Multiple vulnerabilities have been reported in RealOne Player, RealPlayer, and Helix Player, which can be exploited by malicious people to compromise a user's system and delete files.

1) A boundary error within "pnen3260.dll" when handling ".rm" movie files can be exploited to cause an integer overflow, which leads to a heap-based buffer overflow. This can be exploited via a SMIL file calling a specially crafted ".rm" movie file with a value in the VIDORV30 data chunk length field set to 0xFFFFFFF8 - 0xFFFFFFFF.

The vulnerability has been reported in:
* RealPlayer 8 / 10 / 10.5 Beta (6.0.12.1016) / 10.5 (6.0.12.1040) / Enterprise on Windows
* RealOne Player v1, v2 on Windows
* Mac RealPlayer 10 Beta and Mac RealOne Player
* Linux RealPlayer 10 and Helix Player on Linux

2) A boundary error in the "HandleAction()" function of the RealPlayer ActiveX component can be exploited to cause a buffer overflow by passing two overly long arguments to the "ShowPreferences()" method.

Successful exploitation requires that a user is tricked into visiting a malicious web site or opening a specially crafted skin file.

The vulnerability has been reported in RealPlayer 10 / 10.5 Beta (6.0.12.1016) / 10.5 (6.0.12.1040) and RealOne Player v1, v2 on Windows.

3) An input validation error within the handling of RMP (Real Metadata Packages) files can be exploited to delete arbitrary files on a user's system.

The vulnerability has been reported in RealPlayer 10 / 10.5 Beta (6.0.12.1016) / 10.5 (6.0.12.1040) and RealOne Player v1, v2 on Windows.

4) An input validation error within the parsing of RealPlayer skin files can be exploited to determine whether a file exists on a user's system.

Solution
The vendor has issued a patch, which is available via the "Check for Update" feature.

Provided and/or discovered by
1) Karl Lynn, eEye Digital Security.
2-4) John Heasman, NGSSoftware.

Changelog
Further details available in Customer Area

Original Advisory
RealNetworks:
http://www.service.real.com/help/faq/security/040928_player/EN/

eEye Digital Security:
http://www.eeye.com/html/research/advisories/AD20041001.html

NGSSoftware:
http://www.ngssoftware.com/advisories/real-01full.txt
http://www.ngssoftware.com/advisories/real-02full.txt
http://www.ngssoftware.com/advisories/real-03full.txt

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area