Updated March 22, 2006
RealNetworks, Inc. has addressed recently discovered security vulnerabilities that offered the potential for an attacker to run
arbitrary or malicious code on a customer’s machine. RealNetworks has received no reports of machines compromised as a result of
the now-remedied vulnerabilities. RealNetworks takes all security vulnerabilities very seriously.
The specific exploits were:
- Exploit 1: To execute a program on the local machine that was placed in the path of RealPlayer by a previous separate attack (CAN-2005-2936).
- Exploit 2: To fashion a malicious SWF file (Flash media) which could cause a buffer overrun on a customer's machine (CVE-2006-0323).
- Exploit 3: To house a specially crafted web page on a malicious server which could cause a heap overflow in the embedded player (CAN-2005-2922).
- Exploit 4: To fashion a malicious mbc file (mimio boardcast) which could cause a buffer overrun on a customer's machine.
Impacted Products and Versions:
This affects versions 1.1, 1.2, 1.5, 1.6 and 1.7 of RealPlayer Enterprise (standalone and
as configured by the RealPlayer Enterprise Manager).
To ensure that your Player is protected, we recommend installing the available update.
RealPlayer Enterprise Solution:
Please click here to get the updated RealPlayer Enterprise.
Your PAM site will contain a complete / updated copy of RPE.
RealNetworks would like to acknowledge John Heasman of NGS Software, Greg MacManus with iDEFENSE Labs, and Sowhat for bringing these
exploits to our attention as well as those who subsequently worked with RealNetworks to correct the vulnerabilities.
RealNetworks Inc. endeavors to provide you with the highest quality products and services, but cannot guarantee, and does not
warrant, that the operation of any RealNetworks product will be error-free, uninterrupted or secure. Please see your original license
agreement for details of our limited warranty or warranty disclaimer.