
RealPlayer Flaws Trigger PC Hijack Alert

Filed under
Security

Digital-media delivery company RealNetworks on Thursday rolled out patches for four high-risk vulnerabilities in its flagship RealPlayer software, warning that the flaws put millions of users at risk of PC hijack attacks.

The Seattle, Wash.-based RealNetworks Inc. said the flaws can be exploited by remote attackers to execute arbitrary commands with the privileges of the logged-in user.

The company issued a high-risk alert and confirmed that all four flaws affect RealPlayer 10 and 10.5, RealOne Player versions 1 and 2 and RealPlayer 8.

RealPlayer Enterprise, the configurable version of RealPlayer designed for enterprise deployments, the Rhapsody 3 music service and the open-source Linux and Helix versions are also affected, the company warned.

The most serious of the four flaws could allow an attacker to craft a malicious MP3 file that overwrites a local file or executes an ActiveX control on a vulnerable machine.

RealNetworks said a malicious RealMedia file containing RealText could also trigger a heap overflow, which could let an attacker execute arbitrary code on the target machine.

A third vulnerability was described as a buffer-overflow error in the "vidplin.dll" file, which does not properly handle specially crafted AVI files. This could be exploited via malicious Web sites to execute arbitrary commands with the privileges of the logged-in user, RealNetworks said.

The company said a fourth vulnerability, combined with the default settings of earlier Internet Explorer versions, could let a malicious Web site create a local HTML file and then play an RM file that references it; in those browsers, content loaded from the local file system ran with fewer restrictions than content from the Web.
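Three of the four flaws (the RealText heap overflow, the AVI overflow in vidplin.dll and the RM file used as a trigger) begin with a crafted media file whose declared sizes do not match its contents. The script below is an added example, not code from the article or from RealNetworks: it walks the chunk table of a RIFF/AVI or RealMedia (.RMF) file and reports any chunk whose declared length overruns the file or is too small to hold its own header. It is a triage heuristic for malformed samples, not a detector for these particular bugs. The sample files it checks are constructed inline, and it assumes the RealMedia convention that a chunk's size field counts the whole chunk including its 10-byte header.

```python
"""Chunk-table sanity check for RIFF/AVI and RealMedia (.RMF) containers.

Added example, not RealNetworks code. Flags chunks whose declared size does
not fit the bytes that follow. Sample inputs are constructed below.
"""
import struct
import sys


def riff_chunk(fourcc: bytes, payload: bytes, declared_size=None) -> bytes:
    """RIFF chunk: fourcc, little-endian size, payload padded to even length.
    declared_size lets a test build a chunk that lies about its length."""
    size = len(payload) if declared_size is None else declared_size
    pad = b"\x00" if len(payload) % 2 else b""
    return fourcc + struct.pack("<I", size) + payload + pad


def riff_file(chunks) -> bytes:
    """Wrap chunks in a RIFF container with the 'AVI ' form type."""
    body = b"AVI " + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def rmf_chunk(cid: bytes, payload: bytes, declared_size=None) -> bytes:
    """RealMedia chunk: id, big-endian size, 16-bit version, payload.
    Assumption: the size field counts the whole chunk, header included."""
    size = 10 + len(payload) if declared_size is None else declared_size
    return cid + struct.pack(">IH", size, 0) + payload


def check_container(data: bytes) -> list:
    """Return human-readable findings for inconsistent chunk sizes.
    An empty list means the chunk table is self-consistent; it says nothing
    about the payloads themselves. Walking stops at the first bad chunk,
    because every later offset is derived from untrusted sizes."""
    findings = []
    if data[:4] == b"RIFF":
        if len(data) < 12:
            return ["RIFF header truncated"]
        riff_len = struct.unpack_from("<I", data, 4)[0]
        if riff_len + 8 > len(data):
            findings.append(f"RIFF size {riff_len} exceeds file length {len(data) - 8}")
        off = 12  # skip 'RIFF', size and the form type ('AVI ')
        while off + 8 <= len(data):
            fourcc = data[off:off + 4]
            size = struct.unpack_from("<I", data, off + 4)[0]
            if off + 8 + size > len(data):
                findings.append(f"chunk {fourcc!r} at offset {off}: declared size {size} "
                                f"exceeds remaining {len(data) - off - 8}")
                break
            off += 8 + size + (size & 1)  # RIFF pads odd sizes to even
    elif data[:4] == b".RMF":
        off = 0
        while off + 10 <= len(data):
            cid = data[off:off + 4]
            size = struct.unpack_from(">I", data, off + 4)[0]
            if size < 10:
                findings.append(f"chunk {cid!r} at offset {off}: declared size {size} is smaller "
                                f"than its 10-byte header (a naive walker would loop forever here)")
                break
            if off + size > len(data):
                findings.append(f"chunk {cid!r} at offset {off}: declared size {size} "
                                f"exceeds remaining {len(data) - off}")
                break
            off += size
    else:
        findings.append("unrecognised container")
    return findings


# Constructed samples (not real files): one consistent and one lying variant each.
GOOD_AVI = riff_file([riff_chunk(b"hdrl", b"\x00" * 16),
                      riff_chunk(b"movi", b"\x01" * 7)])
BAD_AVI = riff_file([riff_chunk(b"hdrl", b"\x00" * 16, declared_size=0x7FFFFFF0)])
GOOD_RM = (rmf_chunk(b".RMF", struct.pack(">II", 0, 2))
           + rmf_chunk(b"PROP", b"\x00" * 40)
           + rmf_chunk(b"DATA", b"\x00" * 8))
BAD_RM = (rmf_chunk(b".RMF", struct.pack(">II", 0, 1))
          + rmf_chunk(b"DATA", b"\x00" * 8, declared_size=0xFFFFFFFF))
LOOPING_RM = (rmf_chunk(b".RMF", struct.pack(">II", 0, 1))
              + rmf_chunk(b"CONT", b"", declared_size=0))

if __name__ == "__main__":
    # With file paths on the command line, check those; otherwise the samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, check_container(fh.read()) or "ok")
    else:
        for name in ("GOOD_AVI", "BAD_AVI", "GOOD_RM", "BAD_RM", "LOOPING_RM"):
            print(name, check_container(globals()[name]) or "ok")
```

Note that a size field of zero in the RealMedia walker is as dangerous to the checker as an oversized one: a walker that simply advances by the declared size never terminates, so the check on the minimum size is what keeps the tool itself robust against the inputs it is meant to triage.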

