|
|
|
|
| |
Credit:
The information has been provided by Luigi Auriemma.
The original article can be found at: http://www.zerodayinitiative.com/advisories/ZDI-12-048/
|
| |
Vulnerable Systems:
* RealPlayer
The flaw exists within dmp4.dll, specifically the decoding of an MPEG stream. When encountering a VIDOBJ_START_CODE object the process inproperly validates the size of the destination buffer used for rendering. The contents of a decoded frame are copied to this region which can result in heap corruption if the decoded frame size exceeds the size of this region. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the process.
Vendor Status:
RealNetworks has issued an update to correct this vulnerability.
Patch Availability:
http://service.real.com/realplayer/security/02062012_player/en/
CVE Information:
CVE-2012-0924
Disclosure Timeline:
2011-10-21 - Vulnerability reported to vendor
2012-03-22 - Coordinated public release of advisory
|
|
|
|
|
