News

RealNetworks patch fails to fix flaws, says security expert

A RealNetworks security patch for its media player software is flawed, leaving millions of users at risk of attacks, a security researcher warned yesterday.

RealNetworks last week posted a software update on its Web site to fix three security flaws in the Windows versions of the RealOne Player and RealPlayer.

An attacker could take over a computer running the media player software by encouraging a user to download a malformed file, RealNetworks said in a security advisory posted on its Web site last week.

However, the software patch "does not do its job", according to Mark Litchfield, a security researcher with Next Generation Security Software.

It is still possible to cause a buffer overrun by making a couple of simple modifications to the attacks on the software, Litchfield said. He alerted RealNetworks and is now helping the company come up with a fix that plugs the security holes.

In a buffer overrun attack, an attacker exploits an unchecked buffer in a program to load their own code onto a system and run that.

RealNetworks confirmed in a statement yesterday that Litchfield is looking at a new security fix and that this should be posted "shortly". The company said it took all buffer overrun bugs seriously, but added that Litchfield "has not been able to demonstrate how to exploit the buffer overruns for malicious intent".

Litchfield has tested several new patches, but all were flawed. "The third one last night had only one overflow, so I am hoping they will have a final patch out in the next two days or so," he said.

The original patch was not offered to Litchfield for testing, although he did offer to test it when he first told RealNetworks about the flaws on 1 November.

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy