Real Reveals Six New Bugs in RealPlayer

For the second time in eight days, new critical vulnerabilities that could be used to hijack machines have been fingered in the RealPlayer media player. The patched editions released last Friday for Windows, however, are not vulnerable to the half-dozen bugs, RealNetworks Inc. said.

Hard on the heels of the revelation that RealPlayer sported a major flaw and that the bug had been exploited by hackers who had compromised an ad server owned by 24/7 Real Media to spread malware to visitors of legitimate, trusted Web sites, Seattle-based RealNetworks Thursday posted information about the latest vulnerabilities.

All six bugs involve RealPlayer's problems parsing file formats and could be exploited by hackers who first crafted malicious files, then duped users into either opening those rigged files when they received them as e-mail attachments or visiting an attack site that hosted such files. Among the file types: .mov, .mp3, .rm, SMIL, .swf, .ram and .pl.

"Attackers can exploit these issues to execute arbitrary code in the context of RealPlayer," Symantec Corp. said in an alert Friday. "Successful attacks can compromise the application and the underlying computer."

RealNetworks said that the most up-to-date Windows editions of RealPlayer 10.5 and beta Version 11 are immune to the attacks. Those versions were released last Friday when RealNetworks fixed a flaw in an ActiveX control it installed on systems running Internet Explorer. At least one of the newest flaws can also be traced to the ActiveX control.

Unlike last week's problem, however, four of the six vulnerabilities disclosed Thursday also can be exploited on Mac and Linux machines that have RealPlayer installed. Updated editions are also available for those operating systems, with links available from the security bulletin RealNetworks posted on its site.

Copenhagen-based vulnerability tracker Secunia ApS rated the six just-revealed RealPlayer bugs collectively as "highly critical," the second-highest mark it gives. Symantec rated the bugs separately, with at least one pegged as 8.5 out of a possible 10. But RealNetworks downplayed the risk. "We have received no reports of any machines actually compromised as a result of the now-remedied vulnerabilities," the company claimed.

It can't say the same for last week's vulnerability, which was used by unknown attackers to plant a Trojan horse on PCs whose owners had visited supposedly safe Web sites. The hackers had previously hijacked an ad server operated by Internet advertising company 24/7 Real Media Inc., then infected valid ads that 24/7 served to legitimate sites. When users viewed a page with an infected ad, their Internet Explorer browser was silently redirected to a malicious page from which the Trojan was downloaded and installed.

Although Symantec posted a detailed analysis of the RealPlayer vulnerability and the use of the compromised ad server, 24/7 Real Media has not responded to repeated e-mails this week seeking comment.