Wednesday, April 13, 2011

Security Alert (A11-04-03): Vulnerabilities in RealPlayer

Affected Systems:
  • RealPlayer 14.0.2 and prior
Summary:
Vulnerabilities have been identified in RealPlayer. One is a heap-based buffer overflow caused by improper bounds checking in the RealVideo Renderer plugin for RealMedia (rvrender.dll) when processing Internet Video Recording (IVR) files. Another is due to a flaw in the OpenURLInDefaultBrowser() method when processing RNX (".rnx") files. There are multiple attack vectors: a remote attacker may entice a user to open a specially crafted file or a web page with malicious content.
Impact:
Depending on the vulnerabilities exploited, a successful attack could lead to remote arbitrary code execution.
Recommendation:
The product vendor has released the following updated player to address the issues.
  • RealPlayer 14.0.3
Users of affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk. The update can be obtained by clicking "Check for Update" in the "Help->About RealPlayer" menu, or downloaded manually from the following URL:
  • http://hk.real.com/?mode=rp
DITSOs (or your delegates) are also requested to inform the relevant system administrators and end users as appropriate about this issue.
More Information:
More information about this issue is available at:
  • http://service.real.com/realplayer/security/04122011_player/en/
  • http://xforce.iss.net/xforce/xfdb/66209
  • http://secunia.com/advisories/43847
  • http://www.vupen.com/english/advisories/2011/0723
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1426
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1525
