RealNetworks Inc. has released a software patch that it says finally fixes highly publicized security holes in its RealOne Player, according to a statement released by the company on Wednesday.
The patch closes nine security holes that could allow an attacker to take over a computer running the RealOne Player. It also fixes other problems discovered during an internal audit of RealOne Player code, according to Richard Brownrigg, general manager of consumer products at RealNetworks.
The vulnerabilities, described as "buffer overruns," "heap overruns," and "stack overruns" were first discovered in November by Mark Litchfield, a security researcher for Next Generation Security Software Ltd., in Sutton, U.K. In buffer overrun attacks, malicious hackers can exploit an unchecked buffer in a program to load and run their code on the vulnerable system. Exploitations involving heap and stack overruns work to similar effect.
Litchfield promptly reported the problems he found to RealNetworks, which is based in Seattle.
In order to be vulnerable to an attack that used the flaws, users first would have to be tricked by attackers into downloading a malformed file. RealNetworks said in its statement that no exploitations of the security holes have yet been reported.
Nevertheless, RealNetworks issued a patch for the vulnerabilities in late November.
"All security vulnerabilities are taken very seriously by RealNetworks," RealNetworks said in its statement Wednesday.
However, Litchfield said he was able to prove that the patch issued by RealNetworks did not solve the reported security problems.
The mix-up prompted RealNetworks to announce a wholesale review of its RealOne Player source code to identify any other vulnerabilities in the product.
Although the results of that audit were not mentioned in the company's statement, the nine holes have been plugged, according to the company.
Individuals using RealOne Player can obtain the update by selecting the Check for Updates option on the RealOne Player's tools menu, or by visiting the RealNetworks Web site and downloading the software patch at http://service.real.com/help/faq/security/bufferoverrun_update.html.