ISS Protection Brief: RealNetworks RealPlayer chunked Transfer-Encoding buffer overflow

Type securityvulns
Reporter Securityvulns
Modified 2006-03-29T00:00:00



Internet Security Systems Protection Alert Date: 03/28/06

Title: RealNetworks RealPlayer chunked Transfer-Encoding buffer overflow


Multiple versions of RealNetworks RealPlayer and RealOne Player are vulnerable to a heap-based buffer overflow, caused by improper handling of chunked Transfer-Encoded data. A remote attacker could create a specially-crafted Web page containing embedded object tags that launch an affected version of RealPlayer or RealOne Player. If a victim could be persuaded to view the malicious page, the attacker could overflow a buffer and execute arbitrary code on the victim's system.

Business Impact:

Compromise of the operating system can lead to exposure of confidential information, loss of productivity, and further network compromise. Successful exploitation of this vulnerability could be used to gain unauthorized access to networks and machines. No authentication is required for an attacker to leverage these vulnerabilities to compromise a network or machine.

About Internet Security Systems, Inc. Internet Security Systems, Inc. (ISS) is the trusted security advisor to thousands of the world.s leading businesses and governments, providing preemptive protection for networks, desktops and servers. An established leader in security since 1994, ISS. integrated security platform automatically protects against both known and unknown threats, keeping networks up and running and shielding customers from online attacks before they impact business assets. ISS products and services are based on the proactive security intelligence of its X-Force® research and development team . the unequivocal world authority in vulnerability and threat research. ISS. product line is also complemented by comprehensive Managed Security Services. For more information, visit the Internet Security Systems Web site at or call 800-776-2362.

Copyright (c) 2006 Internet Security Systems, Inc. All rights reserved worldwide.

This document is not to be edited or altered in any way without the express written consent of Internet Security Systems, Inc. If you wish to reprint the whole or any part of this document, please email for permission. You may provide links to this document from your web site, and you may make copies of this document in accordance with the fair use doctrine of the U.S. copyright laws.

Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and's key server, as well as at Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE----- Version: 2.6.2

iQCVAwUBRCmxiDRfJiV99eG9AQEYbAQAntTggnVhgn7VohRkSkwrZ8X4KZZ3l1q2 LxVvr7WOvrGzjaVK3jVvPTQ1FFs8JnrCtIoMT11Z7qxAcin3pBTsS+BjR0iKczj/ 9yzKaAiuqvWfgh7h9I3Gk3qm/vtIidZasuXMcKmiuxBF5Xff/lrGqcXsUSiETqB2 NJTz04H2iZM= =3KzH -----END PGP SIGNATURE-----