
Security holes haunt RealPlayer

Filed under: Security

RealNetworks has fixed four serious security vulnerabilities in its RealPlayer, Rhapsody and Helix media players.

Two of the security holes expose users to buffer overflow attacks simply by playing a media file.

The first vulnerability is triggered by a malformed .avi movie file that overwrites heap memory on the victim's PC, which in turn lets an attacker take control of the system.

The vulnerability can be triggered by a web page containing a movie configured to start playing automatically, according to an advisory from eEye, the security consultancy that first reported the flaw. eEye rates the severity as 'high'.

A hacker could also entice a user to play a movie by promising 'appealing' content.

The flaw affects most RealPlayer software for Windows as well as Rhapsody, the player used for Real's subscription music service.

A similar attack method can be used to exploit another flaw that affects RealPlayer for OS X, Windows and Linux as well as the Helix Player for Linux.

That method exploits a flaw in the handling of RealText, a component of the RealMedia file format, which again lets an attacker take over a system, security researchers from iDefense warned in their advisory.
