Update/Correction: I was misinformed — it appears that the code has not actually been released, which greatly reduces the threat.

This is actually serious — an unpatched RealPlayer vulnerability.

The code has been published, but we have not seen it being used. However, it could go live at any minute.

There is no known workaround. While the vulnerability has been reported for version 11 of RP, it’s unknown whether or not other versions (or alternatives) are affected.

With the current rash of malicious ad banners, one has to take extra care. The MySpace malicious banner ads were using the Neosploit exploit framework. This particular vulnerability, as far as we know, has not been released into that framework, but if it is, we have a real problem.

Heck, now is as good a time as any to get rid of that awful player.

More info:

SANS advisory (worth reading)
Secunia
FrSIRT

Alex Eckelberry
(Thanks Francesco)