
Security holes haunt RealPlayer

Filed under
Security

Real Networks has fixed four serious security vulnerabilities in its Real, Rhapsody and Helix media players.

Two of the security holes put users at risk of buffer overflow attacks just by playing a media file.

The first vulnerability uses the .avi movie file format to overwrite the heap memory of the PC playing the file, which in turn allows hackers to take control of the system.

The vulnerability can be triggered by a webpage containing a movie configured to start playing automatically, according to an advisory from eEye, the security consultancy that first reported the vulnerability. It ranks the severity as 'high'.

A hacker could also entice a user to play a movie by promising 'appealing' content.

The flaw affects most RealPlayer software for Windows as well as Rhapsody, which is used for Real's subscription music service.
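The page does not describe the mechanics of the .avi defect, so the following is an added illustration and not RealPlayer's code or the eEye finding: a RIFF/AVI chunk walker that rejects any chunk whose declared size exceeds the bytes actually present, the kind of check whose absence typically lets a media file overwrite heap memory. The sample buffers are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Minimal RIFF/AVI chunk walker. Each chunk is a 4-byte FourCC, a 4-byte
 * little-endian payload size, then the payload padded to an even length.
 * The size field comes straight from the file, so it is attacker data and
 * must be checked against the bytes present before it drives any copy. */
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the number of top-level chunks, or -1 if the file is malformed. */
int avi_count_chunks(const uint8_t *buf, size_t len) {
    /* RIFF header: "RIFF" <size> "AVI " */
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "AVI ", 4) != 0)
        return -1;
    uint32_t riff_size = rd_le32(buf + 4);   /* counts everything after byte 8 */
    if (riff_size < 4 || (size_t)riff_size > len - 8)
        return -1;
    size_t pos = 12, end = 8 + (size_t)riff_size;
    int count = 0;
    while (pos < end) {
        if (end - pos < 8) return -1;                  /* truncated chunk header */
        uint32_t csize = rd_le32(buf + pos + 4);
        pos += 8;
        /* An unchecked parser would memcpy(heap_buf, buf + pos, csize) here;
         * a csize larger than the real payload then writes past heap_buf. */
        if ((size_t)csize > end - pos) return -1;      /* declared size overruns data */
        pos += csize;
        if (csize & 1) {                               /* pad byte belongs to the chunk */
            if (pos == end) return -1;
            pos++;
        }
        count++;
    }
    return count;
}

/* Constructed sample inputs (hypothetical, not real RealPlayer test files). */
const uint8_t kGoodAvi[] = {
    'R','I','F','F', 26,0,0,0, 'A','V','I',' ',
    'J','U','N','K', 4,0,0,0, 'a','b','c','d',
    'i','d','x','1', 1,0,0,0, 'x', 0 };
/* Same file, but the JUNK chunk claims 0xFFFFFFF0 bytes of payload. */
const uint8_t kBadAvi[] = {
    'R','I','F','F', 26,0,0,0, 'A','V','I',' ',
    'J','U','N','K', 0xF0,0xFF,0xFF,0xFF, 'a','b','c','d',
    'i','d','x','1', 1,0,0,0, 'x', 0 };
```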

A similar attack method can be used to exploit another flaw in RealPlayer for OS X, Windows and Linux as well as the Helix Player for Linux.

The method exploits a flaw in RealText, a component of the RealMedia file format, which again allows a hacker to take over a system, security experts from iDefense warned in a security advisory.

Full Article.
