=====================================================================
                            CERT-Renater

                 Information Note No. 2010/VULN518
_____________________________________________________________________

DATE                  : 13/12/2010

HARDWARE PLATFORM(S)  : /

OPERATING SYSTEM(S)   : Mac OS X, Windows, Linux running RealPlayer
                        versions prior to 14.0.1, Mac RealPlayer
                        versions prior to 12.0.0.1548, RealPlayer
                        Enterprise versions prior to 2.1.4, Linux
                        RealPlayer versions prior to 11.0.2.2315.

======================================================================
http://www.zerodayinitiative.com/advisories/ZDI-10-266
http://www.zerodayinitiative.com/advisories/ZDI-10-267
http://www.zerodayinitiative.com/advisories/ZDI-10-268
http://www.zerodayinitiative.com/advisories/ZDI-10-269
http://www.zerodayinitiative.com/advisories/ZDI-10-270
http://www.zerodayinitiative.com/advisories/ZDI-10-271
http://www.zerodayinitiative.com/advisories/ZDI-10-272
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
______________________________________________________________________

RealNetworks RealPlayer Multi-Rate Audio Remote Code Execution Vulnerability
ZDI-10-266: December 10th, 2010

CVE ID
CVE-2010-4375

CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

Affected Vendors
RealNetworks

Affected Products
RealPlayer

TippingPoint™ IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 8441.
For further product information on the TippingPoint IPS: http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists when parsing a RealMedia file containing a malformed multi-rate audio stream. The application explicitly trusts two 16-bit values in this data structure which are then used to calculate the size used for an allocation. When data is written to this allocated buffer, an overflow will occur which can lead to code execution under the context of the current user.

Vendor Response
RealNetworks has issued an update to correct this vulnerability. More details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/

Disclosure Timeline
2009-04-15 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
Anonymous
______________________________________________________________________

RealNetworks RealPlayer Advanced Audio Coding Remote Code Execution Vulnerability
ZDI-10-267: December 10th, 2010

CVE ID
CVE-2010-4395

CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

Affected Vendors
RealNetworks

Affected Products
RealPlayer

TippingPoint™ IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 10700. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks Real Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the application's implementation of the Advanced Audio Coding compression format. When decoding a conditional component of a data block within an AAC frame the application will decompress lossy audio sample data outside the bounds of a buffer. This memory corruption can lead to code execution under the context of the application.

Vendor Response
RealNetworks has issued an update to correct this vulnerability. More details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/

Disclosure Timeline
2010-11-09 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
Damian Put
______________________________________________________________________

RealNetworks RealPlayer Media Properties Header Parsing Remote Code Execution Vulnerability
ZDI-10-268: December 10th, 2010

CVE ID
CVE-2010-4384

CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

Affected Vendors
RealNetworks

Affected Products
RealPlayer

TippingPoint™ IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 6853. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists when parsing a RealMedia file containing a malformed Media Properties Header (MDPR). The application explicitly trusts an index in this data structure which is used to seek into an array of objects. If an attacker can allocate controlled data at some point after this array, the attacker can then get their fabricated object called, leading to code execution under the context of the current user.

Vendor Response
RealNetworks has issued an update to correct this vulnerability. More details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/

Disclosure Timeline
2009-02-24 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
Anonymous
Hossein Lotfi
______________________________________________________________________

RealNetworks RealPlayer AAC TIT2 Atom Integer Overflow Remote Code Execution Vulnerability
ZDI-10-269: December 10th, 2010

CVE ID
CVE-2010-4397

CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

Affected Vendors
RealNetworks

Affected Products
RealPlayer

TippingPoint™ IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 8279. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations of the RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists in RealPlayer's pnen3260.dll module while parsing the TIT2 atom within AAC files. The code within this module does not account for a negative size during an allocation and later uses the value as unsigned within a copy loop. Exploitation of this vulnerability allows an attacker to execute arbitrary code under the context of the user opening the AAC file.

Vendor Response
RealNetworks has issued an update to correct this vulnerability.
More details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/

Disclosure Timeline
2009-06-25 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
Anonymous
______________________________________________________________________

RealNetworks RealPlayer ICY Protocol StreamTitle Remote Code Execution Vulnerability
ZDI-10-270: December 10th, 2010

CVE ID
CVE-2010-2997

CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

Affected Vendors
RealNetworks

Affected Products
RealPlayer

TippingPoint™ IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 8344. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must open a malicious SHOUTcast Stream.

The specific flaw exists in the processing of the StreamTitle tag in a SHOUTcast stream using the ICY protocol. A specially crafted string supplied as the property for the title can result in a failed allocation of heap memory. This then causes the freeing of critical pointers that are subsequently used after freeing. Successful exploitation of this vulnerability can lead to system compromise under the credentials of the currently logged in user.

Vendor Response
RealNetworks has issued an update to correct this vulnerability.
More details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/

Disclosure Timeline
2009-06-25 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
Anonymous
______________________________________________________________________

RealNetworks RealPlayer RTSP GIF Parsing Remote Code Execution Vulnerability
ZDI-10-271: December 10th, 2010

CVE ID
CVE-2010-4376

CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

Affected Vendors
RealNetworks

Affected Products
RealPlayer

TippingPoint™ IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 8308. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious media file.

The specific flaw exists in the parsing of GIF87a files over the streaming protocol RTSP. When specifying a large Screen Width size in the Screen Descriptor header a calculation on the destination heap chunks size is improperly checked for overflow. This leads to a smaller buffer being allocated and subsequently a heap overflow when processing the received data. Exploitation of this vulnerability can lead to system compromise under the credentials of the currently logged in user.

Vendor Response
RealNetworks has issued an update to correct this vulnerability.
More details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/

Disclosure Timeline
2009-06-25 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
Anonymous
______________________________________________________________________

RealNetworks RealPlayer Cook Audio Codec Parsing Remote Code Execution Vulnerability
ZDI-10-272: December 10th, 2010

CVE ID
CVE-2010-4377

CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

Affected Vendors
RealNetworks

Affected Products
RealPlayer

TippingPoint™ IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 8454. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious media file.

The specific flaw exists in the parsing of audio codec information encapsulated in a Real Audio media file. While processing cook audio codec data the number of subbands is improperly calculated. By specifying a large number of subbands an allocated heap chunk can be overflowed. Successful exploitation can result in system compromise under the credentials of the currently logged in user.

Vendor Response
RealNetworks has issued an update to correct this vulnerability.
More details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/

Disclosure Timeline
2009-06-25 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
Anonymous
______________________________________________________________________

RealNetworks RealPlayer AAC MLLT Atom Parsing Remote Code Execution Vulnerability
ZDI-10-273: December 10th, 2010

CVE ID
CVE-2010-2999

CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

Affected Vendors
RealNetworks

Affected Products
RealPlayer

TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 8415. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists when parsing an .AAC file containing a malformed MLLT atom. The application utilizes a size specified in this data structure for allocation of a list of objects. To calculate the size for the allocation, the application will multiply this length by 8. If the multiplication results in a value greater than 32 bits an integer overflow will occur. When copying data into this buffer heap corruption will occur which can lead to code execution under the context of the currently logged in user.

Vendor Response
RealNetworks has issued an update to correct this vulnerability.
More details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/

Disclosure Timeline
2009-08-20 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
Anonymous
-------------------------------------------------------------------------------

RealNetworks RealPlayer RV20 Stream Parsing Remote Code Execution Vulnerability
ZDI-10-274: December 10th, 2010

CVE ID
CVE-2010-4378

CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

Affected Vendors
RealNetworks

Affected Products
RealPlayer

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists within the module responsible for decompressing RV20 video streams. The drv2.dll trusts a value from the file as a length and uses it within a copy loop that writes to heap memory. By specifying large enough values, heap memory can be corrupted which can lead to arbitrary code execution under the context of the user accessing the media file.

Vendor Response
RealNetworks has issued an update to correct this vulnerability.
More details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/

Disclosure Timeline
2010-01-06 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
Anonymous
-------------------------------------------------------------------------------

RealNetworks RealPlayer Cross-Zone Scripting Remote Code Execution Vulnerability
ZDI-10-275: December 10th, 2010

CVE ID
CVE-2010-4396

CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

Affected Vendors
RealNetworks

Affected Products
RealPlayer

TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 10589. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required in that a target must navigate to a malicious page.

The specific flaw exists within the HandleAction method of the RealPlayer ActiveX control with CLSID FDC7A535-4070-4B92-A0EA-D9994BCC0DC5. The vulnerable action that can be invoked via this control is NavigateToURL. If NavigateToURL can be pointed to a controlled file on the user's system, RealPlayer can be made to execute scripts in the Local Zone. To accomplish this, a malicious attacker can force a download of a skin file to a predictable location and then point NavigateToURL at it thus achieving remote code execution under the context of the user running RealPlayer.

Vendor Response
RealNetworks has issued an update to correct this vulnerability.
More details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/

Disclosure Timeline
2010-05-12 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
Anonymous
-------------------------------------------------------------------------------

RealNetworks RealPlayer Upsell.htm getqsval Remote Code Execution Vulnerability
ZDI-10-276: December 10th, 2010

CVE ID
CVE-2010-4388

CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

Affected Vendors
RealNetworks

Affected Products
RealPlayer

TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 10589. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the Upsell.htm component of the RealPlayer default installation. Due to a failure to properly sanitize user-supplied input, it is possible for an attacker to inject arbitrary code into the RealOneActiveXObject process via the getqsval function. This can be abused to bypass the Local Machine Zone security policy and load unsafe controls. Successful exploitation of this issue leads to remote code execution under the context of the RealPlayer application.

Vendor Response
RealNetworks has issued an update to correct this vulnerability.
More details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/

Disclosure Timeline
2010-06-30 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
Anonymous
-------------------------------------------------------------------------------

RealNetworks RealPlayer Main.html Remote Code Execution Vulnerability
ZDI-10-277: December 10th, 2010

CVE ID
CVE-2010-4388

CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

Affected Vendors
RealNetworks

Affected Products
RealPlayer

TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 10589. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the Main.html component of the RealPlayer default installation. Due to a failure to properly sanitize user-supplied input, it is possible for an attacker to inject arbitrary code into the RealOneActiveXObject process. This can be abused to bypass the Local Machine Zone security policy and load unsafe controls. Successful exploitation of this issue leads to remote code execution under the context of the RealPlayer application.

Vendor Response
RealNetworks has issued an update to correct this vulnerability.
More details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/

Disclosure Timeline
2010-07-20 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
Anonymous
-------------------------------------------------------------------------------

RealNetworks RealPlayer Custsupport.html Remote Code Execution Vulnerability
ZDI-10-278: December 10th, 2010

CVE ID
CVE-2010-4388

CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

Affected Vendors
RealNetworks

Affected Products
RealPlayer

TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 10589. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the Custsupport.html component of the RealPlayer default installation. Due to a failure to properly sanitize user-supplied input, it is possible for an attacker to inject arbitrary code into the RealOneActiveXObject process. This can be abused to bypass the Local Machine Zone security policy and load unsafe controls. Successful exploitation of this issue leads to remote code execution under the context of the RealPlayer application.

Vendor Response
RealNetworks has issued an update to correct this vulnerability.
More details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/

Disclosure Timeline
2010-07-20 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
Anonymous
-------------------------------------------------------------------------------

RealNetworks RealPlayer Cook Codec Initialization Remote Code Execution Vulnerability
ZDI-10-279: December 10th, 2010

CVE ID
CVE-2010-4389

CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

Affected Vendors
RealNetworks

Affected Products
RealPlayer

TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 10606. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within how the application parses cook-specific data used for initialization. The application will use a length in a copy without verifying whether it is larger than the destination buffer. Successful exploitation can lead to code execution under the context of the application.

Vendor Response
RealNetworks has issued an update to correct this vulnerability.
More details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/

Disclosure Timeline
2010-08-25 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
Damian Put
-------------------------------------------------------------------------------

RealNetworks RealPlayer ImageMap Remote Code Execution Vulnerability
ZDI-10-280: December 10th, 2010

CVE ID
CVE-2010-4392

CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

Affected Vendors
RealNetworks

Affected Products
RealPlayer

TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 10290. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within how the application decodes data for a particular mime type within a RealMedia file. When decoding the data used for rendering, the application will use the length of a string in an addition used to calculate the size of a buffer. The application will zero-extend it and then allocate. Due to the addition, the result of the calculation can be greater than 16-bits, and when the typecast occurs the result will be smaller than expected. When initializing this buffer, a buffer overflow will occur which can allow for code execution under the context of the application.

Vendor Response
RealNetworks has issued an update to correct this vulnerability.
More details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/

Disclosure Timeline
2010-08-25 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
Sebastian Apelt & Andreas Schmidt (www.siberas.de)
-------------------------------------------------------------------------------

RealNetworks RealPlayer RMX Header Remote Code Execution Vulnerability
ZDI-10-281: December 10th, 2010

CVE ID
CVE-2010-4391

CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

Affected Vendors
RealNetworks

Affected Products
RealPlayer

TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 10723. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the application's support for parsing the RMX file format. When parsing the format, the application will explicitly trust 32-bits in a field used in the header for the allocation of an array. This can cause a buffer to be under-allocated and will cause a buffer overflow when initializing the array. This can lead to code execution under the context of the application.

Vendor Response
RealNetworks has issued an update to correct this vulnerability.
More details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/

Disclosure Timeline
2010-08-25 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
Sebastian Apelt (www.siberas.de)
-------------------------------------------------------------------------------

RealNetworks RealPlayer RealPix Server Header Parsing Remote Code Execution Vulnerability
ZDI-10-282: December 10th, 2010

CVE ID
CVE-2010-4394

CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

Affected Vendors
RealNetworks

Affected Products
RealPlayer

TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 10717. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within RealPlayer's parsing of RealPix files. If such a file contains an image tag pointing to a remote server, the player will attempt to fetch the remote file. When parsing the response from the web server, the process blindly copies the contents of the Server header into a fixed length heap buffer. If an attacker provides a large enough string, critical pointers can be overwritten allowing for arbitrary code execution under the context of the user running the player.

Vendor Response
RealNetworks has issued an update to correct this vulnerability.
More details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/

Disclosure Timeline
2010-09-24 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
AbdulAziz Hariri
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
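
The allocation-size arithmetic described in ZDI-10-273 (MLLT length multiplied by 8 in 32 bits) and ZDI-10-280 (a length sum truncated to 16 bits before allocation), shown beside an overflow-checked form. This is an added example, not code from RealPlayer or from the advisories; the function names, the overhead value, the size limit and the payload-length bound are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ZDI-10-273 states that the MLLT length is multiplied by 8. */
#define MLLT_ENTRY_SIZE 8u

/* Unchecked form: the 32-bit product wraps modulo 2^32, so a huge
 * entry count yields a tiny allocation size. */
uint32_t mllt_size_unchecked(uint32_t count)
{
    return count * MLLT_ENTRY_SIZE;
}

/* Checked form: reject counts whose byte size does not fit in 32 bits.
 * Assumption (not from the advisory): the entries are read from the atom
 * payload, so the list can never be larger than the bytes that remain. */
bool mllt_size_checked(uint32_t count, size_t payload_left, uint32_t *out)
{
    if (count > UINT32_MAX / MLLT_ENTRY_SIZE)
        return false;                 /* product would overflow */
    uint32_t bytes = count * MLLT_ENTRY_SIZE;
    if (bytes > payload_left)
        return false;                 /* file cannot supply that many entries */
    *out = bytes;
    return true;
}

/* ZDI-10-280 pattern: string length plus a fixed overhead, narrowed to
 * 16 bits and then zero-extended for the allocator. The overhead is a
 * hypothetical parameter. */
uint32_t imagemap_size_unchecked(size_t str_len, size_t overhead)
{
    uint16_t narrowed = (uint16_t)(str_len + overhead); /* drops high bits */
    return (uint32_t)narrowed;                          /* zero-extension */
}

/* Checked form: do the addition at full width and compare against the
 * largest value the narrow field can hold before narrowing anything. */
bool imagemap_size_checked(size_t str_len, size_t overhead,
                           size_t limit, size_t *out)
{
    if (str_len > limit || overhead > limit - str_len)
        return false;
    *out = str_len + overhead;
    return true;
}

int main(void)
{
    /* Constructed sample values, chosen to sit just past each boundary. */
    uint32_t count = 0x20000001u;
    size_t len = 0xFFF8u, overhead = 0x10u;
    uint32_t m;
    size_t s;

    printf("MLLT count %u: unchecked size %u, checked %s\n",
           (unsigned)count, (unsigned)mllt_size_unchecked(count),
           mllt_size_checked(count, 4096, &m) ? "accepted" : "rejected");
    printf("ImageMap len %zu + %zu: unchecked size %u, checked %s\n",
           len, overhead, (unsigned)imagemap_size_unchecked(len, overhead),
           imagemap_size_checked(len, overhead, 0xFFFFu, &s)
               ? "accepted" : "rejected");
    return 0;
}
```

In both unchecked cases the computed size is 8 bytes while the parser still believes it has room for the original count or length, which is the under-allocation the advisories describe.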