RealNetworks has reviewed the code of its media player software and
will deliver a patch by Christmas to fix all the security flaws it
has found.
"RealNetworks has undertaken a comprehensive review of all of the
RealOne Player code to reduce the possibility that any
vulnerabilities remain. An update of the RealOne Player that
contains identified fixes will be available by 25 December,"
RealNetworks said.
A UK security expert identified nine vulnerabilities in the Windows
versions of the RealOne Player and RealPlayer. By encouraging the
user to download a malformed file, an attacker could run take over
a user's computer.
RealNetworks released a patch to fix three of the flaws late last
month, but the patch was flawed. The company has been working on a
new patch since then.
The company stressed it has received no reports of any attacks, but
that it takes all potential vulnerabilities very seriously and
continues to work with security professionals to verify and fix the
"buffer overrun" errors.
Next Generation Security Software researcher Mark Litchfield
discovered the flaws in the RealNetworks software and first alerted
the Seattle company in early November. Litchfield said he was no
longer working on the issue with RealNetworks, but praised the
company for its swift action.
"Real has turned out to be one of the quickest vendors to patch
their issues. Some of the large software vendors take up to a year
to patch vulnerabilities," said Litchfield.
Litchfield also expected RealNetworks to issue a patch for its
Helix Universal Server media server product soon. There are three
buffer overrun flaws in the product that is used by many to offer
online streaming media, he said.
RealNetworks has already sent Litchfield a test version of the
patch to fix the flaws in Helix Universal Server and the patch
worked. "The patch should go out any time now," said Litchfield.
No one at RealNetworks was immediately available for comment on the
Helix Universal Server flaws.