The Linux versions of the RealPlayer and Helix Player have a zero-day vulnerability that could allow attackers to execute commands remotely.
The Linux versions of RealNetworks' popular RealPlayer and Helix Player can be used by attackers to load malicious code onto systems, several security organizations reported Tuesday.
Both RealPlayer 10.x and Helix 1.x sport a zero-day vulnerability that could let a hacker execute commands remotely once he'd convinced the user to open a malformed .rp (realpix) or .rt (realtext) file. RealPix and RealText files are image slideshow and text-based displays (such as a scrolling ticker-style message) played by RealPlayer and Helix.
The most likely scenario: enticing users to a malicious Web site where duplicitous .rp or .rt files are used.
French security firm FrSIRT rates the Linux-only vulnerability as "critical" because exploit code has been published and a patch has not yet been posted by RealNetworks.
According to the researcher who discovered the vulnerability -- known only as "c0ntex" in the posting on the SecurityFocus mailing list -- RealNetworks was informed of the bug.
C0ntex, however, broke silence -- even putting up exploit code -- because he was worried someone else would beat him to it.
"Sadly though, it seems someone is trying to pinch my research, as such I have been forced to release this advisory sooner than hoped," he wrote. " Moral of the story, don't talk about personal research on IRC. Thank you plagiarizers."
The issue that vendors term "responsible disclosure" has been discussed endlessly, particularly by larger companies such as Microsoft, but to little avail; independent vulnerability researchers continue to publicly post information about bugs before fixes are in place.
In lieu of a patch, the only advice offered by security experts is to not play untrusted content with RealPlayer or Helix Player.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.