RealPlayer Flaws Trigger PC Hijack Alert

Digital-media delivery company RealNetworks on Thursday rolled out patches for four high-risk vulnerabilities in its flagship RealPlayer software, warning that the flaws put millions of users at risk of PC hijack attacks.

The Seattle, Wash.-based RealNetworks Inc. said the flaws can be exploited by remote attackers to execute arbitrary commands with the privileges of the logged-in user.

The company issued a high-risk alert and confirmed that all four flaws affect RealPlayer 10 and 10.5, RealOne Player versions 1 and 2, and RealPlayer 8.

RealPlayer Enterprise, the configurable version of RealPlayer designed for enterprise deployments, the Rhapsody 3 music service and the open-source Linux and Helix versions are also affected, the company warned.

The most serious of the four flaws could allow an attacker to craft a malicious MP3 file that overwrites a local file or executes an ActiveX control on a vulnerable machine.

RealNetworks said a malicious RealMedia file that used RealText could also be used as an attack mechanism to cause a heap overflow. This could allow an attacker to execute arbitrary code on a target machine.

A third vulnerability was described as a buffer-overflow error in the "vidplin.dll" file, which does not properly handle specially crafted AVI files. This could be exploited via malicious Web sites to execute arbitrary commands with the privileges of the logged-in user, RealNetworks said.

The company said a fourth vulnerability could be combined with the default settings of earlier Internet Explorer browsers and exploited by a malicious Web site to create a local HTML file and then trigger an RM file to play, which would then reference the local HTML file.
