RealPlayer Lets Attackers
Take Over Your Computer
Severity: Medium
11 June, 2004

Summary:
Late yesterday, security research teams eEye Digital Security and iDEFENSE announced two new buffer overflow vulnerabilities in RealPlayer 10 (and earlier versions). By enticing one of your users into opening a specially-crafted Real media file, an attacker can exploit either vulnerability to execute code on your user's computer, with the user's privileges. If your users have local administrative privileges, the attacker could gain total control of their machines. If you allow the use of RealPlayer in your network, have your users upgrade the application as soon as possible.

Exposure:
RealPlayer and RealOne Player are widely-used software for Internet media delivery. RealOne Player plays virtually every major Internet media format, including Windows Media, Quicktime, MPEG-4, and even DVDs. If you've watched streaming videos on the Internet, or listened to music samples while buying CDs online, you've probably encountered RealPlayer.

WatchGuard does not recommend using RealPlayer or RealOne Player, partly because both contain automatic communication features which, by default, let RealNetworks and RealNetwork's "partners" (such as NASCAR and CNN) control what software they install on your client computers. But we acknowledge reality: many of your users have probably installed one of these products, with or without your permission.

Late yesterday, two security research teams, eEye Digital Security and iDEFENSE, independently reported on separate new buffer overflow vulnerabilities affecting RealPlayer 10 and earlier versions.

The two buffer overflows differ technically. In the flaw iDEFENSE discovered, creating a URL link containing lots of "."s within a Real media file triggers the overflow. The eEye flaw involves a faulty Dynamic Link Library (dll). Creating a specially malformed Real media file delivered with an HTML file allows an attacker to trigger the buffer overflow within the flawed dll (embd3260.dll). Despite their technical differences, the flaws have similar impact. If an attacker can entice one of your users into opening a specially-crafted Real media file, the attacker could run a malicious program on that user's computer. If the user has local administrative privileges, the attacker can totally "own" the user's machine.

Solution Path:
RealNetworks has released updates to correct these vulnerabilities. Clients who use the vulnerable RealPlayer products should update as soon as possible. Here's how:

RealOne Player (v. 1 and 2) and RealPlayer 10 BETA
In RealOne Player, click Tools => Check for Update. You should see a "Security Update - June 2004" component. Check the corresponding box and press the Install button to download and install the update.

RealPlayer 8
You must upgrade to RealPlayer 10. In RealPlayer, click Help => Check for Update. You should see either a "RealPlayer 10" (English, German, or Japanese) or "RealOne Player" (other languages) component. Check the corresponding box and press the Install button to download and install the update. Once finished, follow the directions above to apply the Security Update for RealPlayer 10 as well.

RealPlayer Enterprise
Please contact your RealNetworks Platinum representative or RealNetworks Customer Support for an update.