Potential Server Exploit Vulnerability
Updated October 7, 2004
Helix Universal Server 9 contains a potential root exploit when certain types of HTTP POST messages are sent to the server. Helix Mobile Server and Gateway 10 is also vulnerable to this type of exploit. By utilizing this vulnerability, an attacker could potentially disable the server. Note that RealNetworks knows of no systems that have been compromised due to this vulnerability.
Impacted Products and Versions:
* Helix Universal Mobile Server & Gateway, versions 10.3.1.716 and prior
* Helix Universal Server, version 220.127.116.118 and prior
Customers are encouraged to upgrade their Server software to the latest version, which contains a security patch. RealNetworks has released binaries that guard against the vulnerability above.
Helix Server customers are encouraged to upgrade to the latest version of the Helix Universal Server. This will require reinstallation of the software; however, all existing configuration settings (rmserver.cfg file) will function without modification with this new build (see notes below). Any previously provided and current (non-expired) 9.0.x product license will enable this upgrade.
To preserve the Helix configuration file: The rmserver.cfg file will be renamed "rmserver.cfg.bak" by the installer, and a new rmserver.cfg file will be installed. In order to maintain your previous Helix Server configurations, you should rename or discard the newly installed "rmserver.cfg" file, and rename "rmserver.cfg.bak" to "rmserver.cfg". Execute or restart the Helix Server to read this configuration information.
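The rename steps above, written as a guarded shell function. This is an added example, not RealNetworks code: it assumes a Unix-like install, takes the configuration directory as an argument because the advisory does not name it, and uses a hypothetical file name, rmserver.cfg.installer-default, to keep the installer's new file instead of discarding it.

```shell
#!/bin/sh
# Added example: restore the pre-upgrade Helix Server configuration.
# Assumption: the directory holding rmserver.cfg is passed as $1.
# Usage: restore_helix_cfg /path/to/helix/config/dir
restore_helix_cfg() {
    dir=$1
    cfg="$dir/rmserver.cfg"
    bak="$dir/rmserver.cfg.bak"
    # Hypothetical name: keeps the installer's default for later comparison.
    new="$dir/rmserver.cfg.installer-default"

    # The installer must have left a non-empty backup to restore from.
    if [ ! -s "$bak" ]; then
        echo "no usable $bak; nothing restored" >&2
        return 1
    fi
    # Never clobber a default saved by an earlier run.
    if [ -e "$new" ]; then
        echo "$new already exists; refusing to overwrite" >&2
        return 2
    fi
    # Set the freshly installed file aside (if present), then put the
    # previous configuration back under the name the server reads.
    if [ -e "$cfg" ]; then
        mv "$cfg" "$new" || return 3
    fi
    mv "$bak" "$cfg" || return 3
    echo "restored $cfg; restart Helix Server to load it"
}
```

A second run returns non-zero and changes nothing, because rmserver.cfg.bak no longer exists after a successful restore.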
The following platforms are supported with this release:
Helix Universal Server 9.04 (18.104.22.1680):
Helix Mobile Universal Server and Gateway 10.04.1226:
Helix Mobile Universal Server customers can obtain this build from their PAM site: http://service.real.com/pam/
RealNetworks thanks iDefense (http://www.iDefense.com) for assistance with this issue.
While RealNetworks endeavors to provide you with the highest quality products and services, we cannot guarantee and do not warrant that the operation of any RealNetworks product will be error-free, uninterrupted or secure. See your original license agreement for details of our limited warranty or warranty disclaimer.