Macromedia, RealNetworks Release Patches
A pair of multimedia software companies -- Macromedia, Inc. and RealNetworks, Inc. -- has released patches for vulnerabilities in their respective products that may result in buffer overflows.
eEye Digital Security found a flaw that renders Macromedia Flash Players published prior to Dec. 12, 2002 vulnerable to attacks in which malformed Flash movies could cause a buffer overflow, potentially allowing an attacker to take over a target system. Macromedia notes the attack can occur only with movies edited by hand, with a binary editor; the company's Macromedia Flash authoring tool will not output such malformed movies.
Macromedia says it worked with eEye Digital Security to remedy the issue and has posted an updated player -- version 6,0,65,0 or later -- in its download center.
RealNetworks, meanwhile, says its Helix Universal Server version 9.0 (specifically, version 9.0.2.768) contains three potential buffer overflow vulnerabilities. Each involves sending invalid streams of data to the server, ranging from malformed transport headers to very long URLs and invalid HTTP GET requests.
The company says it has yet to receive reports of any of the vulnerabilities being exploited in the field. On Dec. 19, RealNetworks released patches for all its actively supported server platforms. See here for details.