__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

RealNetworks Vulnerabilities
[07252008]

August 20, 2008 16:00 GMT                                       Number S-368
______________________________________________________________________________
PROBLEM:       RealPlayer contains a buffer overflow vulnerability that may
               allow an attacker to execute code on a vulnerable system.
PLATFORM:      Windows
                 RealPlayer 11 (11.0.0 - 11.0.2 builds 6.0.14.738 -
                   6.0.14.802)
                 RealPlayer 10.5 (6.0.12.1040-6.0.12.1663, 6.0.12.1698,
                   6.0.12.1741)
                 RealPlayer 10
                 RealPlayer Enterprise
               MAC
                 Mac RealPlayer 10.1 (10.0.0.396 - 10.0.0.503)
                 Mac RealPlayer 10 (10.0.0.305 - 352)
               Linux
                 Linux RealPlayer 10
DAMAGE:        Execute arbitrary code.
SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. By convincing a user to visit a website, a
ASSESSMENT:    remote attacker may be able to execute arbitrary code.
______________________________________________________________________________
CVSS 2         BASE SCORE:      7.5
               TEMPORAL SCORE:  6.2
               VECTOR:          (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C)
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-368.shtml
 ORIGINAL BULLETIN:  http://service.real.com/realplayer/security/07252008_player/en/
 ADDITIONAL LINKS:   http://www.zerodayinitiative.com/advisories/ZDI-08-046/
                     http://www.kb.cert.org/vuls/id/298651
                     http://www.kb.cert.org/vuls/id/461187
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5400
______________________________________________________________________________
[***** Start 07252008 *****]

RealNetworks, Inc. Releases Update to Address Security Vulnerabilities.

Updated August 14, 2008

RealNetworks is making available product upgrades that contain security bug
fixes.

RealNetworks is updating the RealPlayer 11 build (11.0.3) announced on
July 25th to include components for localized versions of the release that
were not included in the original update. The new build, known as RealPlayer
11.0.3a, should be installed for any non-U.S. English versions of
RealPlayer 11. RealPlayer 11.0.3 of the U.S. language version did address all
security bug fixes as intended from the July 25th post.

RealNetworks recommends that if you have installed a product version listed
in the table below, you upgrade your product to the current version of the
product.

Affected Software: (Please see below for details of potential
vulnerabilities).

Windows

Software                                   Affected?  Language       Update
                                                                     Needed?
RealPlayer 11 (Version 11.0.3 build
  6.0.14.806 for US-EN and version
  11.0.3a for all others)                  No         All Supported  No
RealPlayer 11 (11.0.0 - 11.0.2 builds
  6.0.14.738 - 6.0.14.802)                 By #1      All Supported  Yes
RealPlayer 10.5 (6.0.12.1675) *            No         All Supported  No
RealPlayer 10.5 (6.0.12.1040-6.0.12.1663,
  6.0.12.1698, 6.0.12.1741)                By all     All Supported  Yes
RealPlayer 10                              By all     All Supported  Yes
RealPlayer Enterprise                      By all     English        Yes

Note: To see your Player version number (6.0.x.xxxx), select Help > About in
the RealPlayer menu.

* due to Windows Vista compatibility issues, version numbers are now not
sequential for RealPlayer 10.5

Software                                   Affected?  Language       Update
                                                                     Needed?
Rhapsody 4                                 No         All Supported  No

Note: To see your Rhapsody version number (build 0.xxx), select Help > About
in the Rhapsody menu.

Mac

Software                                   Affected?  Language       Update
                                                                     Needed?
Mac RealPlayer 11                          No         All Supported  No
Mac RealPlayer 10.1
  (10.0.0.396 - 10.0.0.503)                By #3      All Supported  Yes
Mac RealPlayer 10 (10.0.0.305 - 352)       By #3      All Supported  Yes

Note: To see your Player version number (10.0.0.xxx), select About in the
RealPlayer menu.

Linux

Software                                   Affected?  Language       Update
                                                                     Needed?
Linux RealPlayer 11                        No         All Provided   No
Helix Player (11.*)                        No         All Provided   No
Linux RealPlayer 10                        By #3      All Provided   Yes
Helix Player (10.*)                        No         All Provided   No

Note: To see your Player version number (10.0.0.xxx), select Help > About in
the RealPlayer menu.

Handheld Devices

Software                                   Affected?  Language       Update
                                                                     Needed?
Nokia Series60 Handsets                    No         English        No
RealPlayer for Palm                        No         English        No
RealOne Player for Palm                    No         English        No

Instructions

Windows Players:

If you are on Windows XP or Vista, please click here to download
RealPlayer 11 from the web.

If you are on Windows 2000, Windows ME or Windows 98SE, you may get the
security updates in the most recent version of RealPlayer 10.5 by following
the instructions below.

RealOne Player (English only), RealOne Player V2, RealPlayer 10 and
RealPlayer 10.5 customers require a full download to correct this issue.
Please use the following steps to upgrade your Player:

  1. In the Tools menu select Check for Update.
  2. Select the box next to the "RealPlayer 10.5 with Harmony Technology"
     component. Click Install to download and install the update.

RealPlayer 8 (version 6.0.9.584) customers please use the following steps to
upgrade your Player:

  1. Go to the Help menu.
  2. Select Check for Update.
  3. Select the box next to the "RealPlayer 10.5 with Harmony Technology"
     component.
  4. Click Install to download and install the update.

RealPlayer Enterprise Solution:

"RealPlayer Enterprise product updates are available on your PAM site. For
additional information regarding RealPlayer Enterprise please click here."

RealPlayer for Mac OS X:

RealPlayer 10 for Mac OS X customers need to get the latest player to address
this security issue. Please click here to upgrade your RealPlayer 11.

Linux Players:

Please click here to get an updated RealPlayer 11 for Linux.

Details for Potential Vulnerabilities:

Vulnerability 1: The identified vulnerability is a RealPlayer ActiveX
controls property heap memory corruption.
CVE-2008-1309

Vulnerability 2: The identified vulnerability is a Local resource reference
vulnerability in RealPlayer.
CVE-2008-3064

Vulnerability 3: The identified vulnerability is a RealPlayer SWF file
heap-based buffer overflow.
CVE-2007-5400

Vulnerability 4: The identified vulnerability is a RealPlayer ActiveX import
method buffer overflow.
CVE-2008-3066

Acknowledgements:

RealNetworks would like to acknowledge Dyon Balding, Elazar Broad, CERT/CC,
Haifei Li and Peter Vreugdenhil working with TippingPoint for bringing these
exploits to our attention as well as those who subsequently worked with
RealNetworks to correct the vulnerabilities.

Warranty:

RealNetworks Inc. endeavors to provide you with the highest quality products
and services, but cannot guarantee, and does not warrant, that the operation
of any RealNetworks product will be error-free, uninterrupted or secure.
Please see your original license agreement for details of our limited
warranty or warranty disclaimer.

[***** End 07252008 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of RealNetworks, Inc. for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.

CIAC can be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-213: Nukedit 'email' Parameter Vulnerability
S-214: SurgeMail and WebMail 'Page' Command Vulnerability
S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities
S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability
S-217: Drupal Multiple HTML Vulnerabilities
S-218: gd Security Update
S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability
S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability
S-221: Learn2 STRunner ActiveX Control Vulnerabilities
S-222: Evolution Security Update
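
Added example (not part of the CIAC or RealNetworks text): a triage check for the Windows rows of the Affected Software table. It shows why the bulletin's note about non-sequential RealPlayer 10.5 version numbers matters: a "fixed build or newer" comparison marks the affected builds 6.0.12.1698 and 6.0.12.1741 as patched. Function names and the sample inventory are assumptions made for illustration.

```python
# Added example: triage RealPlayer for Windows builds against the bulletin's
# Affected Software table. Function names are hypothetical.

def parse_build(text):
    """Turn '6.0.12.1675' into (6, 0, 12, 1675) for numeric comparison."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a 4-part build number: {text!r}")
    return tuple(int(p) for p in parts)

# (low, high, product, affected-by) copied from the Windows rows of the table.
AFFECTED = [
    ("6.0.14.738", "6.0.14.802", "RealPlayer 11", "#1"),
    ("6.0.12.1040", "6.0.12.1663", "RealPlayer 10.5", "all"),
    ("6.0.12.1698", "6.0.12.1698", "RealPlayer 10.5", "all"),
    ("6.0.12.1741", "6.0.12.1741", "RealPlayer 10.5", "all"),
]
# Builds the table lists as not affected.
FIXED = {"6.0.14.806": "RealPlayer 11", "6.0.12.1675": "RealPlayer 10.5"}

def triage(build_text):
    """Return (status, product, affected_by) for one Windows build string."""
    build = parse_build(build_text)
    for low, high, product, by in AFFECTED:
        if parse_build(low) <= build <= parse_build(high):
            return ("update-needed", product, by)
    for fixed, product in FIXED.items():
        if build == parse_build(fixed):
            return ("not-affected", product, None)
    # Builds the table does not mention are reported, never guessed.
    return ("not-listed", None, None)

def naive_is_patched(build_text, fixed="6.0.12.1675"):
    """The tempting shortcut: 'at or above the fixed build means patched'."""
    return parse_build(build_text) >= parse_build(fixed)

if __name__ == "__main__":
    # Constructed inventory sample, not data from the bulletin.
    for b in ["6.0.14.802", "6.0.14.806", "6.0.12.1675",
              "6.0.12.1741", "6.0.12.1700"]:
        print(b, triage(b), "naive_patched =", naive_is_patched(b))
```

Builds reported as "not-listed" (for example the localized 11.0.3a build, whose build number the bulletin does not give) need a manual check against Help > About.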