Updated January 25, 2002
On January 17th, 2002, a security exploit affecting RealPlayer 8 was brought to the attention of RealNetworks. The specific exploit, commonly known as a "buffer overrun", could allow an attacker to run arbitrary code on a user's machine.
We have not yet received reports of anyone actually being attacked with this exploit. However, RealNetworks has found and fixed the problem.
The bug is a parsing error in the player code that reads RM files, of the kind commonly known as a "buffer overrun", which could theoretically be used by hackers to adversely affect users. The bug was fixed by improving the robustness of file parsing. When RealPlayer encounters a file modified in the manner described by this exploit, it now informs the user that the file is corrupt when the file is played.
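The kind of check that "improving the robustness of file parsing" implies, shown as an added illustration that is not RealNetworks' code and does not reproduce the actual RM defect. The chunk layout (4-byte tag, 4-byte big-endian length, payload), the names parse_chunk and FIELD_MAX, and the sample bytes are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32   /* size of the fixed destination buffer (assumed) */
enum { PARSE_OK = 0, PARSE_CORRUPT = -1 };

/* Read a 32-bit big-endian integer from p. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Hypothetical chunk: 4-byte tag, 4-byte big-endian payload length, payload.
 * Copies the payload into out as a NUL-terminated string. The unsafe form
 * is memcpy(out, buf + 8, len) with len trusted straight from the file.
 */
int parse_chunk(const uint8_t *buf, size_t buf_len, char out[FIELD_MAX]) {
    if (buf == NULL || out == NULL || buf_len < 8)
        return PARSE_CORRUPT;          /* header itself is truncated */
    uint32_t len = be32(buf + 4);
    if (len > buf_len - 8)             /* claims more data than the file holds */
        return PARSE_CORRUPT;
    if (len >= FIELD_MAX)              /* would overrun the destination */
        return PARSE_CORRUPT;
    memcpy(out, buf + 8, len);
    out[len] = '\0';
    return PARSE_OK;
}

/* Constructed sample inputs, not taken from any real RM file. */
const uint8_t good_chunk[]   = { 'N','A','M','E', 0,0,0,4, 'd','e','m','o' };
const uint8_t oversize_len[] = { 'N','A','M','E', 0xFF,0xFF,0xFF,0xFF, 'x' };
const uint8_t truncated[]    = { 'N','A','M','E', 0,0,0,16, 'a','b' };

int main(void) {
    char out[FIELD_MAX];
    if (parse_chunk(good_chunk, sizeof good_chunk, out) == PARSE_OK)
        printf("good chunk: \"%s\"\n", out);
    if (parse_chunk(oversize_len, sizeof oversize_len, out) == PARSE_CORRUPT)
        puts("oversize length: file is corrupt");
    if (parse_chunk(truncated, sizeof truncated, out) == PARSE_CORRUPT)
        puts("truncated payload: file is corrupt");
    return 0;
}
```

Both length checks are needed: the first compares the declared length against the bytes actually present in the file, the second against the size of the destination buffer.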
The following versions of the RealOne Player and RealPlayer are affected:
- RealOne Player
- RealPlayer 8
- RealPlayer 7
- RealPlayer G2 (Build # 18.104.22.168 or higher)
- RealPlayer Intranet 8
- RealPlayer Intranet 7
- RealPlayer 8
- RealPlayer 7
- RealOne Player Alpha for Linux 2.2
- RealPlayer 8 for UNIX
- RealPlayer 7 for UNIX
We have not yet received reports of anyone actually being attacked with this exploit. To ensure that your RealPlayer is protected, we recommend installing the updates available.
RealPlayer and RealOne Player for Windows and RealPlayer for Macintosh
Updates for the RealPlayer 8 and RealOne Player on Windows and Macintosh platforms are available via the RealPlayer AutoUpdate Service.
RealOne Player users:
To download the RealMedia File Format Update, go to Tools...Check for update. Select the box next to RealMedia File Format Update and click the Install button below to download and install the update.
RealPlayer 8 users:
To download the RealMedia File Format Update, go to Help...Check for update. Select the box next to RealMedia File Format Update and click the button below to download and install the update.
RealPlayer 7 and RealPlayer G2 customers:
This update is not available for these versions. Please download RealOne Player or RealPlayer 8 from www.real.com.
If you are running RealPlayer Intranet version 8 or 7, download and deploy the library available below. To deploy the file, copy it to the \Program Files\Common Files\Real\Plugins directory.
If you are going to create new versions of RealPlayer Intranet, please use the following directions.
- Download rmff3260.dll from the link above.
- Place rmff3260.dll into the C:\Program Files\Real\RealPlayer Intranet Administrator\IntranetPlayer\win32\Plins directory. Overwrite the version that was previously there.
- Start the RealPlayer Intranet Administrator administration pages.
- Generate a new version of your players. The newly generated version of the player will now include the updated .dll.
RealPlayer for UNIX
If you are running RealPlayer for UNIX version 8 or RealOne Player Alpha for Linux, download the appropriate library available below. To use the update, the file "rmffplin.so.6.0" should be copied to your ~/RealPlayer8/Plugins directory, or the Plugins sub-directory wherever you chose to install RealPlayer.
RealOne Player Alpha for Linux 2.2
Linux 2.0 (libc6 i386)
Linux 2.2 (libc6 i386)
Unfortunately, we are not able to provide updates for all Players available on unsupported platforms at this time.
If you are running RealPlayer 7 or earlier on UNIX, please update to either RealPlayer 8 or RealOne Player and download the libraries above.
RealNetworks would like to thank Tim Morgan for reporting this issue to us and working with us to protect customers from unauthorized access to sensitive or proprietary information.
While RealNetworks endeavors to provide you with the highest quality products and services, we cannot guarantee and do not warrant that the operation of any RealNetworks product will be error-free, uninterrupted or secure. See your original license agreement for details of our limited warranty or warranty disclaimer.