
Thread: RealPlayer vulns/updates - archive

  1. #11
    Member
    Join Date
    Feb 2008
    Location
    Wales, UK
    Posts
    49

    You're right, we'll have to wait and see. I'm not surprised that Real haven't updated their site, but I would have thought that Secunia would have done so, maybe they will soon. I can understand RealPlayer 11xx not appearing on the Secunia Software Inspector before as there hadn't been any critical updates, perhaps it'll be there before long. I'll be checking it out often anyway!

  2. #12
    Adviser Team AplusWebMaster
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    RealPlayer exploit in the wild

    FYI...

    - http://preview.tinyurl.com/2trstc
    April 3, 2008 (Symantec Security Response Weblog) - "...Update: It appears that this vulnerability has been patched within RealPlayer version 11.0.2 (build 6.0.14.802), which is now available for download. It contains version 6.0.10.50 of the rmoc3260.dll file, which we have determined no longer contains the vulnerability. Current RealPlayer users can use the Check for Update utility, which will also install a version of the .dll file that is no longer vulnerable to this exploit."

    - http://secunia.com/advisories/29315/
    "...Solution: Update to version 11.0.2 (build 6.0.14.802) via e.g. "Check for Update" in the "Help->About RealPlayer" menu..."

    Still no advisory posted about the release here:
    - http://service.real.com/realplayer/security/en/
    (Last updated) - October 25, 2007 RealPlayer Update
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  3. #13
    Adviser Team AplusWebMaster
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    RealPlayer SWF vuln...

    FYI...

    - http://secunia.com/advisories/27620/
    Last Update: 2008-07-29
    Critical: Highly critical
    Impact: System access
    Where: From remote
    Solution Status: Partial Fix [also see Real advisory below*]
    Software: RealPlayer 10.x ...
    > http://secunia.com/secunia_research/2007-93/advisory/ ...
    Changelog: ...2008-07-29: Updated advisory based on additional information from Secunia Research showing that the updated RealPlayer 11.0.3 Build 6.0.14.806 is still affected by vulnerability #1 when handling the "Controls" and "WindowName" properties. Updated status and "Solution" sections... users are advised to set the kill-bit for the ActiveX control...

    * http://service.real.com/realplayer/s...008_player/en/
    Updated July 25, 2008
    ...Details for Potential Vulnerabilities:
    * Vulnerability 1: The identified vulnerability is a RealPlayer ActiveX controls property heap memory corruption;
    http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1309
    Last revised: 3/13/2008
    * Vulnerability 2: The identified vulnerability is a Local resource reference vulnerability in RealPlayer;
    - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3064
    Original release date: 7/28/2008*...
    * Vulnerability 3: The identified vulnerability is a RealPlayer SWF file heap-based buffer overflow;
    - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5400
    Original release date: 7/28/2008*...
    * Vulnerability 4: The identified vulnerability is a RealPlayer ActiveX import method buffer overflow;
    - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3066
    Original release date: 7/28/2008 - *"...vulnerability is currently undergoing analysis and not all information is available..."

    NOTES:
    1. CVE details "...currently undergoing analysis..."
    2. Problems w/install of update - hangs w/CPU at 100%.

    Last edited by AplusWebMaster; 2008-07-29 at 13:37. Reason: Updated per Secunia and CVE notes...
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
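
The Secunia changelog quoted in post #13 advises setting the kill-bit for the ActiveX control. The following is an added example, not part of the thread or of either advisory: a PowerShell audit that reports whether the kill-bit is set in both registry views, with an opt-in function to set it. The CLSID is a placeholder (the thread does not give one), and the function names are hypothetical; the registry locations are the standard Internet Explorer "ActiveX Compatibility" keys.

```powershell
# Added example. The CLSID is a PLACEHOLDER: take the real value from the vendor advisory.
$Clsid   = '{00000000-0000-0000-0000-000000000000}'
$KillBit = 0x400   # bit in "Compatibility Flags" that stops IE from loading the control
$Roots   = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',             # native view
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'  # 32-bit IE on 64-bit Windows
)

function Get-KillBitStatus {
    param([string]$Clsid, [string[]]$Roots, [int]$KillBit)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }   # view absent on this OS
        $key   = Join-Path $root $Clsid
        $flags = $null
        if (Test-Path -LiteralPath $key) {
            $item = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
            if ($item -and ($item.PSObject.Properties.Name -contains 'Compatibility Flags')) {
                $flags = [int]$item.'Compatibility Flags'
            }
        }
        [pscustomobject]@{
            Key        = $key
            Flags      = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(absent)' }
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-KillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Clsid, [string[]]$Roots, [int]$KillBit)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $key = Join-Path $root $Clsid
        if (-not $PSCmdlet.ShouldProcess($key, 'Set kill-bit')) { continue }
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key | Out-Null }
        # Preserve any flags already present and OR in the kill-bit.
        $old = (Get-ItemProperty -LiteralPath $key).'Compatibility Flags'
        New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ([int]$old -bor $KillBit) -Force | Out-Null
    }
}

Get-KillBitStatus -Clsid $Clsid -Roots $Roots -KillBit $KillBit | Format-Table -AutoSize
# Run elevated; preview the change with -WhatIf first:
# Set-KillBit -Clsid $Clsid -Roots $Roots -KillBit $KillBit -WhatIf
```

A control counts as blocked only when `KillBitSet` is true in every view that exists on the machine, since 32-bit Internet Explorer on 64-bit Windows reads the WOW6432Node key.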
