'Critical' Security Hole in Real's Helix Server

August 25, 2003
By Ryan Naraine

Digital media frontrunner RealNetworks has issued a warning for a root exploit vulnerability in its Helix Universal Server 9 platform.

The security flaw could potentially allow attackers to gain system access and execute arbitrary code, according to an alert from RealNetworks.

Independent security consultancy Secunia has rated the vulnerability 'highly critical'. It affects RealServer G2, RealSystem Server 7, RealSystem Server 8 and the Helix Universal Server 9.x.

The flaw exists in the way the "" and "vsrcplin.dll" plugins handle long requests. As a temporary workaround, RealNetworks said users should remove the View Source plug-in from the /Plugins directory and restart the server process.

"Removal of this plug-in will not hinder on-demand or live streaming delivery or logging and authentication services of the product. With the plug-in removed however, the Content Browsing feature will be disabled," the company explained. A patched version of the Helix Universal Server will be released soon.

The Helix Universal Server, which is a key component of the company's strategy to embrace open-source developers, provides support for live and on-demand delivery of all major file formats (including Real Media, Windows Media, QuickTime, MPEG 4 and MP3).

Separately, RealNetworks reported a security hole in its flagship RealOne Player which can be exploited by attackers to execute arbitrary code.

The vulnerability, which carries a 'moderately critical' rating, affects the RealOne Player, RealOne Enterprise Desktop and RealOne Desktop Manager.

RealNetworks said the vulnerability is caused by an unspecified error in the handling of SMIL files. The hole can be exploited to execute script code in the context of an arbitrary domain by constructing a specially crafted SMIL file and tricking a user into executing it.

A new version of the RealOne Player is available via the "Check for Update" feature. Fixed versions of the RealOne Desktop Manager and RealOne Enterprise Desktop have also been released.
