Linux RealPlayer Could Face Zero-Day Attack - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
News
News
9/27/2005
01:32 PM
50%
50%

Linux RealPlayer Could Face Zero-Day Attack

The Linux versions of the RealPlayer and Helix Player have a zero-day vulnerability that could allow attackers to execute commands remotely.

The Linux versions of RealNetworks' popular RealPlayer and Helix Player can be used by attackers to load malicious code onto systems, several security organizations reported Tuesday.

Both RealPlayer 10.x and Helix 1.x sport a zero-day vulnerability that could let a hacker execute commands remotely once he'd convinced the user to open a malformed .rp (realpix) or .rt (realtext) file. RealPix and RealText files are image slideshow and text-based displays (such as a scrolling ticker-style message) played by RealPlayer and Helix.

The most likely scenario: enticing users to a malicious Web site where duplicitous .rp or .rt files are used.

French security firm FrSIRT rates the Linux-only vulnerability as "critical" because exploit code has been published and a patch has not yet been posted by RealNetworks.

According to the researcher who discovered the vulnerability -- known only as "c0ntex" in the posting on the SecurityFocus mailing list -- RealNetworks was informed of the bug.

C0ntex, however, broke silence -- even putting up exploit code -- because he was worried someone else would beat him to it.

"Sadly though, it seems someone is trying to pinch my research, as such I have been forced to release this advisory sooner than hoped," he wrote. " Moral of the story, don't talk about personal research on IRC. Thank you plagiarizers."

The issue that vendors term "responsible disclosure" has been discussed endlessly, particularly by larger companies such as Microsoft, but to little avail; independent vulnerability researchers continue to publicly post information about bugs before fixes are in place.

In lieu of a patch, the only advice offered by security experts is to not play untrusted content with RealPlayer or Helix Player.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Slideshows
10 RPA Vendors to Watch
Jessica Davis, Senior Editor, Enterprise Apps,  8/20/2019
Commentary
Enterprise Guide to Digital Transformation
Cathleen Gagne, Managing Editor, InformationWeek,  8/13/2019
Slideshows
IT Careers: How to Get a Job as a Site Reliability Engineer
Cynthia Harvey, Freelance Journalist, InformationWeek,  7/31/2019
Register for InformationWeek Newsletters
Video
Current Issue
Data Science and AI in the Fast Lane
This IT Trend Report will help you gain insight into how quickly and dramatically data science is influencing how enterprises are managed and where they will derive business success. Read the report today!
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll