July 28, 2008, 9:43 AM — RealNetworks has issued four critical patches for several versions of its RealPlayer running on Windows, Linux and Apple's Mac OS X.
The flaws could allow a hacker to run malicious code on a PC or cause the computer to reveal information, according to an advisory from Secunia, a security vendor based in Denmark.
RealPlayer is an application that plays audio and video streamed over the Internet.
RealNetworks has published a table detailing which vulnerabilities affect certain player versions on the different platforms. Some users will need to download an entire new version of the application, while others may be able to just download patches.
One of the problems involves the handling of frames in SWF (Shockwave Flash) files due to a design error, which can cause a heap-based buffer overflow, Secunia said.
Another problem causes a stack-based buffer overflow when a media file is imported using an ActiveX control, Microsoft's technology that adds extra functionality to Web pages.
A third flaw is described by RealPlayer as allowing local resources to be accessed. The fourth also involves ActiveX, where a timing issue with "Controls", "Console", or "WindowName" properties can be maliciously manipulated to corrupt RealPlayer's memory, Secunia said.
Secunia ranked the flaws as "highly critical," the vendor's second-highest ranking of risk. The flaws were found by Peter Vreugdenhil, Elazar Broad, Dyon Balding of Secunia and another anonymous researcher, Secunia said.
