7885240 2002-01-24 23:04 -0800 /27 rader/ Dave Cotter <dcotter@real.com> Sänt av: joel@lysator.liu.se Importerad: 2002-01-25 21:07 av Brevbäraren Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM Mottagare: Bugtraq (import) <20686> Ärende: Potential RealPlayer 8 Vulnerability ------------------------------------------------------------ From: Dave Cotter <dcotter@real.com> To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <5.0.0.25.0.20020124221802.0551b1b0@mail.real.com> On January 17th, 2002, a security exploit affecting RealPlayer 8 was brought to the attention of RealNetworks. The specific exploit, commonly known as a "buffer overrun", could allow an attacker to run arbitrary code on a victim's machine. We have not yet received reports of anyone actually being attacked with this exploit, however, a fix will be made available by end of day Friday via the RealPlayer AutoUpdate Service, and for Enterprise RealPlayer users at: http://www.service.real.com/help/faq/security/index.html. RealNetworks would like to thank Tim Morgan for reporting this issue to us and working with us to protect customers from unauthorized access to sensitive or proprietary information. (7885240) /Dave Cotter <dcotter@real.com>/(Ombruten) 7885295 2002-01-24 19:17 -0800 /25 rader/ <tmorgan-security@kavi.com> Sänt av: joel@lysator.liu.se Importerad: 2002-01-25 21:33 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <20691> Ärende: RealPlayer Buffer Overflow [Sentinel Chicken Networks Security Advisory #01] ------------------------------------------------------------ From: tmorgan-security@kavi.com To: bugtraq@securityfocus.com Message-ID: <20020124191741.B13797@kavi.com> Hello bugtraq, There are buffer overflows in RealPlayer's header reading code. To my knowledge, no exploit has been developed for it, but it appears possible. Since the press already has a hold of it: http://www.newsbytes.com/news/02/173936.html I might as well release this now. The official advisory can be found at: http://www.sentinelchicken.com/advisories/realplayer/ Real has told me there should be a patch out sometime after noon tomorrow (Pacific time). thanks, tim (Not a security expert.) (7885295) / <tmorgan-security@kavi.com>/------------