TUCoPS :: Web :: General :: n-066.txt

RealPlayer PNG Deflate Heap Corruption Vulnerability (CIAC N-066)


                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___

                             INFORMATION BULLETIN

              RealPlayer PNG Deflate Heap Corruption Vulnerability
                 [RealNetworks Security Update March 27, 2003]

March 28, 2003 20:00 GMT                                          Number N-066
PROBLEM:       A vulnerability has been found in the way that ealPlayer 
               decompresses PNG (Portable Network Graphics) files. 
SOFTWARE:      * RealOne Player and RealOne Player v2 for Windows 
                 (all language versions)
               * RealPlayer 8 for Windows (all language versions) 
               * RealPlayer 8 for Mac OS 9 
               * RealOne Player for Mac OS X  
               * RealOne Enterprise Desktop Manager 
	       * RealOne Enterprise Desktop (all versions) 
DAMAGE:        If exploited, this vulnerability allows an attacker to execute 
               arbitrary code and obtain a remote command shell with those 
               privileges of the user running RealPlayer. 
SOLUTION:      Apply updates as stated in RealNetworks Security Update 
VULNERABILITY  The risk is HIGH. RealPlayer is a popular program installed on 
ASSESSMENT:    most operating systems for live video and audio feeds over the 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-066.shtml 
 ORIGINAL BULLETIN:                                                           
 ADDITIONAL LINKS:   http://www.securityfocus.com/advisories/5187 

[***** Start RealNetworks Security Update March 27, 2003 *****]

RealNetworks Releases Security Update to Address RealOne Player, RealPlayer 
Security Vulnerabilities.

Updated March 27, 2003 

On March 7, 2003, a security exploit affecting RealOne Player and RealPlayer 8 
was brought to the attention of RealNetworks. 

The specific exploit was:

* By creating a specifically corrupted PNG (Portable Network Graphics) file, 
  it is possible to cause heap corruption to occur, allowing an attacker to 
  execute arbitrary code on a user's machine.

While we have not received reports of anyone actually being attacked with this 
exploit, all security vulnerabilities are taken very seriously by RealNetworks. 
RealNetworks has found and fixed the problem.

This vulnerability was due to the usage of an older, vulnerable version of a 
data-compression library within the RealPix component of the Player. The 
vulnerability was fixed by using an updated (non-vulnerable) version of this 
data-compression library in RealPix.

In addition to fixing the reported vulnerability, RealNetworks performed a 
review of all of the RealOne Player source code to identify other areas where 
this data-compression library is used. As a result of this review, several 
additional Player components have also been fixed, and are included in the 
provided updates.

Affected Software:

RealOne Player and RealOne Player v2 for Windows (all language versions), 
RealPlayer 8 for Windows (all language versions), RealPlayer 8 for Mac OS 9, 
RealOne Player for Mac OS X, RealOne Enterprise Desktop Manager and 
RealOne Enterprise Desktop (all versions). 

The Helix DNA Client is not affected by this vulnerability.

To ensure that your Player is protected, we recommend installing the updates 


Windows Players:
Please use the following steps to update your RealOne Player and RealPlayer8:
    * RealOne Player (, RealOne Player version 2 (

1. Go to the Tools menu. 
2. Select "Check for Update". 
3. Select the box next to the "Security Update - March 2003" component. 
4. Click the Install button to download and install the update. 

   * RealPlayer 8 (version

1. Go to the Help menu. 
2. Select "Check for Update". 
3. Select the box next to the  "Security Update - March 2003" component. 
4. Click the Install button to download and install the update. 

RealOne Player for OS X:
Please go to http://forms.real.com/real/realone/mac.html to download an 
updated RealOne Player. 

RealPlayer 8 for MacOS 9 (version
Please click here to download the update archive, and then follow these 
steps to install the updated components:

1. Decompress the update archive using Stuffit Expander. 
2. Close (quit) the RealPlayer if currently running.
3. Copy the following update files from the archive

	* pxpf60.dll 
	* pxpr60.dll 
	* pxgr60.dll 
	* pxcpng60.dll
	* httpfsys60.dll 
	* swfrend60.dll 

to the System Folder:Application Support:Real:Plugins folder, which can be 
opened through the following -

	* Open the System Folder 
	* Open the Application Support folder within the System Folder
	* Open the Real folder within the Application Support folder
	* Open the Plugins folder with the Real folder 

4. Select "Okay" when asked to replace older items with the same names.

RealOne Enterprise Products:
  Updates for the RealOne Desktop Manager and RealOne Enterprise Desktop will 
  be available within the next week. This page will be updated at that time to 
  include the appropriate links. 

Other Player versions:
  Users of other versions of the Player, including

	* RealOne Player version 2 (versions thru 
	* RealPlayer 8 (prior to version, 
	* RealPlayer 7, and 
	* RealPlayer G2 
are strongly encouraged to first upgrade to the newest version of the RealOne 
Player, and then follow the above security update instructions.

   The vulnerabilities were discovered with the help of Carlos Sarraute and 
   Juliano Rizzo of Core Security Technologies. 

While RealNetworks endeavors to provide you with the highest quality products 
and services, we cannot guarantee and do not warrant that the operation of 
any RealNetworks product will be error-free, uninterrupted or secure. See 
your original license agreement for details of our limited warranty or 
warranty disclaimer. 

[***** End RealNetworks Security Update March 27, 2003 *****]


CIAC wishes to acknowledge the contributions of RealNetworks, SecurityFocus, 
and CORE Security Technologies for the information contained in this bulletin.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-056: Red Hat Updated 2.4 Kernel Fix for ptrace Vulnerability
N-057: Cryptographic weaknesses in Kerberos v4 protocol
N-058: Vulnerabilities in Webmin/Usermin
N-059: Integer overflow in Sun RPC XDR library routines
N-060: Vulnerabilities in Tomcat 3.3.1
N-061: OpenSSL Timing-based Attacks on RSA Keys
N-062: MIT krb5 Buffer overrun and underrun in Principal Name Handling
N-063: Microsoft Windows Script Engine Vulnerability
N-064: Sun Buffer Overflow in Web Connector Module of Application Server
N-065: Multiple Vulnerabilities in Lotus Notes and Domino

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH