RealNetworks, Inc. Releases Update to Address Security Vulnerabilities.
Updated September 7, 2012
RealNetworks is making available product upgrades that contain security bug fixes. We have received no reports of any machines actually being compromised as a result of the now-remedied vulnerabilities.
RealNetworks always recommends upgrading your product to the most current version available to avoid security vulnerabilities.
Current Software
The current versions of our Player software are not affected by these vulnerabilities.

| Software | Affected? | Operating System | Language |
|---|---|---|---|
| RealPlayer 15.0.6.14 | No | Windows XP, Vista, Win7 | All Supported |
| Mac RealPlayer 12.0.1.1750 | No | Mac OS X 10.3 – 10.8 | All Supported |

Affected Software
The table below contains a summary of which previous and current versions of the RealPlayer software are susceptible to these vulnerabilities. The columns and cells in green are the versions of each product where the issue has been resolved.

| CVE Number | RealPlayer | RealPlayer SP 1.0 – 1.1.5 | RealPlayer 14.0.0 – 15.0.2.72 | RealPlayer 15.0.3.37 – 15.0.5.109 | RealPlayer 15.0.6.14 | | Mac RealPlayer 12.0.0.1701 | Mac RealPlayer 12.0.1.1750 |
|---|---|---|---|---|---|---|---|---|
| CVE-2011-4253 | X | X | | | X | | | |
| CVE-2012-0923 | X | X | X | | X | | | |
| CVE-2012-0925 | X | X | X | | X | | | |
| CVE-2012-0928 | X | X | X | | X | | | |
| CVE-2012-2407 | X | X | X | | X | | | |
| CVE-2012-2408 | X | X | X | | X | | | |
| CVE-2012-2409 | X | X | X | | X | | | |
| CVE-2012-2410 | X | X | X | | X | | | |
| CVE-2012-3234 | X | X | X | | X | | | |

CVE Descriptions
CVE-2011-4253
RealPlayer RV20 Decoding Remote Code Execution Vulnerability
Affected software: Windows RealPlayer 14.0.7 and prior, Mac RealPlayer 12.0.0.1701 and prior.
Credit to Damian Put and Andrzej Dyjak working with TippingPoint's Zero Day Initiative for reporting this issue.
CVE-2012-0923
RealNetworks RealPlayer RV20 Frame Size Array Remote Code Execution Vulnerability
Affected software: Windows RealPlayer 15.0.1.13 and prior.
Credit to Luigi Auriemma working with TippingPoint's Zero Day Initiative for reporting this issue.
CVE-2012-0925
RealNetworks RealPlayer RV40 Remote Code Execution Vulnerability
Affected software: Windows RealPlayer 15.0.1.13 and prior.
Credit to Dan Rosenberg of Virtual Security Research and Damian Put working with TippingPoint's Zero Day Initiative for reporting this issue.
CVE-2012-0928
RealNetworks RealPlayer Atrac Sample Decoding Remote Code Execution Vulnerability
Affected software: Windows RealPlayer 14.0.7 and prior, Mac RealPlayer 12.0.0.1701 and prior.
Credit to Andrzej Dyjak working with TippingPoint's Zero Day Initiative for reporting this issue.
CVE-2012-2407
RealPlayer - AAC causing buffer overrun during unpacking of stream data
Affected software: Windows RealPlayer 15.0.2.72 and prior, Mac RealPlayer 12.0.0.1701 and prior.
Credit to Andrzej Dyjak for reporting this issue.
CVE-2012-2408
RealPlayer - AAC SDK decoding causes heap corruption
Affected software: Windows RealPlayer 15.0.2.72 and prior, Mac RealPlayer 12.0.0.1701 and prior.
Credit to Andrzej Dyjak for reporting this issue.
CVE-2012-2409
RealPlayer - RealMedia buffer overrun vulnerability 1
Affected software: Windows RealPlayer 15.0.2.72 and prior, Mac RealPlayer 12.0.0.1701 and prior.
Credit to Andrzej Dyjak for reporting this issue.
CVE-2012-2410
RealPlayer - RealMedia buffer overrun vulnerability 2
Affected software: Windows RealPlayer 15.0.2.72 and prior, Mac RealPlayer 12.0.0.1701 and prior.
Credit to Andrzej Dyjak for reporting this issue.
CVE-2012-3234
RealPlayer - RealAudio divide by zero vulnerability in codec frame size
Affected software: Windows RealPlayer 15.0.4.53 and prior, Mac RealPlayer 12.0.0.1701 and prior.
Credit to Senator of Pirates for reporting this issue.
Warranty:
RealNetworks Inc. endeavors to provide you with the highest quality products and services, but cannot guarantee, and does not warrant, that the operation of any RealNetworks product will be error-free, uninterrupted or secure. Please see your original license agreement for details of our limited warranty or warranty disclaimer.