Language Selection

English French German Italian Portuguese Spanish

RealPlayer Flaws Trigger PC Hijack Alert

Filed under
Security

Digital-media delivery company RealNetworks on Thursday rolled out patches for four high-risk vulnerabilities in its flagship RealPlayer software, warning that the flaws put millions of users at risk of PC hijack attacks.

The Seattle, Wash.-based RealNetworks Inc. said the flaws can be exploited by remote attackers to execute arbitrary commands with the privileges of the logged-in user.

he company issued a high-risk alert and confirmed that all four flaws affect RealPlayer 10 and 10.5, RealOne Player versions 1 and 2 and RealPlayer 8.

RealPlayer Enterprise, the configurable version of RealPlayer designed for enterprise deployments, the Rhapsody 3 music service and the open-source Linux and Helix versions are also affected, the company warned.

The most serious of the four flaws could allow an attacker to create a malicious MP3 file to allow the overwriting of a local file or execution of an ActiveX control on a vulnerable machine.

RealNetworks said a malicious RealMedia file that used RealText could also be used as an attack mechanism to cause a heap overflow. This could allow an attacker to execute arbitrary code on a target machine.

A third vulnerability was described as buffer-overflow error in the "vidplin.dll" file that does not properly handle specially crafted AVI files. This could be exploited via malicious Web sites to execute arbitrary commands with the privileges of the logged-in user, RealNetworks said.

The company said a fourth vulnerability could be combined with default settings of earlier Internet Explorer browsers and exploited by a malicious Web site to create a local HTML file and then trigger an RM file to play which would then reference the local HTML file.

Full Story.

More in Tux Machines

In wake of Anonabox, more crowdsourced Tor router projects make their pitch

Last week, Ars reported on the story of Anonabox, an effort by a California developer to create an affordable privacy-protecting device based on the open source OpenWRT wireless router software and the Tor Project’s eponymous Internet traffic encryption and anonymization software. Anonabox was pulled from Kickstarter after accusations that the project misrepresented its product and failed to meet some basic security concerns—though its developers still plan to release their project for sale through their own website. But Anonabox’s brief campaign on Kickstarter has demonstrated demand for a simple, inexpensive way to hide Internet traffic from prying eyes. And there are a number of other projects attempting to do what Anonabox promised. On Kickstarter competitor Indiegogo there’s a project called Invizbox that looks almost identical to Anonabox—except for the approach its team is taking to building and marketing the device. Read more

Debian Now Defaults To Xfce On Non-x86 Desktops

Back in September Debian switched back to the GNOME desktop by default in place of Xfce for the upcoming Debian 8.0 "Jessie" release. However, as of today, the non-x86 versions of Debian have flip-flopped once again back to Xfce. Debian switched back to GNOME in September over reasons dealing with accessibility, systemd integration, and other factors when seeing what was the best fit to be the default for Debian 8 Jessie. However, now for platforms aside from x86 and x86_64, Xfce has returned to the default over poor experiences in using the GNOME Shell. Read more

Phoenix Is Trying To Be An Open Version Of Apple's Swift

Apple unveiled the Swift programming language at this year's WWDC event but sadly it's still not clear whether Apple will "open up" the language to let it appear on non-Apple platforms. Swift is built atop LLVM and designed to be Apple's successor to Objective-C in many regards while suppoorting C/Obj-C/Obj-C++ all within a single program. With non-Apple folks being interested in the language, it didn't take long before an open-source project started up around it. Ind.ie has today announced their Phoenix project that aims to be a free and open version of Apple's Swift programming language. The work is being led by Greg Casamento who is also the leader of GNUStep, the common open-source implementation of Apple's Cocoa frameworks. Read more

Google Chromebook quietly takes aim at the enterprise

Google's Chromebook is a cheap alternative to a more expensive Windows or Mac PC or laptop, but up until recently it lacked any specific administrative oversight tools for enterprise IT. While IT might have liked the price tag, they may have worried about the lack of an integrated tool suite for managing a fleet of Chromebooks. That's changed with release of Chromebook for Work, a new program designed to give IT that control they crave for Chromebooks. Read more