RealNetworks (RealPlayer/RealOne/Helix Player/Rhapsody) Vulnerabilities

Today I set my sights on yet another helpless browser plugin and its potential to cause security problems. As with the other plugin problems, these are generally cross-platform vulnerabilities.

CVE-2006-1370 is a buffer overflow in mimio boardcast (MBC) files.

CVE-2006-0323 is a buffer overflow and is a little ironic, as it's actually a vulnerability related to the creation of malicious Flash (.swf) files.

CVE-2005-2922 describes multiple conditions in which malicious servers can respond with chunked HTTP responses which can cause the client to crash or possibly execute code.

CVE-2005-2710 covers format string vulnerabilities which can occur via 2 fields in two file types (.rp & .rt).

CVE-2005-0755 is a heap overflow in .ram files.

CVE-2005-0455 is another stack-based buffer overflow via .smil files.

So you can see that the types of overflows definitely run the gamut. See the specific CVE pages if you would like links to the advisories or the vendor response. However, I should say that RealNetworks' responses generally include little or no useful information beyond what is already in the advisories, other than "Here's the patch."

While there have been other vulnerabilities in these products, I mainly wanted to highlight the ones which could cause execution of malicious code without user interaction (you can find the rest by typing "RealPlayer" into the search box at the bottom of any CVE entry). Obviously, a client vulnerability that can be exploited by tricking a user into opening a malicious standalone file, or that can cause a crash, is still a problem. We anticipate that future versions of honeyclients will incorporate tests for crash conditions as well as for simple file download & execution. These tests will help expand detection capabilities to include situations which normal users might encounter.