RealNetworks, Inc. Releases Update to Address Security Vulnerabilities.

Updated October 15, 2010


 

RealNetworks is making available product upgrades that contain security bug fixes. We have received no reports of any machines actually being compromised as a result of the now-remedied vulnerabilities.

RealNetworks always recommends upgrading your product to the most current version available to avoid security vulnerabilities. 



 

Current Software
The current versions of our Player software are not affected by these vulnerabilities.

| Software | Affected? | Operating System | Language |
|---|---|---|---|
| RealPlayer SP 1.1.5 | No | Windows XP, Vista, Win7 | All Supported |
| Mac RealPlayer 12.0.0.1444 | No | Mac OS X 10.3 – 10.6 | All Supported |
| RealPlayer Enterprise 2.1.3 | No | Windows XP, Vista, Win7 | English |
| Linux RealPlayer 11.0.2.1744 | No | Linux | English |

 

Affected Software
The table below summarizes which previous and current versions of the RealPlayer software are susceptible to these vulnerabilities. The columns and cells in green indicate the versions of each product where the issue has been resolved.

 

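| CVE Number | RealPlayer 11.0 – 11.1 | RealPlayer SP 1.0 – 1.0.1 | RealPlayer SP 1.0.2 – 1.1 | RealPlayer SP 1.1.1 – 1.1.4 | RealPlayer SP 1.1.5 | RealPlayer 14.0 Beta | RealPlayer Enterprise 2.1.2 | RealPlayer Enterprise 2.1.3 | Mac RealPlayer 11.0 - 12.0 | Linux RealPlayer 11.0.2.1744 |
|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2010-2998 | X | X | | | | | | | | |
| CVE-2010-3747 | X | X | X | X | | | X | | | |
| CVE-2010-3750 | X | X | X | X | | | X | | | |
| CVE-2010-2578 | X | X | X | X | | | X | | | |
| CVE-2010-3751 | X | X | X | X | | | | | | |
| CVE-2010-3748 | X | X | X | X | | | X | | | |
| CVE-2010-3749 | X | X | X | | | | | | | |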

CVE Descriptions

 

CVE-2010-2998

RealPlayer Malformed IVR Pointer Index Code Execution Vulnerability

Affected software: Windows RealPlayer SP 1.0.1 and prior.

Credit to anonymous researchers working with TippingPoint's Zero Day Initiative for reporting this issue.

 

CVE-2010-3747

RealPlayer ActiveX Control CDDA URI Uninitialized Pointer Vulnerability

Affected software: Windows RealPlayer SP 1.1.4 and prior; RealPlayer Enterprise 2.1.2 and prior.

Credit to CHkr_D591, working with TippingPoint's Zero Day Initiative, for reporting this issue.

 

CVE-2010-3750

RealPlayer RJMDSections Remote Code Execution Vulnerability

Affected software: Windows RealPlayer SP 1.1.4 and prior; RealPlayer Enterprise 2.1.2 and prior.

Credit to Sebastian Apelt (www.siberas.de), working with TippingPoint's Zero Day Initiative, for reporting this issue.

 

CVE-2010-2578

RealPlayer QCP parsing heap-based buffer overflow vulnerability.

Affected software: Windows RealPlayer SP 1.1.4 and prior; RealPlayer Enterprise 2.1.2 and prior.

Credit to Carsten H. Eiram, Secunia Research for reporting this issue.

 

CVE-2010-3751

RealPlayer ActiveX Control Multiple Protocol Handlers Remote Code Execution Vulnerability

Affected software: Windows RealPlayer SP 1.1.4 and prior.

Credit to anonymous researchers working with TippingPoint's Zero Day Initiative for reporting this issue.

 

CVE-2010-3748

RealPlayer RichFX Component Stack Overflow Vulnerability

Affected software: Windows RealPlayer SP 1.1.4 and prior; RealPlayer Enterprise 2.1.2 and prior.

Credit to Steve Manzuik of Microsoft Vulnerability Research (MSVR) for reporting this issue.

 

CVE-2010-3749

RealPlayer Browser Extension RecordClip Parameter Injection Vulnerability

Affected software: Windows RealPlayer SP 1.1 and prior.

Credit to Sean de Regge working with TippingPoint's Zero Day Initiative for reporting this issue.

 

 


 

Warranty:

RealNetworks Inc. endeavors to provide you with the highest quality products and services, but cannot guarantee, and does not warrant, that the operation of any RealNetworks product will be error-free, uninterrupted or secure. Please see your original license agreement for details of our limited warranty or warranty disclaimer.