[ISN] RealPlayer security fix is faulty

From: InfoSec News (isnat_private)
Date: Wed Nov 27 2002 - 00:36:41 PST

  • Next message: InfoSec News: "RE: [ISN] Crackers steal 52,000 university passwords"

    http://www.theregister.co.uk/content/55/28308.html
    
    By John Leyden
    Posted: 26/11/2002 at 17:49 GMT
    
    That nemesis of application security, the buffer overrun, has found
    its way into media players from RealNetworks.
    
    Three similar, though separate, flaws in RealPlayer (and its update
    RealOne) create a way for crackers to inject hostile code onto Windows
    boxes of victims induced to run maliciously constructed media files.  
    In common with most buffer overflow flaws (which are typically
    attributable to programming errors), hostile code could execute in the
    security context of the logged-on user/victim.
    
    All three flaws were discovered by NGS Software. It notified
    RealNetworks of the problem on November 1, and the company followed up
    with an advisory and security fixes on November 20.
    
    Problem is - the fixes don't work.
    
    Mark Litchfield, of NGS Software, found that patches failed to address
    the problem.
    
    Oh dear.
    
    The risk is compounded by the fact that Litchfield, acting in good
    faith, posted a detailed advisory on security mailing after receiving
    patches from RealNetworks - but before testing them - so now
    information on the issue has spread across the Net.
    
    "The problem is still out there now," Litchfield told us this
    afternoon. "There's no working fix nor any workaround. My only
    suggestion would be not to use RealPlayer (if you were paranoid
    enough) until a working patch is available."
    
    According to RealNetworks, there are currently around 115 million
    users worldwide of RealOne/RealPlayer.
    
    All the more reason to fix the problem ASAP.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Sat Nov 30 2002 - 12:15:55 PST