RealNetworks has issued a fix for a vulnerability identified as a malicious web page which affects the import method of an Active X control to cause a stack overflow in the Realplayer. CVE-2007-5601. This posting is applicable to versions of the product downloaded before October 25th, 2007.

RealPlayer 10.5 and RealPlayer 11 beta users should install the patch per the instructions below to address this security vulnerability that aims to cause buffer overflow that could provide the potential for an attacker to run arbitrary or malicious code on a user’s PC.

RealOne Player, RealOne Player v2 and RealPlayer 10 users should upgrade immediately to RealPlayer 10.5 or RealPlayer 11 beta following the instructions below.

For Windows XP, Windows 2000, Windows 98, Windows ME:

Please click here to install the patch for RealPlayer 10.5 and RealPlayer 11 beta.

Please click here to upgrade your player for RealOne Player and RealPlayer 10.

For Windows Vista:

Please click here to go to download a new player from the web.

Macintosh and Linux versions of RealPlayer are not at risk for this vulnerability. In addition, RealPlayer 8 and earlier versions of RealNetworks software for Windows are not affected. We are committed to providing our customers with timely and comprehensive information about our software. As such, we encourage users to check this site periodically for the latest updates.

Instructions

Windows Players:

If you are on Windows Vista, please click here to go to download a new player from the web.

RealPlayer 10.5 and RealPlayer 11 beta customers can get a patch to correct this issue. Please click here or to update your Player.

RealOne Player (English only), RealOne Player V2 and RealPlayer 10 customers require a full download to correct this issue. Please click here or use the following steps to upgrade your Player:

• In the Tools menu select Check for Update.
• Select the box next to the "RealPlayer 10.5 with Harmony™ Technology" component.
• Click Install to download and install the update.

Details for Potential Vulnerabilities:

The identified vulnerability is a malicious web page which affects the import method of an Active X control to cause a stack overflow in the Realplayer. CVE-2007-5601

Acknowledgements:

RealNetworks would like to acknowledge cert.org as well as those who subsequently worked with RealNetworks to correct the vulnerabilities.

Warranty:

RealNetworks Inc. endeavors to provide you with the highest quality products and services, but cannot guarantee, and does not warrant, that the operation of any RealNetworks product will be error-free, uninterrupted or secure. Please see your original license agreement for details of our limited warranty or warranty disclaimer.