RealNetworks, Inc. Releases Update to Address Security Vulnerabilities.

Updated January 19, 2010



RealNetworks is making available product upgrades that contain security bug fixes. We have received no reports of any machines actually being compromised as a result of the now-remedied vulnerabilities.

RealNetworks always recommends upgrading your product to the most current version available to avoid security vulnerabilities.

Affected Software: Please see below for details of potential vulnerabilities.

 

Windows

| Software | Affected? | Language | Update Needed? |
|---|---|---|---|
| RealPlayer SP 1.0.2 - 1.0.5 | No | All Supported | No |
| RealPlayer SP 1.0.0 and 1.0.1 | By #10 | All Supported | Yes |
| RealPlayer 11 (11.0.5 and higher) | By #10 | All Supported | Yes |
| RealPlayer 11 (11.0.1 - 11.0.4) | By various | All Supported | Yes |
| RealPlayer 11 (11.0.0) | By various | All Supported | Yes |
| RealPlayer 10.5 (6.0.12.1675) * | By various | All Supported | Yes |
| RealPlayer 10.5 (6.0.12.1040-6.0.12.1663, 6.0.12.1698, 6.0.12.1741) | By various | All Supported | Yes |
| RealPlayer 10 | By various | All Supported | Yes |
| RealPlayer Enterprise | By various | EN | Yes |

 


Note: To see your Player version number, select Help > About in the RealPlayer menu.


* Due to Windows Vista compatibility issues, version numbers are no longer sequential for RealPlayer 10.5.


Mac

| Software | Affected? | Language | Update Needed? |
|---|---|---|---|
| Mac RealPlayer 11.1 | No | All Supported | No |
| Mac RealPlayer 11.0.1 | By #10 | All Supported | Yes |
| Mac RealPlayer 11.0 | By #2, #6 and #10 | All Supported | Yes |
| Mac RealPlayer 10 and 10.1 | By various | All Supported | Yes |

 


Note: To see your Player version number (11.x.x.xxx), select About in the RealPlayer menu.


Linux

| Software | Affected? | Language | Update Needed? |
|---|---|---|---|
| Linux RealPlayer 11.0.2 | No | All Provided | No |
| Helix Player (11.0.2) | No | All Provided | No |
| Linux RealPlayer 11.0.1 | By #10 | All Provided | Yes |
| Helix Player (11.0.1) | By #10 | All Provided | Yes |
| Linux RealPlayer 11.0.0 | By #8 and #10 | All Provided | Yes |
| Helix Player (11.0.0) | By #8 and #10 | All Provided | Yes |
| Linux RealPlayer 10 | By various | All Provided | Yes |
| Helix Player (10.*) | By various | All Provided | Yes |

 


Note: To see your Player version number (11.0.0.xxx), select Help > About in the RealPlayer menu.

Instructions

 

Windows Players:

If you are on Windows XP, Vista or Windows 7, please click here to download RealPlayer SP from the web.

If you are on Windows 2000, Windows ME or Windows 98SE, your operating system is no longer supported.

RealPlayer Enterprise Solution:

RealPlayer Enterprise product updates are available on your PAM site. For additional information regarding RealPlayer Enterprise please click here.

RealPlayer for Mac OS X:

RealPlayer 10 for Mac OS X customers need to get the latest player to address this security issue. Please click here to upgrade your RealPlayer 11.

Linux Players:

Please click here to get an updated RealPlayer 11 for Linux.

Details for Potential Vulnerabilities:

  • Vulnerability 1: The identified vulnerability is a RealPlayer ASM Rulebook heap-based buffer overflow: CVE-2009-4241

  • Vulnerability 2: The identified vulnerability is a RealPlayer GIF file Heap Overflow: CVE-2009-4242

  • Vulnerability 3: The identified vulnerability is a RealPlayer media Overflow (http chunk encoding): CVE-2009-4243

  • Vulnerability 4: The identified vulnerability is a RealPlayer IVR file processing buffer overflow: CVE-2009-0375

  • Vulnerability 5: The identified vulnerability is a RealPlayer IVR file Heap overflow: CVE-2009-0376

  • Vulnerability 6: The identified vulnerability is a RealPlayer SIPR Codec Heap Overflow: CVE-2009-4244

  • Vulnerability 7: The identified vulnerability is a RealPlayer compressed GIF Heap Overflow: CVE-2009-4245

  • Vulnerability 8: The identified vulnerability is a RealPlayer SMIL Parsing Heap Overflow Vulnerability: CVE-2009-4257

  • Vulnerability 9: The identified vulnerability is a RealPlayer Skin Parsing Stack Overflow Vulnerability: CVE-2009-4246

  • Vulnerability 10: The identified vulnerability is a RealPlayer ASM RuleBook Array Overflow: CVE-2009-4247

  • Vulnerability 11: The identified vulnerability is a RealPlayer rtsp set_parameter buffer overflow: CVE-2009-4248




 

Acknowledgements:

RealNetworks would like to acknowledge Evgeny Legerov, anonymous researchers working with iDEFENSE Labs, John Rambo and anonymous researchers working with TippingPoint's Zero Day Initiative, and Fortinet's FortiGuard Labs for bringing these exploits to our attention as well as those who subsequently worked with RealNetworks to correct the vulnerabilities.

Warranty:

RealNetworks Inc. endeavors to provide you with the highest quality products and services, but cannot guarantee, and does not warrant, that the operation of any RealNetworks product will be error-free, uninterrupted or secure. Please see your original license agreement for details of our limited warranty or warranty disclaimer.