Date: 21 May 2012
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0075
RealNetworks, Inc. Releases Update to Address Security Vulnerabilities.
21 May 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:              RealNetworks RealPlayer
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-2411 CVE-2012-2406 CVE-2012-1904
Member content until: Wednesday, June 20 2012

OVERVIEW

A number of vulnerabilities have been identified in Windows RealPlayer
15.0.3.37 and prior.

IMPACT

The vendor has provided the following information about the
vulnerabilities:

"CVE-2012-1904
RealPlayer - MP4 file handling memory corruption
Affected software: Windows RealPlayer 15.0.3.37 and prior.
Credit to Craig Young of nCircle for reporting this issue.

CVE-2012-2406
RealPlayer - RealMedia ASMRuleBook parsing can allow remote code execution
Affected software: Windows RealPlayer 15.0.3.37 and prior.
Credit to Tom Gallagher working with the Beyond Security's SecuriTeam Secure Disclosure for reporting this issue.

CVE-2012-2411
RealPlayer - RealJukebox Media parser buffer overrun
Affected software: Windows RealPlayer 15.0.3.37 and prior.
Credit to Sebastian Apelt for reporting this issue." [1]

MITIGATION

The vendor recommends updating to the latest version. [1]

REFERENCES

[1] RealNetworks, Inc. Releases Update to Address Security
    Vulnerabilities.
    http://service.real.com/realplayer/security/05152012_player/en/

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================