__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                            RealPlayer Vulnerability
                  [RealNetworks, Inc. October 26, 2004 Update]

October 27, 2004 18:00 GMT                                        Number P-023
______________________________________________________________________________
PROBLEM:       A vulnerability was discovered in RealNetworks Real Player for 
               Windows platform. The vulnerability involves using a 
               third-party skin file. Skins are colorful, customized and 
               interchangeable sets of graphics, which allow users to 
               continually change the look of an application such as 
               RealPlayer. 
PLATFORM:      Windows: RealPlayer 10.5 (6.0.12.1056), 
                                   10.5 (6.0.12.1053), 
                                   10.5 (6.0.12.1040), 
                                   10.5 Beta (6.0.12.1016), 
                        RealPlayer 10, 
                        RealOne Player v2, 
                        RealOne Player v1 
               (RealPlayer for Mac, Linux and handheld devices are not affected) 
DAMAGE:        A buffer overrun may occur in a third-party compression 
               library, DUNZIP32.DLL. Skin files from RealNetworks' site are 
               carefully examined before posting for viruses and exploits. To 
               exploit this vulnerability, a user must download a skin file 
               from a malicious website. 
SOLUTION:      Install the available security update. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. If a remote intruder can coerce a user to 
ASSESSMENT:    install a malicious skin file he can execute arbitrary code as 
               the user. Skin files obtained directly from RealNetworks have 
               been checked for malicious code. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-023.shtml 
 ORIGINAL BULLETIN:  http://www.service.real.com/help/faq/security/041026_player/EN/ 
______________________________________________________________________________
[***** Start RealNetworks, Inc. October 26, 2004 Update *****]

RealNetworks, Inc. Releases Update to Address Security Vulnerabilities.

Updated October 26, 2004

RealNetworks, Inc. has addressed a recently discovered security vulnerability 
that offered the potential for an attacker to run arbitrary or malicious code 
on a customer's machine. RealNetworks has received no reports of machines 
compromised as a result of the now-remedied vulnerability. RealNetworks takes 
all security vulnerabilities very seriously.

The specific exploit was:

    * To fashion a malicious skin file to cause a buffer overflow which could 
      have allowed an attacker to execute arbitrary code on a customer's machine. 
      The buffer overrun was designed to occur in a 3rd-party compression library, 
      DUNZIP32.DLL.

      Skins files from RealNetworks' site are carefully examined before posting 
      for viruses and exploits.

Affected Software:

    Windows
    Software 	                  Affected? 	Language 	Update Available?
    RealPlayer 10.5 (6.0.12.1056) 	No 	All Supported 	Not required
    RealPlayer 10.5 (6.0.12.1053) 	Yes 	All Supported 	Yes
    RealPlayer 10.5 (6.0.12.1040) 	Yes 	English 	Yes
    RealPlayer 10.5 Beta (6.0.12.1016) 	Yes 	English 	Requires upgrade
    RealPlayer 10 	                Yes 	All Supported 	Yes
    RealOne Player v2 	                Yes 	All Supported 	Yes
    RealOne Player v1 	                Yes 	English 	Requires upgrade
    RealPlayer 8 	                No 	All Supported 	Not required
    RealPlayer Enterprise 	        No 	English 	Not required

    Note: To see your Player version number (6.0.12.xxxx), select Help > 
          About in the Player menus.

    Mac
    Software 	              Affected? 	Language 	Update Available?
    Mac RealPlayer 10 	         No 	    All Supported       Not required
    Mac RealPlayer 10 Beta 	 No 	    English 	        Not required
    Mac RealOne Player 	         No 	    English 	        Not required

    Linux
    Software 	             Affected? 	Language 	Update Available?
    Linux RealPlayer 10 	No 	English 	Not required
    Helix Player 	        No 	English 	Not required

    Handheld Devices
    Software 	               Affected?  Language 	Update Available?
    Nokia Series60 Handsets 	No 	  English 	Not Required
    Helix Player for Symbian 	No 	  English 	Not Required
    RealPlayer for Palm 	No 	  English 	Not Required
    RealOne Player for Palm 	No 	  English 	Not Required


Workaround:

    To ensure that your Player is protected, we recommend installing the 
    available updates.


UPDATES

Windows Players:

    RealOne Player (English only) and RealPlayer 10.5 Beta (English only) require 
    a full download to correct this issue. Please click here or use the following 
    steps to upgrade your Player:

       1. In the Tools menu select Check for Update.
       2. Select the box next to the "RealPlayer 10.5 with Harmony™ Technology" 
          component.
       3. Click Install to download and install the update.

    RealOne Player v2, RealPlayer 10, and RealPlayer 10.5 (Final Release) customers 
    please click here or use the following steps to update your Player:

       1. In the Tools menu select Check for Update.
       2. Select the box next to the "Security Update - Skin File Overflow" component.
       3. Click Install to download and install the update.

German
English
Spanish
French
Italian
Portuguese
Japanese
Korean
Simplified Chinese
Traditional Chinese

Acknowledgements:

    RealNetworks would like to acknowledge eEye Digital Security and John Heasman 
for bringing this exploit to our attention as well those who subsequently worked
with RealNetworks to correct the vulnerability.

Warranty:

    RealNetworks Inc. endeavors to provide you with the highest quality products 
and services, but cannot guarantee, and does not warrant, that the operation of 
any RealNetworks product will be error-free, uninterrupted or secure. Please see 
your original license agreement for details of our limited warranty or warranty 
disclaimer.

[***** End RealNetworks, Inc. October 26, 2004 Update *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of RealNetworks, Inc. for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-013: Macromedia JRun Server Vulnerabilities
P-014: CUPS Information Leak
P-015: Libtiff Vulnerabilities
P-016: Sun FTP Daemon of Heimdal is Vulnerable to Race Conditions
P-017: Sun Security Vulnerability When Using LDAP in Conjunction with RBAC
P-018: Red Hat Update MySQL Packages Fix Security Issues and Bugs
P-019: Red Hat Updated CUPS Packages Fix Security Issues
P-020: VERITAS NetBackup (tm) Java GUI Vulnerability
P-021: HP Serviceguard Vulnerability
P-022: QuickTime for Windows Vulnerability