
RealNetworks, Inc. Releases Update to Address Security Vulnerabilities.

Updated August 14, 2008

RealNetworks is making available product upgrades that contain security bug fixes.

RealNetworks is updating the RealPlayer 11 build (11.0.3) announced on July 25th to include components for localized versions of the release that were not included in the original update.  The new build, known as RealPlayer 11.0.3a, should be installed for any non-U.S. English versions of RealPlayer 11.

The U.S. English version of RealPlayer 11.0.3 did include all of the security bug fixes, as intended in the July 25th post.

If you have installed a product version listed in the tables below, RealNetworks recommends that you upgrade to the current version of the product.

Affected Software: (Please see below for details of potential vulnerabilities).

Windows

| Software | Affected? | Language | Update Needed? |
|---|---|---|---|
| RealPlayer 11 (Version 11.0.3 build 6.0.14.806 for US-EN and version 11.0.3a for all others) | No | All Supported | No |
| RealPlayer 11 (11.0.0 - 11.0.2, builds 6.0.14.738 - 6.0.14.802) | By #1 | All Supported | Yes |
| RealPlayer 10.5 (6.0.12.1675) * | No | All Supported | No |
| RealPlayer 10.5 (6.0.12.1040-6.0.12.1663, 6.0.12.1698, 6.0.12.1741) | By all | All Supported | Yes |
| RealPlayer 10 | By all | All Supported | Yes |


Note: To see your Player version number (6.0.x.xxxx), select Help > About in the RealPlayer menu.


* Due to Windows Vista compatibility issues, version numbers for RealPlayer 10.5 are no longer sequential.

| Software | Affected? | Language | Update Needed? |
|---|---|---|---|
| Rhapsody 4 | No | All Supported | No |


Note: To see your Rhapsody version number (build 0.xxx), select Help > About in the Rhapsody menu.


Mac

| Software | Affected? | Language | Update Needed? |
|---|---|---|---|
| Mac RealPlayer 11 | No | All Supported | No |
| Mac RealPlayer 10.1 (10.0.0.396 - 10.0.0.503) | By #3 | All Supported | Yes |
| Mac RealPlayer 10 (10.0.0.305 - 352) | By #3 | All Supported | Yes |


Note: To see your Player version number (10.0.0.xxx), select About in the RealPlayer menu.


Linux

| Software | Affected? | Language | Update Needed? |
|---|---|---|---|
| Linux RealPlayer 11 | No | All Provided | No |
| Helix Player (11.*) | No | All Provided | No |
| Linux RealPlayer 10 | By #3 | All Provided | Yes |
| Helix Player (10.*) | No | All Provided | No |


Note: To see your Player version number (10.0.0.xxx), select Help > About in the RealPlayer menu.


Handheld Devices

| Software | Affected? | Language | Update Needed? |
|---|---|---|---|
| Nokia Series60 Handsets | No | English | No |
| RealPlayer for Palm | No | English | No |
| RealOne Player for Palm | No | English | No |

Instructions

Windows Players:

If you are on Windows XP or Vista, please click here to download RealPlayer 11 from the web.

If you are on Windows 2000, Windows ME or Windows 98SE, you may get the security updates in the most recent version of RealPlayer 10.5 by following the instructions below.

RealOne Player (English only), RealOne Player V2, RealPlayer 10 and RealPlayer 10.5 customers require a full download to correct this issue. Please use the following steps to upgrade your Player:

1. In the Tools menu, select Check for Update.

2. Select the box next to the "RealPlayer 10.5 with Harmony™ Technology" component.

3. Click Install to download and install the update.

RealPlayer 8 (version 6.0.9.584) customers please use the following steps to upgrade your Player:

1. Go to the Help menu.

2. Select Check for Update.

3. Select the box next to the "RealPlayer 10.5 with Harmony™ Technology" component.

4. Click Install to download and install the update.

RealPlayer for Mac OS X:

RealPlayer 10 for Mac OS X customers need to get the latest player to address this security issue. Please click here to upgrade to RealPlayer 11.

Linux Players:

Please click here to get an updated RealPlayer 11 for Linux.

Details for Potential Vulnerabilities:

  • Vulnerability 1: The identified vulnerability is a RealPlayer ActiveX controls property heap memory corruption (CVE-2008-1309).

  • Vulnerability 2: The identified vulnerability is a local resource reference vulnerability in RealPlayer (CVE-2008-3064).

  • Vulnerability 3: The identified vulnerability is a RealPlayer SWF file heap-based buffer overflow (CVE-2007-5400).

  • Vulnerability 4: The identified vulnerability is a RealPlayer ActiveX import method buffer overflow (CVE-2008-3066).



Acknowledgements:

RealNetworks would like to acknowledge Dyon Balding, Elazar Broad, CERT/CC, Haifei Li and Peter Vreugdenhil working with TippingPoint for bringing these exploits to our attention as well as those who subsequently worked with RealNetworks to correct the vulnerabilities.

Warranty:

RealNetworks Inc. endeavors to provide you with the highest quality products and services, but cannot guarantee, and does not warrant, that the operation of any RealNetworks product will be error-free, uninterrupted or secure. Please see your original license agreement for details of our limited warranty or warranty disclaimer.