April 2, 2003 12:07 PM PST

Holes found in RealPlayer, QuickTime

Just as streaming video and audio are hitting the mainstream, researchers have sounded the alarm about serious security holes in two popular digital media players.

The vulnerabilities have cropped up in RealNetworks' RealPlayer and Apple Computer's QuickTime. While unrelated, the weak spots could allow an intruder to execute damaging arbitrary code on a victim's computer. In both cases, updates are available to remedy the problem.

Security experts are increasingly concerned about hackers exploiting digital media players, which are designed to accept Web addresses and scripts--a key route for self-propagating, hostile code.

The current vulnerabilities come at a time when streaming content has gained momentum, providing news and entertainment to a growing number of people accessing the Internet via broadband connections.

RealNetworks has issued an advisory, warning that by creating a specifically corrupted Portable Network Graphics file, an attacker could cause "heap corruption." Doing so would allow the attacker to execute code on the victim's machine. The vulnerable software uses an older data-compression library within the RealPix component of the player, leaving the system vulnerable. The company said it has fixed the vulnerability by using an updated version of the data-compression library.

RealNetworks said it had not received any reports of anyone's computer actually being attacked via this exploit.

The vulnerability affected the following popular versions of its digital media players: RealOne Player, RealOne Player v2 for Windows, RealPlayer 8 for Windows, RealPlayer 8 for Mac OS 9, RealOne Player for Mac OS X, RealOne Enterprise Desktop Manager and RealOne Enterprise Desktop.

The Helix DNA Client was not affected, RealNetworks noted.

Meanwhile, security firm iDefense warned this week that it has discovered an exploitable buffer overflow vulnerability in Apple's QuickTime Player that could affect computers with Microsoft's Windows but not those with Apple's Macintosh OS.

Buffer overflows occur when an application receives more data than the memory it has set aside can hold and, as a result, writes the excess past the end of that space. By causing a buffer overflow, attackers can insert their own code into the execution of the application.

In this case, a URL containing 400 characters will overrun the allocated space on the system, allowing the attacker to assume control of the system, iDefense said. All the attacker needs to do is to convince a Web surfer to click on a specially crafted URL.
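As an added illustration that is not part of the original article or either vendor's code, here is the overlong-URL case described above, with an unchecked copy beside a bounds-checked one. The 256-byte buffer size, the function names and the sample URL are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define URL_BUF_SIZE 256 /* assumed; the article does not give the real size */

/* Unsafe pattern, shown for contrast and never called here: strcpy copies
 * until the NUL byte, so a 400-character URL writes past the end of dst. */
void store_url_unchecked(char *dst, const char *url) {
    strcpy(dst, url);
}

/* Hardened form: measure within the bound first, reject anything that does
 * not fit together with its terminator, and never truncate silently. */
int store_url_checked(char *dst, size_t dst_size, const char *url) {
    size_t len = 0;
    if (dst == NULL || dst_size == 0) return -1;
    if (url != NULL)
        while (len < dst_size && url[len] != '\0') len++;
    if (url == NULL || len == dst_size) {
        dst[0] = '\0';                   /* too long or missing: leave dst empty */
        return -1;
    }
    memcpy(dst, url, len + 1);           /* len + 1 <= dst_size is guaranteed */
    return 0;
}

/* Constructed sample input: a URL of exactly total_len characters. */
int make_padded_url(char *out, size_t out_size, size_t total_len) {
    const char *prefix = "http://media.example.invalid/";
    size_t plen = strlen(prefix);
    if (total_len < plen || total_len + 1 > out_size) return -1;
    memcpy(out, prefix, plen);
    memset(out + plen, 'a', total_len - plen);
    out[total_len] = '\0';
    return 0;
}

int main(void) {
    char buf[URL_BUF_SIZE], url[512];
    make_padded_url(url, sizeof url, 400);
    printf("400-char URL: %s\n",
           store_url_checked(buf, sizeof buf, url) ? "rejected" : "stored");
    make_padded_url(url, sizeof url, URL_BUF_SIZE - 1);
    printf("255-char URL: %s\n",
           store_url_checked(buf, sizeof buf, url) ? "rejected" : "stored");
    return 0;
}
```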

iDefense said that QuickTime Player versions 5.x and 6.0 for Windows are vulnerable. Apple recommended downloading its QuickTime 6.1, which addresses this vulnerability.
