Summary
This host is installed with RealPlayer which is prone to multiple vulnerabilities
Impact
Successful exploitation allows remote attackers to execute arbitrary code or cause a denial of service.
Impact Level: System/Application
Solution
Upgrade to RealPlayer version 14.0.6 or later,
For updates refer to http://www.real.com/player
Insight
Multiple flaws are due to,
- A cross-zone scripting error in the ActiveX which allows remote attackers to inject arbitrary web script in the Local Zone via a local HTML document.
- A buffer overflow error which allows remote attackers to execute arbitrary code via a crafted raw_data_frame field in an AAC file and a crafted QCP file.
- An use-after-free error in the AutoUpdate feature which allows remote attackers to execute arbitrary code via unspecified vectors.
Affected
RealPlayer versions 11.0 through 11.1
RealPlayer SP versions 1.0 through 1.1.5 (12.x)
RealPlayer versions 14.0.0 through 14.0.5
References
Severity
Classification
-
CVE CVE-2011-2945, CVE-2011-2947, CVE-2011-2950, CVE-2011-2951, CVE-2011-2954 -
CVSS Base Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
Related Vulnerabilities
- Adobe Air Multiple Vulnerabilities -01 August 12 (Windows)
- Adobe AIR Multiple Vulnerabilities-01 Aug14 (Mac OS X)
- Adobe Acrobat Multiple Vulnerabilities - 01 Jan14 (Mac OS X)
- Adobe AIR Code Execution and DoS Vulnerabilities Nov13 (Mac OS X)
- Adobe Acrobat and Reader PDF Handling Code Execution Vulnerability (Windows)