October 20, 2010

Real Networks Inc. has released a new version of RealPlayer that fixes at least seven critical vulnerabilities that could be used to compromise host systems remotely if left unpatched.

I’ve never hidden my distaste for this program, mainly due to its history of unnecessarily tracking users, installing oodles of third party software, and serving obnoxious pop-ups. But I realize that many people keep this software installed because a handful of sites still only offer streaming in the RealPlayer format. If you or someone you look after has this program installed, please update it.

The new versions listed in the chart below are not vulnerable to these flaws. Real Networks says it has no evidence that attackers are exploiting any of these flaws yet. The latest versions for all operating systems are available here.

12 thoughts on “Critical RealPlayer Update

      1. Louis Leahy

        I like VLC too seems to run a lot of obscure file types without any trouble however I understand that it is open to misuse because it does not take advantage of the new random memory allocation security features. Does anyone know if this is true and what are the alternatives without loosing the functionality.

    1. KFritz

      Hear! Hear! If there’s some Real function a body needs (in my case 2 unique streaming webcasts) Altreal does quite nicely. Otherwise, why have the bloody thing around at all?

    2. Faust

      Real Alternative is no longer being maintained. The K-Lite Codec Pack guy dropped it awhile back.

  1. Russ

    My senior thesis at Scam U is going to be a making virus that uses this Reaplayer exploit… to uninstall Realplayer.

  2. xAdmin

    Wow, didn’t realize Real Player was still around. To show how long it’s been for me, Windows 98 was the last system I ever had it installed on! I couldn’t get away from it fast enough for the same reasons Brian has mentioned. That reminds me of how the AOL software also tries to install everything but the kitchen sink! Yuck. 🙁

  3. Steve

    At the risk of being hounded from this forum, I’ll admit I use RealPlayer. I didn’t know about the alternatives mentioned above and will explore those.

    Anyway, I installed RealPlayer SP 1.1.5 on September 29, 2010, which is listed as the current version. I find it incongruous that it was announced as an update on October 15 as a version to fix vulnerabilities.

    If it was known to fix vulnerabilities on September 29, why was it not announced then? If the vulnerabilities were not known on September 29, did the vulnerabilities suddenly appear with the earlier versions, and version 1.1.5 happen to have the code to take care of them?

    1. Louis Leahy

      Yes I have to admit I am guilty also I like the feature that allows you to screen capture video and convert files very quickly to alternative types eg mpg but I always run it on a quarantined machine.

Comments are closed.