US CERT Warns of RealPlayer Flaw
The US-CERT, the operational arm of the National Cyber Security Division at the Department of Homeland Security, first published its warning Wednesday. The warning came a day after Evageny Legerov, chief technology officer at the Russian security company Gleg, released its findings on the RealPlayer stack overflow vulnerability, which the company claims was detected during a plain source code audit. The exploit was written and published to the company's VulnDisco SA Program on Dec. 16, 2007.
The recently detected vulnerability affects the latest version 11 of RealPlayer, a comprehensive multimedia software program, running on Windows XP, according to Gleg. The security company posted a Flash demonstration of the error on its Web site, but so far has not released any technical details of the flaw.
Security researchers say that RealPlayer is a complex application with a history of errors. "It has had a lot of vulnerabilities in the past and will have a lot in the future," a Gleg spokesperson said via e-mail.
If exploited, the vulnerability could be used by attackers to either completely shut down or take control of an affected machine or network. So far, there are no reports of the exploit being loose and in the wild, security experts say.
RealPlayer representatives say they do not yet know what part of the program the vulnerability affects. The company also asserts that so far Gleg has not submitted any code or files for the company to test.
"Right now we're waiting to hear back from them to see what they will do," a RealPlayer spokesperson said. "As of this moment, nobody has seen the code."
Security experts say that individuals will still be able to use RealPlayer as before, but recommend that they install updated antivirus software, firewall and buffer overflow protection.
U.S. CERT did not immediately respond to calls from CRN.