U.S. Flag Official website of the Department of Homeland Security

Note: This page is part of the us-cert.gov archive.This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Alert (SA07-297A)

RealNetworks RealPlayer ActiveX Playlist Buffer Overflow

Original release date: October 24, 2007

Systems Affected

  • RealOne Player
  • RealOne Player v2
  • RealPlayer 10
  • RealPlayer 10.5
  • RealPlayer 11 beta

Overview

RealNetworks RealPlayer for Microsoft Windows contains a vulnerability that could allow an attacker to take control of your computer when you visit a malicious web site.


Solution

Upgrade and install a patch

RealNetworks has released a patch to address this vulnerability. Information about the vulnerability and the patch is available in RealPlayer Security Vulnerability and Security Update for Real Player.

  • RealPlayer 10.5 and RealPlayer 11 beta users should install the patch.
  • RealOne Player v2, and RealPlayer 10 users should upgrade to RealPlayer 10.5 or RealPlayer 11 beta and then install the patch.
Windows versions of RealPlayer 8 and earlier are not affected. Mactintosh and Linux versions of RealPlayer are not affected.

Disable ActiveX for untrusted web sites

Disabling ActiveX in the Internet Zone (or any zone used by an attacker) reduces the chances of exploitation of this and other vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.

There are public reports that this vulnerability is being actively exploited.

Description

A buffer overflow in the way RealPlayer handles playlists received from an ActiveX control on a web page could allow an attacker to access your computer, install and run malicious software on your computer, or cause it to crash.

More technical information is available in US-CERT Technical Cyber Security Alert TA07-297A and Vulnerability Note VU#871673.


References

  • RealNetworks RealPlayer Security Update - http://service.real.com/realplayer/security/191007_player/en/>
  • Security Update for RealPlayer - http://docs.real.com/docs/security/SecurityUpdate101907Player.pdf>
  • US-CERT Technical Cyber Security Alert TA07-297A - <http://www.us-cert.gov/cas/techalerts/TA07-297A.html>
  • US-CERT Vulnerability Note VU#871673 - http://www.kb.cert.org/vuls/id/871673>
  • Securing Your Web Browser - http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>

.

Revision History

  • October 24, 2007: Initial release

This product is provided subject to this Notification and this Privacy & Use policy.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top