RealNetworks audits media player code

Zardon · Dec 13, 2002, 05:46 PM

REALNETWORKS HAS REVIEWED the code of its media player software and will deliver a patch by Christmas to fix all security flaws it has found, the company said Wednesday.

"RealNetworks has undertaken a comprehensive review of all of the RealOne Player code to reduce the possibility that any vulnerabilities remain. An update of the RealOne Player that contains identified fixes will be available by December 25," RealNetworks said in a statement sent via e-mail.

The company also plans to release an update for its Helix Universal Server products next week "to address certain potential vulnerabilities," according to a statement on its Web site posted Thursday. Server versions prior to Helix Universal Server (9.0.2.766) are not affected, RealNetworks said.

A security expert has identified nine vulnerabilities in the Windows versions of the RealOne Player and RealPlayer. By encouraging the user to download a malformed file, an attacker could take over a user's computer. RealNetworks released a patch to fix three of the flaws late last month, but that patch was flawed. The company has been working on a new patch since then.

RealNetworks stresses that it has received no reports of any attacks, but that it takes all potential vulnerabilities very seriously and continues to work with security professionals to verify and fix the "buffer overrun" errors.

Mark Litchfield, a security researcher with Next Generation Security Software of Sutton, England, discovered the flaws in the RealNetworks software and first alerted the Seattle company in early November. Litchfield said on Thursday that he is no longer working on the issue with RealNetworks, but praised the company for its swift action, even if it took the company about a month to come with a patch.

"Real has turned out to be one of the quickest vendors to patch their issues. Some of the large software vendors take up to a year to patch vulnerabilities," said Litchfield.

Litchfield also identified three buffer overrun flaws in RealNetworks' Helix Universal Server media server product. The product is used by many to offer online streaming media. RealNetworks has already sent Litchfield a test version of the patch to fix the flaws in Helix Universal Server and that patch worked, he said.

RealNetworks will post the media player update on a special page on its Web site: http://service.real.com/help/faq/sec...un_player.html

The security information on Helix Universal Server is at: http://service.real.com/help/faq/security/ Joris Evers

Dec 13, 2002, 05:46 PM	#1
Zardon DriverHeaven Founder Join Date: May 2002 Posts: 32,480 Rep Power: 177	RealNetworks audits media player code REALNETWORKS HAS REVIEWED the code of its media player software and will deliver a patch by Christmas to fix all security flaws it has found, the company said Wednesday. "RealNetworks has undertaken a comprehensive review of all of the RealOne Player code to reduce the possibility that any vulnerabilities remain. An update of the RealOne Player that contains identified fixes will be available by December 25," RealNetworks said in a statement sent via e-mail. The company also plans to release an update for its Helix Universal Server products next week "to address certain potential vulnerabilities," according to a statement on its Web site posted Thursday. Server versions prior to Helix Universal Server (9.0.2.766) are not affected, RealNetworks said. A security expert has identified nine vulnerabilities in the Windows versions of the RealOne Player and RealPlayer. By encouraging the user to download a malformed file, an attacker could take over a user's computer. RealNetworks released a patch to fix three of the flaws late last month, but that patch was flawed. The company has been working on a new patch since then. RealNetworks stresses that it has received no reports of any attacks, but that it takes all potential vulnerabilities very seriously and continues to work with security professionals to verify and fix the "buffer overrun" errors. Mark Litchfield, a security researcher with Next Generation Security Software of Sutton, England, discovered the flaws in the RealNetworks software and first alerted the Seattle company in early November. Litchfield said on Thursday that he is no longer working on the issue with RealNetworks, but praised the company for its swift action, even if it took the company about a month to come with a patch. "Real has turned out to be one of the quickest vendors to patch their issues. Some of the large software vendors take up to a year to patch vulnerabilities," said Litchfield. Litchfield also identified three buffer overrun flaws in RealNetworks' Helix Universal Server media server product. The product is used by many to offer online streaming media. RealNetworks has already sent Litchfield a test version of the patch to fix the flaws in Helix Universal Server and that patch worked, he said. RealNetworks will post the media player update on a special page on its Web site: http://service.real.com/help/faq/sec...un_player.html The security information on Helix Universal Server is at: http://service.real.com/help/faq/security/ Joris Evers