RealNetworks, Inc. Releases Update to Address Security Vulnerabilities
Updated August 26, 2011
Update: One item, CVE-2011-1221, was incorrectly left out of the original disclosure on August 16. This vulnerability is functionally identical to CVE-2011-2947, which was included in the original disclosure. Credit information for CVE-2011-1221 has been added below.
RealNetworks is making available product upgrades that contain security bug fixes. We have received no reports of any machines actually being compromised as a result of the now-remedied vulnerabilities.
RealNetworks always recommends upgrading your product to the most current version available to avoid security vulnerabilities.
Current Software
The current versions of our Player software are not affected by these vulnerabilities.
| Software | Affected? | Operating System | Language |
|---|---|---|---|
| RealPlayer 14.0.6 | No | Windows XP, Vista, Win7 | All Supported |
| Mac RealPlayer 12.0.0.1701 | No | Mac OS X 10.3 – 10.6 | All Supported |
| RealPlayer Enterprise 2.1.6 | No | Windows XP, Vista, Win7 | English |
Affected Software
The table below contains a summary of which previous and current versions of the RealPlayer software are susceptible to these vulnerabilities. The columns and cells in green are the versions of each product where the issue has been resolved.
| CVE Number | RealPlayer | RealPlayer SP 1.0 – 1.1.5 | RealPlayer 14.0.0 – 14.0.5 | RealPlayer 14.0.6 | RealPlayer Enterprise 2.0 – 2.1.5 | RealPlayer Enterprise 2.1.6 | Mac RealPlayer 12.0.0.1569 | Mac RealPlayer 12.0.0.1701 |
|---|---|---|---|---|---|---|---|---|
| CVE-2011-2945 | X | X | X | | | | | |
| CVE-2011-2946 | X | X | X | | X | | | |
| CVE-2011-2947 | X | X | X | | | | | |
| CVE-2011-2948 | X | X | X | | X | | X | |
| CVE-2011-2949 | X | X | X | | X | | | |
| CVE-2011-2950 | X | X | X | | | | | |
| CVE-2011-2951 | X | X | X | | | | X | |
| CVE-2011-2952 | X | X | X | | X | | | |
| CVE-2011-2953 | X | X | X | | X | | | |
| CVE-2011-2954 | X | X | X | | | | | |
| CVE-2011-2955 | X | X | X | | X | | | |
| CVE-2011-1221 | X | X | X | | X | | | |
CVE Descriptions

CVE-2011-2945
RealPlayer SIPR Heap Buffer Overflow Vulnerability
Affected software: Windows RealPlayer 14.0.5 and prior.
Credit to Omair, iDefense Labs for reporting this issue.

CVE-2011-2946
RealPlayer ActiveX Remote Code Execution Vulnerability
Affected software: Windows RealPlayer 14.0.5 and prior.
Credit to getB33r working with iDefense Labs for reporting this issue.

CVE-2011-2947
RealPlayer Cross-Zone Scripting Remote Code Execution Vulnerability
Affected software: Windows RealPlayer 14.0.5 and prior; RealPlayer Enterprise 2.1.5 and prior; Mac RealPlayer 12.0.0.1569 and prior.
Credit to Martin Bartek working with TippingPoint's Zero Day Initiative for reporting this issue.

CVE-2011-2948
RealPlayer SWF DefineFont Remote Code Execution Vulnerability
Affected software: Windows RealPlayer 14.0.5 and prior; RealPlayer Enterprise 2.1.5 and prior; Mac RealPlayer 12.0.0.1569 and prior.
Credit to Luigi Auriemma working with TippingPoint's Zero Day Initiative for reporting this issue.

CVE-2011-2949
RealPlayer MP3 ID3 tags Remote Code Execution Vulnerability
Affected software: Windows RealPlayer 14.0.5 and prior; RealPlayer Enterprise 2.1.5 and prior.
Credit to Sean de Regge working with TippingPoint's Zero Day Initiative for reporting this issue.

CVE-2011-2950
RealPlayer QCP Parsing Remote Code Execution Vulnerability
Affected software: Windows RealPlayer 14.0.5 and prior.
Credit to Sean de Regge working with TippingPoint's Zero Day Initiative for reporting this issue.

CVE-2011-2951
RealPlayer Advanced Audio Coding Element Remote Code Execution Vulnerability
Affected software: Windows RealPlayer 14.0.5 and prior; Mac RealPlayer 12.0.0.1569 and prior.
Credit to Donato Ferrante and Andrzej Dyjak working with TippingPoint's Zero Day Initiative for reporting this issue.

CVE-2011-2952
RealPlayer Dialog Box Use After Free Vulnerability
Affected software: Windows RealPlayer 14.0.5 and prior; RealPlayer Enterprise 2.1.5 and prior.
Credit to Krystian Kloskowski (h07) via Secunia Research for reporting this issue.

CVE-2011-2953
RealPlayer ActiveX Browser Plugin Out of Bounds Vulnerability
Affected software: Windows RealPlayer 14.0.5 and prior.
Credit to Luigi Auriemma for reporting this issue.

CVE-2011-2954
RealPlayer Embedded AutoUpdate Use After Free Vulnerability
Affected software: Windows RealPlayer 14.0.5 and prior.
Credit to Luigi Auriemma for reporting this issue.

CVE-2011-2955
RealPlayer Embedded Modal Dialog Use After Free Vulnerability
Affected software: Windows RealPlayer 14.0.5 and prior; RealPlayer Enterprise 2.1.5 and prior.
Credit to Luigi Auriemma for reporting this issue.

CVE-2011-1221
RealPlayer Cross-Zone Scripting Remote Code Execution Vulnerability
Affected software: Windows RealPlayer 14.0.5 and prior.
Credit to Mark Yason of IBM X-Force for reporting this issue.

Warranty:
RealNetworks Inc. endeavors to provide you with the highest quality products and services, but cannot guarantee, and does not warrant, that the operation of any RealNetworks product will be error-free, uninterrupted or secure. Please see your original license agreement for details of our limited warranty or warranty disclaimer.