Critical RealPlayer Update

Real Networks Inc. has released a new version of RealPlayer that fixes at least seven critical vulnerabilities that could be used to compromise host systems remotely if left unpatched.

I’ve never hidden my distaste for this program, mainly due to its history of unnecessarily tracking users, installing oodles of third-party software, and serving obnoxious pop-ups. But I realize that many people keep this software installed because a handful of sites still only offer streaming in the RealPlayer format. If you or someone you look after has this program installed, please update it.

The new versions listed in the chart below are not vulnerable to these flaws. Real Networks says it has no evidence that attackers are exploiting any of these flaws yet. The latest versions for all operating systems are available here.

  1. I dumped Real Player several years past due to their nasty habits. Have used Real Alternative since with no problem.


  2. My senior thesis at Scam U is going to be making a virus that uses this RealPlayer exploit… to uninstall RealPlayer.

  3. Wow, didn’t realize Real Player was still around. To show how long it’s been for me, Windows 98 was the last system I ever had it installed on! I couldn’t get away from it fast enough for the same reasons Brian has mentioned. That reminds me of how the AOL software also tries to install everything but the kitchen sink! Yuck. 🙁

  4. According to Secunia http://secunia.com/advisories/41096/ there are actually eleven vulnerabilities, several discovered by their own researchers.

    Also, RealPlayer SP 1.1.5, which is not vulnerable, was released at the beginning of July. Weird why the advisory came three months later.

  5. At the risk of being hounded from this forum, I’ll admit I use RealPlayer. I didn’t know about the alternatives mentioned above and will explore those.

    Anyway, I installed RealPlayer SP 1.1.5 on September 29, 2010, which is listed as the current version. I find it incongruous that it was announced as an update on October 15 as a version to fix vulnerabilities.

    If it was known to fix vulnerabilities on September 29, why was it not announced then? If the vulnerabilities were not known on September 29, did the vulnerabilities suddenly appear with the earlier versions, and version 1.1.5 happen to have the code to take care of them?

    • Yes, I have to admit I am guilty also. I like the feature that allows you to screen capture video and convert files very quickly to alternative types, e.g. mpg, but I always run it on a quarantined machine.