Critical vulnerability in RealPlayer eliminated

25th October 2007

RealNetworks gave a quick respond to Symantec`s report on detecting in the popular player RealPlayer a critical vulnerability.
RealNetworks has already released a patch for RealPlayer 10.5 and RealPlayer 11 Beta available for download on the company`s blog and on the updates service of RealNetworks products. Users of RealOne Player, RealOne Player 2 and 10 need to download player`s versions 10.5 or 11 beta and install the patch. The vulnerability does not affect owners of Macintosh and Linux, as well as RealPlayer 8 and older versions of the player.
Exploitation of vulnerability is possible due to an error in an ActiveX component, so Internet Explorer is required to perform an attack. The attack is carried out by the clipboard overflow, followed by an opportunity to launch a malicious code remotely. The found vulnerability occurred to be rather old: according to Symantec, it has been used several times for short attacks in the past two years. If you have no desire to install the update you can eliminate the vulnerability by disabling ActiveX in IE.