
RealPlayer View Clip Source Vulnerability

On March 4th, 2002, a security exploit affecting RealPlayer was brought to the attention of RealNetworks. The exploit involves the View Clip Source feature of RealPlayer on multi-user systems.

We have not yet received reports of anyone actually being attacked with this exploit. However, RealNetworks has found and fixed the problem.

The vulnerability exists on multi-user systems when the View Clip Source capability is used on a local file and the user subsequently leaves RealPlayer running. In these circumstances, another user on the same system could potentially connect to the running player and use View Clip Source to gain read access to files that RealPlayer has been authorized to play back.

This vulnerability has been fixed. Currently, content in the RealPlayer file format that has been played and viewed in an active RealPlayer session can be viewed again by another user.

Affected Software:

The following versions of the RealOne Player and RealPlayer are affected:

Windows

  • RealOne Player
  • RealPlayer 8
  • RealPlayer Intranet 8

Macintosh

  • RealPlayer 8

UNIX

  • RealOne Player Alpha for Linux 2.2
  • RealPlayer 8 for UNIX

Workaround:

We have not yet received reports of anyone actually being attacked with this exploit. To ensure that your RealPlayer is protected, we recommend installing the updates available.

RealOne Player for Windows

To download the View Source Plug-in Update, go to Tools, Check for update. Select the box next to View Source Plug-in Update and click the Install button below to download and install the update.

RealPlayer 8 for Windows and Macintosh

To download the View Source Plug-in Update, go to Help...Check for update. Select the box next to View Source Plug-in Update and click the button below to download and install the update.

RealPlayer 7 and RealPlayer G2 for Windows and Macintosh

This update is not available for these versions. Please download RealOne Player or RealPlayer 8 from www.real.com.

RealPlayer Intranet

If you are running RealPlayer Intranet version 8, download and deploy the library available below. To deploy the file, copy it to the \Program Files\Common Files\Real\Plugins directory.
Vrsc3260.dll

If you are going to create new versions of RealPlayer Intranet, please use the following directions.

  1. Download vrsc3260.dll from the link above.
  2. Place vrsc3260.dll into the C:\Program Files\Real\RealPlayer Intranet Administrator\IntranetPlayer\win32\Plins directory. Overwrite the version that was previously there.
  3. Start the RealPlayer Intranet Administrator administration pages.
  4. Generate a new version of your players. The newly generated version of the player will now include the updated .dll.

RealPlayer for UNIX

If you are running RealPlayer for UNIX version 8 or RealOne Player Alpha for Linux, download the appropriate library available below. To use the update, the file "vrscplin.so.6.0" should be copied to your ~/RealPlayer8/Plugins directory, or the Plugins sub-directory wherever you chose to install RealPlayer.

RealOne Player Alpha for Linux 2.2 (libc6 i386)

RealPlayer 8 for Linux 2.2 (libc6 i386)

Unfortunately, we are not able to provide updates for all Players available on unsupported platforms at this time.

If you are running RealPlayer 7 or earlier on UNIX, please update to either RealPlayer 8 or RealOne Player and download the libraries above.
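
On a multi-user UNIX host, the copy step above can be checked for every user's install. The following script is an added example, not RealNetworks code; it assumes each install lives at <home>/RealPlayer8 (the advisory's default location), that the existing plugin carries the same file name as the update, and that the updated library has already been downloaded to a local path. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit and update per-user RealPlayer 8 installs on a multi-user host.
# Assumptions: installs live at <home>/RealPlayer8, and the old plugin uses the
# same file name as the update.

PLUGIN=vrscplin.so.6.0   # file name given in the advisory

# plugin_status REF HOME_DIR -> prints updated | outdated | missing | no-install
plugin_status() {
    ref=$1; home=$2
    dir="$home/RealPlayer8/Plugins"
    [ -d "$dir" ] || { echo no-install; return 0; }
    [ -f "$dir/$PLUGIN" ] || { echo missing; return 0; }
    # Byte-for-byte comparison against the downloaded update
    if cmp -s "$ref" "$dir/$PLUGIN"; then echo updated; else echo outdated; fi
}

# audit_homes REF HOME_ROOT -> one "status<TAB>home" line per directory under HOME_ROOT
audit_homes() {
    ref=$1; root=$2
    [ -r "$ref" ] || { echo "reference library not readable: $ref" >&2; return 2; }
    for home in "$root"/*/; do
        [ -d "$home" ] || continue
        home=${home%/}
        printf '%s\t%s\n' "$(plugin_status "$ref" "$home")" "$home"
    done
}

# deploy_update REF HOME_DIR: back up the old plugin, copy the update, verify the copy
deploy_update() {
    ref=$1; home=$2
    dest="$home/RealPlayer8/Plugins/$PLUGIN"
    [ -d "$home/RealPlayer8/Plugins" ] || return 1
    [ -f "$dest" ] && cp -p "$dest" "$dest.bak"
    cp "$ref" "$dest" && cmp -s "$ref" "$dest"
}

# Direct use: sh audit.sh /path/to/downloaded/vrscplin.so.6.0 /home
if [ "$#" -eq 2 ]; then audit_homes "$1" "$2"; fi
```

Any home reported as outdated or missing still needs the copy step; players that were already running should be restarted so the replaced library is loaded.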

Acknowledgement:

This vulnerability was found by exe@flashmail.com on bugtraq@securityfocus.com.

Warranty:

While RealNetworks endeavors to provide you with the highest quality products and services, we cannot guarantee and do not warrant that the operation of any RealNetworks product will be error-free, uninterrupted or secure. See your original license agreement for details of our limited warranty or warranty disclaimer.