RealPlayer vulns/updates - archive

[AplusWebMaster]

FYI...

- http://secunia.com/advisories/29315/
Release Date: 2008-03-11
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: RealPlayer 11.x ...
...The vulnerability is confirmed in RealPlayer version 11.0.1 (build 6.0.14.794) including rmoc3260.dll version 6.0.10.45. Other versions may also be affected.
Solution: Set the kill-bit for the affected ActiveX control...

[AplusWebMaster]

Follow-up...

- http://isc.sans.org/diary.html?storyid=4120
Last Updated: 2008-03-11 12:23:41 UTC - "Real player is probably installed on many of your computers, and an exploit for an unpatched vulnerability was made public on the full-disclosure mailing list.
As a result, those using ActiveX capable browsers (read: MSIE) are vulnerable to attack, with no patch on the horizon yet.
Workarounds:
* Set killbits for:
rmoc3260.dll version 6.0.10.45
{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}
{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}
But this will also remove the genuine functionality of the player.
* Use a browser that doesn't support ActiveX (there's plenty of those)..."

[MadelineC]

I think this vulnerability may have been patched now. I check approx once a week for updates in Real Player 11 and yesterday there was a critical update which I downloaded immediately. My version of Real Player is now shown as:
Version 11.0.2
Build: 6.0.14.802
Previously I had Version 11.0.1, Build: 6.0.14.794 as shown in your first post.
I have told Secunia about this in case it might be useful to them.

[AplusWebMaster]

FYI... this looks like the one, but it still shows as "...Unpatched":

- http://secunia.com/advisories/29315/
Release Date: 2008-03-11
Last Update: 2008-03-19
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched <<<
Software: RealPlayer 11.x
...The vulnerability is confirmed in RealPlayer version 11.0.1 (build 6.0.14.794) including rmoc3260.dll version 6.0.10.45. Other versions may also be affected.
Solution: Set the kill-bit for the affected ActiveX control...
------------

Last update shown on their website:
- http://service.real.com/realplayer/s...index.html#web
dated: # October 25, 2007 RealPlayer Update - Security update.

...still, it could be they just haven't "announced" it yet with a post, 'don't know. Why they wouldn't have "confirmed" the fix there is an unknown.

[MadelineC]

I did say it 'may' have been patched! I wouldn't know for sure, but I had checked a few days earlier and there wasn't a critical update available then. I've got an item in the 'Installed Components' section called 'SecurityUpdate 1.0.0.1', so presumably that's what I got a couple of days ago.
I didn't really expect a response from Secunia immediately as I imagine they'd have to check it and it's the Easter weekend, so things might be slower at the moment.
I had that update of 25.10.2007 as I had v10.5 then and the build I had needed the update. Later I updated to v11.0.1 through the program.
As I use Firefox most of the time and only rarely use IE7, I'll pass on the kill-bit for now, it looks complicated and very difficult to undo. Firefox doesn't support ActiveX.

[MadelineC]

I meant to say too that it may be that Real aren't very good at keeping their site up to date even when they've issued a critical update. Also my message to Secunia might be the first they've heard of it. It does say to contact them if you have any new information which is what I did.

[MadelineC]

You're right, we'll have to wait and see. I'm not surprised that Real haven't updated their site, but I would have thought that Secunia would have done so, maybe they will soon. I can understand RealPlayer 11xx not appearing on the Secunia Software Inspector before as there hadn't been any critical updates, perhaps it'll be there before long. I'll be checking it out often anyway!

[AplusWebMaster]

FYI...

- http://preview.tinyurl.com/2trstc
April 3, 2008 (Symantec Security Response Weblog) - "...Update: It appears that this vulnerability has been patched within RealPlayer version 11.0.2 (build 6.0.14.802), which is now available for download. It contains version 6.0.10.50 of the rmoc3260.dll file, which we have determined no longer contains the vulnerability. Current RealPlayer users can use the Check for Update utility, which will also install a version of the .dll file that is no longer vulnerable to this exploit."

- http://secunia.com/advisories/29315/
"...Solution: Update to version 11.0.2 (build 6.0.14.802) via e.g. "Check for Update" in the "Help->About RealPlayer" menu..."

'Still no advisory posted about the release here:
- http://service.real.com/realplayer/security/en/
(Last updated) - October 25, 2007 RealPlayer Update

[AplusWebMaster]

FYI...

- http://secunia.com/advisories/27620/
Last Update: 2008-07-29
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Partial Fix [also see Real advisory below*]
Software: RealPlayer 10.x ...
> http://secunia.com/secunia_research/2007-93/advisory/ ...
Changelog: ...2008-07-29: Updated advisory based on additional information from Secunia Research showing that the updated RealPlayer 11.0.3 Build 6.0.14.806 is still affected by vulnerability #1 when handling the "Controls" and "WindowName" properties. Updated status and "Solution" sections... users are advised to set the kill-bit for the ActiveX control...

* http://service.real.com/realplayer/s...008_player/en/
Updated July 25, 2008
...Details for Potential Vulnerabilities:
* Vulnerability 1: The identified vulnerability is a RealPlayer ActiveX controls property heap memory corruption;
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1309
Last revised: 3/13/2008
* Vulnerability 2: The identified vulnerability is a Local resource reference vulnerability in RealPlayer;
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3064
Original release date: 7/28/2008*...
* Vulnerability 3: The identified vulnerability is a RealPlayer SWF file heap-based buffer overflow;
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5400
Original release date: 7/28/2008*...
* Vulnerability 4: The identified vulnerability is a RealPlayer ActiveX import method buffer overflow;
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3066
Original release date: 7/28/2008 - *"...vulnerability is currently undergoing analysis and not all information is available..."

NOTES:
1. CVE details "...currently undergoing analysis..."
2. Problems w/install of update - hangs w/CPU at 100%.