Heap-based buffer overflow reported in RealNetworks RealPlayer

Update 07/25/2008: Aaron Portnoy of TippingPoint’s security research group was kind enough to point out that I’m actually not affected by this, since I’ve installed the newest version of RealPlayer. From Aaron’s email:

Notice the Secunia advisory states it affects RealPlayer 10.5… the latest is 11.x, which now uses the adobe module located in your system32 directory. If you don’t have the adobe flash player installed, it should prompt you to install it. Real no longer ships their really-really-really buggy swf parser.

So, it’s likely that bug doesn’t affect the RealPlayer you installed assuming you installed the latest.

My bad for not checking the version on my system, but, that said, many of you still may be vulnerable as people tend to patch things like video players pretty infrequently… which tends to be a bad idea considering how buggy they are (see QuickTime). Thanks Aaron!

RealPlayer Secunia Research is reporting a heap-based buffer overflow vulnerability in the widely used RealPlayer video player. I can only say this would’ve been nice to have had patch before I installed RealPlayer to listen to the Black Hat webcast, but I’m scrambling to uninstall now, so hopefully all is well.

FYI a patch does not currently exist, so you may consider at least a temporary uninstall.

Click read more for the details.

The details are provided from Secunia below:

Affected Software
RealNetworks RealPlayer Version 10.5 Build
NOTE: Other versions may also be affected.

Rating: Highly critical
Impact: System access
Where: From remote

Description of Vulnerability
Secunia Research has discovered a vulnerability in RealPlayer, which can potentially be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to a design error within the handling of frames in Shockwave Flash (SWF) files and can be exploited to cause a heap-based buffer overflow.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is fixed in an upcoming release.

Time Table
16/11/2007 - Vendor notified.
22/11/2007 - Vendor notified again.
26/11/2007 - Vendor response and request PoC.
29/11/2007 - Sent PoC to vendor.
03/01/2008 - Confirmation that vendor able to reproduce vulnerability.
27/05/2008 - Requested update from vendor.
07/07/2008 - Vendor confirms update is pending.
23/07/2008 - Vendor confirms disclosure date.
25/07/2008 - Public disclosure.

[Source: zdnet]