LONDON (02/05/2004) - Media player Real Player -- one of the most used pieces of software on the Internet -- has been struck by several highly critical vulnerabilities that could allow a malicious user system access to your PC.
Jouko Pynnönen and Mark Litchfield of NGSSoftware have discovered that by creating altered media and Real Media files (with the file extensions .rp, .rt, .ram, .rpm and .smil) it is possible to cause a buffer overflow and run code on the user's PC.
All the user would have to do is click on the link and the file's author would be able to run whatever program they liked on the host PC. This is not good.
Thankfully, the discoverers informed Real and kept schtum until the company had produced a patch, which was made available today. The issue affects virtually all the company's players including RealPlayer 8, RealPlayer 10, RealOne Player v1, RealOne Player v2 and RealOne Enterprise Desktop.
It is strongly advised, therefore, that anyone with a Real Player click on the Tools menu and "Check for Update" to download the necessary patches. The problem though - as ever - is how many people will, how long it will take them and how much trouble can be created in the meantime.
A huge percentage of Real users make sure that automatic updating is turned off due to the company's constant efforts to get them to upgrade to a pay-for version of the player. Even if the update check is run, the 9MB update to fix the vulnerabilities is not very clearly flagged and doesn't appear to be very important. Real, it seems, still has much to learn about how to deal with security holes.