RealNetworks fixes media player vulnerabilities

RealNetworks has reviewed the code of its media player software and will deliver a patch by Christmas to fix all the security...

RealNetworks has reviewed the code of its media player software and will deliver a patch by Christmas to fix all the security flaws it has found.

"RealNetworks has undertaken a comprehensive review of all of the RealOne Player code to reduce the possibility that any vulnerabilities remain. An update of the RealOne Player that contains identified fixes will be available by 25 December," RealNetworks said.

A UK security expert identified nine vulnerabilities in the Windows versions of the RealOne Player and RealPlayer. By encouraging the user to download a malformed file, an attacker could run take over a user's computer.

RealNetworks released a patch to fix three of the flaws late last month, but the patch was flawed. The company has been working on a new patch since then.

The company stressed it has received no reports of any attacks, but that it takes all potential vulnerabilities very seriously and continues to work with security professionals to verify and fix the "buffer overrun" errors.

Next Generation Security Software researcher Mark Litchfield discovered the flaws in the RealNetworks software and first alerted the Seattle company in early November. Litchfield said he was no longer working on the issue with RealNetworks, but praised the company for its swift action.

"Real has turned out to be one of the quickest vendors to patch their issues. Some of the large software vendors take up to a year to patch vulnerabilities," said Litchfield.

Litchfield also expected RealNetworks to issue a patch for its Helix Universal Server media server product soon. There are three buffer overrun flaws in the product that is used by many to offer online streaming media, he said.

RealNetworks has already sent Litchfield a test version of the patch to fix the flaws in Helix Universal Server and the patch worked. "The patch should go out any time now," said Litchfield.

No one at RealNetworks was immediately available for comment on the Helix Universal Server flaws.

Read more on IT risk management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.