Security Holes in RealPlayer, QuickTime

By Ryan Naraine

Researchers are warning of serious security holes in two popular digital media players -- RealNetworks' RealOne and Apple's QuickTime -- that have put millions of systems at risk.

The vulnerabilities, which are not related, affect the way the media players read certain file types and could leave susceptible systems open to intrusion.

RealNetworks confirmed the security hole in its flagship media player, which has enjoyed widespread adoption among digital media enthusiasts. Affected versions of the player include the RealOne Player and RealOne Player v2 for Windows, RealPlayer 8 for Windows, RealPlayer 8 for Mac OS 9, RealOne Player for Mac OS X, RealOne Enterprise Desktop Manager and RealOne Enterprise Desktop.

The company said the Helix DNA Client was not affected by this vulnerability.

In an advisory, RealNetworks warned that a hacker could create a specifically corrupted Portable Network Graphics (PNG) file to cause heap corruption.

A successful exploit of the flaw would allow an attacker to execute arbitrary code on a user's machine, the company cautioned, noting that the vulnerability was due to the use of an older, vulnerable version of a data-compression library within the RealPix component of the Player.

"In addition to fixing the reported vulnerability, RealNetworks performed a review of all of the RealOne Player source code to identify other areas where this data-compression library is used. As a result of this review, several additional Player components have also been fixed, and are included in the provided updates," the company said, urging users to immediately install the updates to all the flawed media players.

Separately, security research firm iDefense warned of an exploitable buffer overflow in QuickTime, the media player owned by Apple Computer.

An alert warned that a URL containing 400 characters will overrun the allocated space on the stack, overwriting the saved instruction pointer (EIP) and opening the door for an attacker to redirect the flow of control and execute arbitrary code.

"Any remote attacker can compromise a target system if he or she can convince a user to load a specially crafted exploit URL. Upon successful exploitation, arbitrary code can be executed under the privileges of the user who launched QuickTime," the company said.

QuickTime Player versions 5.x and 6.0 for the Microsoft Windows platform are vulnerable, but QuickTime for MacOS did not contain the vulnerability, iDefense said. Apple has released QuickTime 6.1, which patches the flaws.