# RealOne Player / RealPlayer / Helix Player Multiple Vulnerabilities (Highly critical)



## jgvernonco (Sep 13, 2003)

RealOne Player / RealPlayer / Helix Player Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA12672

VERIFY ADVISORY:
http://secunia.com/advisories/12672/

CRITICAL:
Highly critical

IMPACT:
Manipulation of data, System access

WHERE:
From remote

SOFTWARE:
RealPlayer 8
http://secunia.com/product/665/
RealPlayer 10
http://secunia.com/product/2968/
RealOne Player v2
http://secunia.com/product/2378/
RealOne Player v1
http://secunia.com/product/666/
Helix Player 1.x
http://secunia.com/product/3970/
RealPlayer Enterprise
http://secunia.com/product/3342/

DESCRIPTION:
Multiple vulnerabilities have been reported in RealOne Player,
RealPlayer, and Helix Player, which can be exploited by malicious
people to compromise a user's system and delete files.

1) An unspecified error when running local RM files can potentially
be exploited to execute arbitrary code.

The vulnerability has been reported in:
* RealPlayer 8 / 10 / 10.5 Beta (6.0.12.1016) / 10.5 (6.0.12.1040) /
Enterprise on Windows
* RealOne Player v1, v2 on Windows
* Mac RealPlayer 10 Beta and Mac RealOne Player
* Linux RealPlayer 10 and Helix Player on Linux

2) A problem with malformed calls can be exploited to execute
arbitrary code by embedding the player on a malicious website and
making specially crafted calls.

The vulnerability has been reported in RealPlayer 10 / 10.5 Beta
(6.0.12.1016) / 10.5 (6.0.12.1040) and RealOne Player v1, v2 on
Windows.

3) An unspecified error allows malicious websites and media files to
delete arbitrary local files.

The vulnerability has been reported in RealPlayer 10 / 10.5 Beta
(6.0.12.1016) / 10.5 (6.0.12.1040) and RealOne Player v1, v2 on
Windows.

SOLUTION:
Apply updates (see the original vendor advisory).

PROVIDED AND/OR DISCOVERED BY:
John Heasman and Marc Maiffret.

ORIGINAL ADVISORY:
http://www.service.real.com/help/faq/security/040928_player/EN/



