RealNetworks patch fails to fix media player flaws

A RealNetworks Inc. security patch for its media player software is flawed, leaving millions of users at risk of attacks, a security researcher said Wednesday.

RealNetworks last week posted a software update on its Web site to fix three security flaws in the Windows versions of the RealOne Player and RealPlayer. An attacker could take over a computer running the media player software by encouraging a user to download a malformed file, RealNetworks said in a security advisory posted on its Web site last week. [Please see RealNetworks patches flaw in media player software.]

However, the software patch “does not do its job,” said Mark Litchfield, a security researcher with Next Generation Security Software Ltd. of Sutton, England, who discovered the flaws.

It is still possible to cause a buffer overrun by making a couple of simple modifications to the attacks on the software, Litchfield said. He alerted RealNetworks and is now helping the Seattle company come up with a fix that plugs the security holes, he said.

In a buffer overrun attack, an attacker exploits an unchecked buffer in a program to load his own code onto a system and run that.

RealNetworks confirmed in a statement sent via e-mail Wednesday that Litchfield is looking at a new security fix and that this new fix should be posted “shortly.” The company said it takes all buffer overrun bugs seriously, but added that Litchfield “has not been able to demonstrate how to exploit the buffer overruns for malicious intent.”

Litchfield expects RealNetworks will release an updated patch in “a day or two.” He has tested several new patches, but all were flawed. “The third one last night had only one overflow, so I am hoping they will have a final patch out in the next two days or so,” said Litchfield.

The original patch was not offered to Litchfield for testing, although he did offer to do that when he originally told RealNetworks about the flaws on Nov. 1, he said.

The RealNetworks advisory is at: