US CERT has issued an advisory following the release, late last week, of a critical patch from RealNetworks for seven vulnerabilities in its common RealPlayer software. CERT recommended that users and administrators review the advisory from RealNetworks to determine which RealPlayer products were affected and patch any vulnerable systems.
The announcement came after RealNetworks, on Friday, issued a security update advisory that identified seven security holes affecting a number of versions of its RealPlayer, RealPlayer SP and RealPlayer Enterprise media players, which allow users to listen to music and watch video from their PC, Mac or Linux system.
Five of the holes, identified as CVE-2010-2998, CVE-2010-3747, CVE-2010-3749, CVE-2010-3750 and CVE-2010-3751, were disclosed by researchers at HP/TippingPoint’s Zero Day Initiative, which pays independent security researchers for information about software vulnerabilities. A sixth hole, CVE-2010-2578, was discovered by Secunia Research and the seventh, CVE-2010-3748, by a researcher at Microsoft’s Vulnerability Research lab (MSVR).
Many of the vulnerabilities allow attackers to place and run malicious code on systems running vulnerable versions of RealPlayer with or without user interaction, using specially crafted media files or by fooling users into visiting malicious Web sites that will trigger the flaws.
Many recent versions of RealPlayer and RealPlayer Enterprise for Windows contain all or most of the reported holes, including RealPlayer Version 11 and 11.1, RealPlayer SP 1.0 through 1.1.4 and RealPlayer Enterprise 2.1.2.
RealNetworks advises users to patch vulnerable systems immediately to safeguard against attack.