RealNetworks, Inc. Releases Update to Address Security Vulnerabilities.

Updated August 26, 2011


Update: One item, CVE-2011-1221, was incorrectly left out of the original disclosure on August 16. This vulnerability is functionally identical to CVE-2011-2947, which was included in the original disclosure. Credit information for CVE-2011-1221 has been added below.


RealNetworks is making available product upgrades that contain security bug fixes. We have received no reports of any machines actually being compromised as a result of the now-remedied vulnerabilities.


RealNetworks always recommends upgrading your product to the most current version available to avoid security vulnerabilities.


Current Software
The current versions of our Player software are not affected by these vulnerabilities.

| Software                    | Affected? | Operating System        | Language      |
|-----------------------------|-----------|-------------------------|---------------|
| RealPlayer 14.0.6           | No        | Windows XP, Vista, Win7 | All Supported |
| Mac RealPlayer 12.0.0.1701  | No        | Mac OS X 10.3 – 10.6    | All Supported |
| RealPlayer Enterprise 2.1.6 | No        | Windows XP, Vista, Win7 | English       |

Affected Software
The table below summarizes which previous and current versions of the RealPlayer software are susceptible to these vulnerabilities. An X marks a version that is affected. The columns for RealPlayer 14.0.6, RealPlayer Enterprise 2.1.6 and Mac RealPlayer 12.0.0.1701 (shown in green in the original table) are the versions of each product where the issue has been resolved.

| CVE Number    | RealPlayer 11.0 – 11.1 | RealPlayer SP 1.0 – 1.1.5 | RealPlayer 14.0.0 – 14.0.5 | RealPlayer 14.0.6 | RealPlayer Enterprise 2.0 – 2.1.5 | RealPlayer Enterprise 2.1.6 | Mac RealPlayer 12.0.0.1569 | Mac RealPlayer 12.0.0.1701 |
|---------------|------------------------|---------------------------|----------------------------|-------------------|-----------------------------------|-----------------------------|----------------------------|----------------------------|
| CVE-2011-2945 | X                      | X                         | X                          |                   |                                   |                             |                            |                            |
| CVE-2011-2946 | X                      | X                         | X                          |                   | X                                 |                             |                            |                            |
| CVE-2011-2947 | X                      | X                         | X                          |                   |                                   |                             |                            |                            |
| CVE-2011-2948 | X                      | X                         | X                          |                   | X                                 |                             | X                          |                            |
| CVE-2011-2949 | X                      | X                         | X                          |                   | X                                 |                             |                            |                            |
| CVE-2011-2950 | X                      | X                         | X                          |                   |                                   |                             |                            |                            |
| CVE-2011-2951 | X                      | X                         | X                          |                   |                                   |                             | X                          |                            |
| CVE-2011-2952 | X                      | X                         | X                          |                   | X                                 |                             |                            |                            |
| CVE-2011-2953 | X                      | X                         | X                          |                   | X                                 |                             |                            |                            |
| CVE-2011-2954 | X                      | X                         | X                          |                   |                                   |                             |                            |                            |
| CVE-2011-2955 | X                      | X                         | X                          |                   | X                                 |                             |                            |                            |
| CVE-2011-1221 | X                      | X                         | X                          |                   | X                                 |                             |                            |                            |


CVE Descriptions


CVE-2011-2945

RealPlayer SIPR Heap Buffer Overflow Vulnerability

Affected software: Windows RealPlayer 14.0.5 and prior.

Credit to Omair, iDefense Labs for reporting this issue.

CVE-2011-2946

RealPlayer ActiveX Remote Code Execution Vulnerability

Affected software: Windows RealPlayer 14.0.5 and prior.

Credit to getB33r working with iDefense Labs for reporting this issue.

CVE-2011-2947

RealPlayer Cross-Zone Scripting Remote Code Execution Vulnerability

Affected software: Windows RealPlayer 14.0.5 and prior; RealPlayer Enterprise 2.1.5 and prior; Mac RealPlayer 12.0.0.1569 and prior.

Credit to Martin Bartek working with TippingPoint's Zero Day Initiative for reporting this issue.

CVE-2011-2948

RealPlayer SWF DefineFont Remote Code Execution Vulnerability

Affected software: Windows RealPlayer 14.0.5 and prior; RealPlayer Enterprise 2.1.5 and prior; Mac RealPlayer 12.0.0.1569 and prior.

Credit to Luigi Auriemma working with TippingPoint's Zero Day Initiative for reporting this issue.

CVE-2011-2949

RealPlayer MP3 ID3 Tags Remote Code Execution Vulnerability

Affected software: Windows RealPlayer 14.0.5 and prior; RealPlayer Enterprise 2.1.5 and prior.

Credit to Sean de Regge working with TippingPoint's Zero Day Initiative for reporting this issue.

CVE-2011-2950

RealPlayer QCP Parsing Remote Code Execution Vulnerability

Affected software: Windows RealPlayer 14.0.5 and prior.

Credit to Sean de Regge working with TippingPoint's Zero Day Initiative for reporting this issue.

CVE-2011-2951

RealPlayer Advanced Audio Coding Element Remote Code Execution Vulnerability

Affected software: Windows RealPlayer 14.0.5 and prior; Mac RealPlayer 12.0.0.1569 and prior.

Credit to Donato Ferrante and Andrzej Dyjak working with TippingPoint's Zero Day Initiative for reporting this issue.

CVE-2011-2952

RealPlayer Dialog Box Use After Free Vulnerability

Affected software: Windows RealPlayer 14.0.5 and prior; RealPlayer Enterprise 2.1.5 and prior.

Credit to Krystian Kloskowski (h07) via Secunia Research for reporting this issue.

CVE-2011-2953

RealPlayer ActiveX Browser Plugin Out of Bounds Vulnerability

Affected software: Windows RealPlayer 14.0.5 and prior.

Credit to Luigi Auriemma for reporting this issue.

CVE-2011-2954

RealPlayer Embedded AutoUpdate Use After Free Vulnerability

Affected software: Windows RealPlayer 14.0.5 and prior.

Credit to Luigi Auriemma for reporting this issue.

CVE-2011-2955

RealPlayer Embedded Modal Dialog Use After Free Vulnerability

Affected software: Windows RealPlayer 14.0.5 and prior; RealPlayer Enterprise 2.1.5 and prior.

Credit to Luigi Auriemma for reporting this issue.

CVE-2011-1221

RealPlayer Cross-Zone Scripting Remote Code Execution Vulnerability

Affected software: Windows RealPlayer 14.0.5 and prior.

Credit to Mark Yason of IBM X-Force for reporting this issue.


Warranty:

RealNetworks Inc. endeavors to provide you with the highest quality products and services, but cannot guarantee, and does not warrant, that the operation of any RealNetworks product will be error-free, uninterrupted or secure. Please see your original license agreement for details of our limited warranty or warranty disclaimer.