Real Customer Supportbypass navigation Customer Support

RealNetworks, Inc. Releases Update to Address Security Vulnerabilities.

Updated September 28, 2004

RealNetworks Inc. has recently been made aware of security vulnerabilities that could potentially allow an attacker to run arbitrary or malicious code on a user's machine. While we have not received reports of anyone actually being attacked with this exploit, all security vulnerabilities are taken very seriously by RealNetworks Inc. Real has found and fixed the problem.

The specific exploits were:

  • Exploit 1: To fashion an RM file which corrupts the Player when run from a local drive and which might allow an attacker to execute arbitrary code on a user's machine.
  • Exploit 2: To fashion a web page with malformed calls, corrupting the embedded Player, and which might allow an attacker to execute arbitrary code on a user's machine.
  • Exploit 3: To fashion a web page and a media file to allow deletion of a file in a path known to the attacker.

Affected Software:

Windows
Software Affected? Language Update Available?
RealPlayer 10.5 (6.0.12.1053) No All Supported Not required
RealPlayer 10.5 (6.0.12.1040) Yes English Requires upgrade
RealPlayer 10.5 Beta (6.0.12.1016) Yes English Requires upgrade
RealPlayer 10 Yes All Supported Requires upgrade
RealOne Player v1, v2 Yes All Supported Requires upgrade
RealPlayer 8 By #1 All Supported Requires upgrade
RealPlayer Enterprise By #1 English Yes

Note: To see your Player version number (6.0.12.xxxx), select Help > About in the Player menus.


Mac
Software Affected? Language Update Available?
Mac RealPlayer 10 No All Supported Not required
Mac RealPlayer 10 Beta By #1 English Requires upgrade
Mac RealOne Player By #1 English Yes

Linux
Software Affected? Language Update Available?
Linux RealPlayer 10 By #1 English Yes
Helix Player By #1 English Yes

Handheld Devices
Software Affected? Language Update Available?
Nokia Series60 Handsets No English Not Required
Helix Player for Symbian No English Not Required
RealPlayer for Palm No English Not Required
RealOne Player for Palm No English Not Required

Workaround:

To ensure that your Player is protected, we recommend installing the available updates.


UPDATES


Windows Players:

RealOne Player (English only), RealOne Player v2, RealPlayer 10, and RealPlayer 10.5 (English only) requires a full download to correct this issue:

  1. In the Tools menu select Check for Update.
  2. Select the box next to the "RealPlayer 10.5 with Harmony™ Technology" component.
  3. Click Install to download and install the update.

RealPlayer 8 (version 6.0.9.584):

  1. Go to the Help menu.
  2. Select Check for Update.
  3. Select the box next to the "RealPlayer 10.5 with Harmony™ Technology" component.
  4. Click Install to download and install the update.
  5. Then, follow the steps outlined above for RealPlayer 10 to add any additional security fixes.

RealPlayer Enterprise Solution:

Please click here to get a patch for your RealPlayer Enterprise.

RealOne Player for Mac OS X Players:

Mac OS X 10.2 and later:
Please click here to get the latest RealPlayer 10 for Mac OS X.

Mac OS X 10.1:
Please click here to get an updated RealOne Player for Mac OS X.

Linux Players:

Please click here to get an updated RealPlayer 10 for Linux.

Please click here to get an updated Helix Player for Linux.

German
English
Spanish
French
Italian
Portuguese
Japanese
Korean
Simplified Chinese
Traditional Chinese

Acknowledgements:

RealNetworks would also like to acknowledge John Heasman, eEye Digital Security, as well as other contributors for bringing these exploits to our attention and to all those who subsequently worked with us to correct the vulnerabilities.

Warranty:

While RealNetworks Inc. endeavors to provide you with the highest quality products and services, we cannot guarantee and do not warrant that the operation of any Real product will be error-free, uninterrupted or secure. See your original license agreement for details of our limited warranty or warranty disclaimer.