
Real Patches Critical Media Player Flaws

malebolgia   on 11 June 2004 - 19:21 · 21 comments & 1620 views

RealNetworks has patched two highly critical holes in its media player. The bugs could allow an attacker to run malicious code by directing users to a specially-crafted Web page, via an email message for example, according to security experts. RealOne Player, RealOne Player v2, RealPlayer 10, RealPlayer 8, and RealPlayer Enterprise are all affected. The company has released updates fixing the problem for all except RealPlayer 8; the patches are available by using the software's built-in updating mechanism, as described in Real's advisory. RealPlayer 8 users are recommended to upgrade to RealPlayer 10.

"While we have not received reports of anyone actually being attacked with this exploit, all security vulnerabilities are taken very seriously by RealNetworks," the company says in a statement. The first bug, discovered by eEye Digital Security's Karl Lynn, involves a file called embd3260.dll. A problem with the way the file generates error messages means that an attacker could use a malformed movie file embedded in a Web page to execute malicious code on a user's PC. "A heap block is allocated to contain the error message, but because of a flaw in how the buffer size is calculated, an overflow will always happen," eEye says in its advisory.

News source: PCWorld.com



(3 replies) #1 dougkinzinger on 11 Jun 2004 - 19:24
This title should really be re-worded. Without reading, it sounds like Real patched Microsoft's Media Player flaws.

It could say "Real patches critical Player flaws."
#1.1 gawdflesh on 11 Jun 2004 - 19:46
I thought the same thing.
#1.2 eris on 11 Jun 2004 - 20:00
If you google "media player" you will find a bunch of media players. So I guess the title is ok.
#1.3 cal2002 on 13 Jun 2004 - 01:46
Really, do you have to put media player in the name of the player for it to be a media player?
(4 replies) #2 eris on 11 Jun 2004 - 19:28
If there is a news report about a security problem in an OSS product, usually people say that this proves that Linux is insecure. Am I then allowed to say that this news report clearly shows that Windows is insecure?

inquiring minds want to know

Anyway that was just some food for thought.
#2.1 kitchenutensils on 11 Jun 2004 - 19:59
wtf?!?!?!?!
#2.2 eris on 11 Jun 2004 - 20:04
Something like this.
#2.3 ScottKin on 12 Jun 2004 - 00:53
Sure you are - but that will only prove that you're more of an idiot than some people might think you are.

"It is better to hold one's tongue and be only thought of as a fool than to let one's tongue fly and remove all doubt".

The issue you referred to - the CVS vulnerabilities - just show that OSS products and their "open-ness" and ability for the "community" to submit code have a vulnerability that would allow ANYONE to change source-code in the CVS tree with virtually NO ONE knowing about it.

How secure would a Microsoft product be if someone from the general population were allowed to include code into the source-tree?

I'm amazed at how most OSS-fans just sluff this off, saying "Oh, no one in the 'community' would *ever* do that".

"TRUST NO ONE"

--SK
#2.4 eris on 12 Jun 2004 - 11:27
Maybe my semi-humorous post was not clear enough.
Usually when there is a security problem in an OSS program, people say that this proves that Linux is insecure. I was referring to the comment of the news post just as an example for such comments. My original post was a parody of those posts which have a flawed logic.

Now let's have an example so everyone understands:
News: fictional bug in the open source forum phpbb
comment_foo: This proves that Linux is insecure, sucks, should go to hell yadda yadda yadda

Now comment_foo comments appear very often, so I was just asking if I can apply their "logic" in order to say that a flaw in Real's media player proves that Windows is insecure, because y'all know that a flaw in videolan.org media player would prove that Linux is insecure, wouldn't it?

"How secure would a Microsoft product be if someone from the general population were allowed to include code into the source-tree?" Well if it were public and someone at Microsoft would accept the patches it probably would be.

"I'm amazed at how most OSS-fans just sluff this off, saying "Oh, no one in the 'community' would *ever* do that"." Did not hear anyone say that.

And regarding the CVS bug, it would be quite easy to detect that because usually a developer keeps "their" version at home and would notice if unexpected code had been added to the main CVS server, when he/she "compares" "their" version to the version on the main server.

have a nice day
#3 moeburn on 11 Jun 2004 - 19:59
#4 Hawkeye on 11 Jun 2004 - 20:02
Ok. Before somebody says this, because I know somebody will, please, please can we all be mature enough not to say, "RealPlayer itself is the flaw"?

Going to update my RealPlayer 10 now. Not sure if I would ever be affected by this flaw, but I got nothing else to do right now.
#5 MitchShrader on 11 Jun 2004 - 21:06
No. I'm immature. Sorry. RealPlayer is Satan. SATAN, do you hear?
(2 replies) #6 DsnBehind on 12 Jun 2004 - 02:57
What? You were yelling, so I couldn't hear.
#6.1 em_te on 12 Jun 2004 - 07:42
QUOTE (#1.0)
What? You were yelling, so I couldn't hear.

Use Firefox.
#6.2 wildk on 14 Jun 2004 - 11:39
Um, what's Firefox got to do with anything? This is about RealPlayer.
(1 reply) #7 DsnBehind on 12 Jun 2004 - 02:58
QUOTE
RealPlayer 8 users are recommended to upgrade to RealPlayer 10.

You'll have to kill me.
#7.1 SecretAgentMan on 12 Jun 2004 - 07:03
LOL, nice.
(1 reply) #8 cork1958 on 12 Jun 2004 - 11:36
Yep, I'm immature also when it comes to the Real Awful player. The BEST patch for this thing is to remove it!!
#8.1 SecretAgentMan on 12 Jun 2004 - 13:26
I agree. RealPlayer is crap.
#9 plasticparadox on 12 Jun 2004 - 16:22
Time until someone posts a link to the 'buffering' photo.. 5.. 4.. 3.. 2..
#10 Colin-uk on 12 Jun 2004 - 20:22
lol, gotta love the 'buffering' photo
