
RealPlayer Flaws Trigger PC Hijack Alert

Filed under
Security

Digital-media delivery company RealNetworks on Thursday rolled out patches for four high-risk vulnerabilities in its flagship RealPlayer software, warning that the flaws put millions of users at risk of PC hijack attacks.

The Seattle, Wash.-based RealNetworks Inc. said the flaws can be exploited by remote attackers to execute arbitrary commands with the privileges of the logged-in user.

The company issued a high-risk alert and confirmed that all four flaws affect RealPlayer 10 and 10.5, RealOne Player versions 1 and 2, and RealPlayer 8.

RealPlayer Enterprise, the configurable version of RealPlayer designed for enterprise deployments, the Rhapsody 3 music service and the open-source Linux and Helix versions are also affected, the company warned.

The most serious of the four flaws lets an attacker craft a malicious MP3 file that, when opened, overwrites a local file or executes an ActiveX control on the vulnerable machine.

RealNetworks said a malicious RealMedia file that uses RealText could also trigger a heap overflow, which could allow an attacker to execute arbitrary code on the target machine.

A third vulnerability was described as a buffer-overflow error in the "vidplin.dll" file, which does not properly handle specially crafted AVI files. This could be exploited via malicious Web sites to execute arbitrary commands with the privileges of the logged-in user, RealNetworks said.
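The advisory gives no detail about the vidplin.dll bug beyond "crafted AVI file" and "buffer overflow", so the following is an added, hypothetical illustration of that bug class rather than RealNetworks' code: a RIFF/AVI chunk reader that trusts the length field in the file when copying into a fixed-size buffer, next to a hardened version that checks the length against both the destination size and the bytes actually present. The chunk bytes, the `PAYLOAD_MAX` size and the function names are constructed for the example.

```c
/* Hypothetical AVI/RIFF chunk reader showing the "trust the size field"
 * bug class. Not RealNetworks' vidplin.dll code; layout is simplified. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAYLOAD_MAX 64   /* fixed-size destination, assumed for the example */
#define CHUNK_HDR   8    /* RIFF chunk header: 4-byte FourCC + LE u32 size */

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the attacker-controlled size field drives memcpy
 * into a fixed buffer. A crafted chunk with size > PAYLOAD_MAX smashes
 * 'out' and whatever follows it. Only ever called on well-formed input here. */
size_t read_chunk_unchecked(const unsigned char *file, size_t file_len,
                            unsigned char out[PAYLOAD_MAX]) {
    if (file_len < CHUNK_HDR) return 0;
    uint32_t size = le32(file + 4);
    memcpy(out, file + CHUNK_HDR, size);   /* no bound on 'size' */
    return size;
}

/* Hardened: reject a size that exceeds the destination or the data that
 * is actually present. Returns 0 on success, negative on rejection. */
int read_chunk_checked(const unsigned char *file, size_t file_len,
                       unsigned char out[PAYLOAD_MAX], size_t *copied) {
    if (file_len < CHUNK_HDR) return -1;            /* truncated header */
    uint32_t size = le32(file + 4);
    if (size > PAYLOAD_MAX) return -2;              /* would overflow 'out' */
    if (size > file_len - CHUNK_HDR) return -3;     /* claims more than the file holds */
    memcpy(out, file + CHUNK_HDR, size);
    *copied = size;
    return 0;
}

/* Constructed sample inputs (not from any real file). */
static const unsigned char good_chunk[] = {
    'v','i','d','s', 0x04,0x00,0x00,0x00, 0xDE,0xAD,0xBE,0xEF };
static const unsigned char crafted_chunk[] = {           /* size = 0x1000, 4 bytes follow */
    'v','i','d','s', 0x00,0x10,0x00,0x00, 0xDE,0xAD,0xBE,0xEF };

int main(void) {
    unsigned char buf[PAYLOAD_MAX];
    size_t n = 0;
    printf("good chunk, checked:    rc=%d copied=%zu\n",
           read_chunk_checked(good_chunk, sizeof good_chunk, buf, &n), n);
    printf("crafted chunk, checked: rc=%d\n",
           read_chunk_checked(crafted_chunk, sizeof crafted_chunk, buf, &n));
    printf("good chunk, unchecked:  copied=%zu\n",
           read_chunk_unchecked(good_chunk, sizeof good_chunk, buf));
    return 0;
}
```

The second check matters as much as the first: a size that fits the buffer but exceeds the remaining file length turns into an out-of-bounds read, which is the same bug class from the other direction.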

The company said a fourth vulnerability could be combined with the default settings of earlier Internet Explorer versions: a malicious Web site creates a local HTML file, then triggers an RM file to play that references the local HTML file.

