Security Holes in RealPlayer, QuickTime

Researchers are warning of serious security holes in two popular digital
media players — RealNetworks’ RealOne and Apple’s QuickTime — that have put
millions of systems at risk.

The vulnerabilities, which are not related, affect the way the media
players read certain file types and could leave susceptible systems open to
intrusion.

RealNetworks confirmed the security hole in its
flagship media player, which has enjoyed widespread adoption among digital
media enthusiasts. Affected versions of the player include the RealOne
Player and RealOne Player v2 for Windows, RealPlayer 8 for Windows,
RealPlayer 8 for Mac OS 9, RealOne Player for Mac OS X, RealOne Enterprise
Desktop Manager and RealOne Enterprise Desktop.

The company said the Helix DNA Client was not affected by this
vulnerability.

In an advisory, RealNetworks warned that a hacker could create a
specifically corrupted Portable Network Graphics (PNG) file to cause heap
corruption.

A successful exploit of the flaw would allow an attacker to execute arbitrary
code on a user’s machine, the company cautioned, noting the vulnerability
was due to the use of an older, vulnerable version of a data-compression
library within the RealPix component of the Player.

“In addition to fixing the reported vulnerability, RealNetworks performed
a review of all of the RealOne Player source code to identify other areas
where this data-compression library is used. As a result of this review,
several additional Player components have also been fixed, and are included
in the provided updates,” the company said, urging users to immediately
install the updates to all the flawed media players.

Separately, security research firm iDefense warned of an exploitable
buffer overflow in QuickTime, the media player owned by Apple Computer.

An alert warned that a URL containing 400 characters will overrun the
allocated space on the stack, overwriting the saved instruction pointer (EIP)
and opening the door for an attacker to redirect the flow of control and
execute arbitrary code.

“Any remote attacker can compromise a target system if he or she can
convince a user to load a specially crafted exploit URL. Upon successful
exploitation, arbitrary code can be executed under the privileges of the
user who launched QuickTime,” the company said.

QuickTime Player versions 5.x and 6.0 for the Microsoft Windows platform
are vulnerable, but QuickTime for Mac OS did not contain the vulnerability,
iDefense said. Apple has released QuickTime 6.1, which patches the flaws.