RealNetworks, Inc. Releases Update to Address Security Vulnerabilities.
Updated October 15, 2010
RealNetworks is making available product upgrades that contain security bug fixes. We have received no reports of any machines actually being compromised as a result of the now-remedied vulnerabilities.

RealNetworks always recommends upgrading your product to the most current version available to avoid security vulnerabilities.

Current Software
The current versions of our Player software are not affected by
these vulnerabilities.

| Software | Affected? | Operating System | Language |
|---|---|---|---|
| RealPlayer SP 1.1.5 | No | Windows XP, Vista, Win7 | All Supported |
| Mac RealPlayer 12.0.0.1444 | No | Mac OS X 10.3 – 10.6 | All Supported |
| RealPlayer Enterprise 2.1.3 | No | Windows XP, Vista, Win7 | English |
| Linux RealPlayer 11.0.2.1744 | No | Linux | English |

Affected Software
The table below contains a summary of which previous and current versions of the RealPlayer software are susceptible to these vulnerabilities. The columns and cells in green indicate the versions of each product where the issue has been resolved.

| CVE Number | RealPlayer | RealPlayer SP | RealPlayer SP 1.0.2 – 1.1 | RealPlayer SP 1.1.1 – 1.1.4 | RealPlayer SP | RealPlayer 14.0 Beta | RealPlayer Enterprise 2.1.2 | RealPlayer Enterprise 2.1.3 | Mac RealPlayer 11.0 - 12.0 | Linux RealPlayer 11.0.2.1744 |
|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2010-2998 | X | X | | | | | | | | |
| CVE-2010-3747 | X | X | X | X | | | X | | | |
| CVE-2010-3750 | X | X | X | X | | | X | | | |
| CVE-2010-2578 | X | X | X | X | | | X | | | |
| CVE-2010-3751 | X | X | X | X | | | | | | |
| CVE-2010-3748 | X | X | X | X | | | X | | | |
| CVE-2010-3749 | X | X | X | | | | | | | |

CVE Descriptions

CVE-2010-2998
RealPlayer Malformed IVR Pointer Index Code Execution Vulnerability
Affected software: Windows RealPlayer SP 1.0.1 and prior.
Credit to anonymous researchers working with TippingPoint's Zero Day Initiative for reporting this issue.

CVE-2010-3747
RealPlayer ActiveX Control CDDA URI Uninitialized Pointer Vulnerability
Affected software: Windows RealPlayer SP 1.1.4 and prior; RealPlayer Enterprise 2.1.2 and prior.
Credit to CHkr_D591, working with TippingPoint's Zero Day Initiative for reporting this issue.

CVE-2010-3750
RealPlayer RJMDSections Remote Code Execution Vulnerability
Affected software: Windows RealPlayer SP 1.1.4 and prior; RealPlayer Enterprise 2.1.2 and prior.
Credit to Sebastian Apelt (www.siberas.de), working with TippingPoint's Zero Day Initiative for reporting this issue.

CVE-2010-2578
RealPlayer QCP parsing heap-based buffer overflow vulnerability.
Affected software: Windows RealPlayer SP 1.1.4 and prior; RealPlayer Enterprise 2.1.2 and prior.
Credit to Carsten H. Eiram, Secunia Research for reporting this issue.

CVE-2010-3751
RealPlayer ActiveX Control Multiple Protocol Handlers Remote Code Execution Vulnerability
Affected software: Windows RealPlayer SP 1.1.4 and prior.
Credit to anonymous researchers working with TippingPoint's Zero Day Initiative for reporting this issue.

CVE-2010-3748
RealPlayer RichFX Component Stack Overflow Vulnerability
Affected software: Windows RealPlayer SP 1.1.4 and prior; RealPlayer Enterprise 2.1.2 and prior.
Credit to Steve Manzuik of Microsoft Vulnerability Research (MSVR) for reporting this issue.

CVE-2010-3749
RealPlayer Browser Extension RecordClip Parameter Injection Vulnerability
Affected software: Windows RealPlayer SP 1.1 and prior.
Credit to Sean de Regge working with TippingPoint's Zero Day Initiative for reporting this issue.

Warranty:
RealNetworks Inc. endeavors to provide you with the highest quality products and services, but cannot guarantee, and does not warrant, that the operation of any RealNetworks product will be error-free, uninterrupted or secure. Please see your original license agreement for details of our limited warranty or warranty disclaimer.