High Risk Vulnerability in RealPlayer for Windows

From: NGSSoftware Insight Security Research (nisr_at_nextgenss.com)
Date: 06/27/05

  • Next message: ActionSpider_at_securityfocus.com,: "Cross-Site Scripting (CSS) in Hosting Controller All Version and hot fix it hehe ;)"
    To: <vulnwatch@vulnwatch.org>, <bugtraq@securityfocus.com>, <ntbugtraq@listserv.ntbugtraq.com>
    Date: Mon, 27 Jun 2005 21:50:50 +0100
    
    

    John Heasman of NGSSoftware has discovered a high risk vulnerability in
    RealPlayer for Windows.

    Versions affected include:

    RealPlayer 10.5 (6.0.12.1040-1069)
    RealPlayer 10
    RealOne Player v2
    RealOne Player v1

    RealPlayer 10.5 (6.0.12.1212) is NOT affected.

    The flaw permits the overwriting of a local file or execution of an ActiveX
    control via a malformed MP3 file.

    The patch can be downloaded from

    http://service.real.com/help/faq/security/050623_player/EN/

    NGSSoftware are going to withhold details of this flaw for three
    months. Full details will be published on the 27th of September 2005. This
    three month window will allow users of RealPlayer the time needed to apply
    the patch before the details are released to the general public. This
    reflects NGSSoftware's approach to responsible disclosure.

    NGSSoftware Insight Security Research
    http://www.ngssoftware.com
    http://www.databasesecurity.com/
    http://www.nextgenss.com/
    +44(0)208 401 0070


  • Next message: ActionSpider_at_securityfocus.com,: "Cross-Site Scripting (CSS) in Hosting Controller All Version and hot fix it hehe ;)"

    Relevant Pages