Updated April 14, 2010
RealNetworks is making available product upgrades that contain security bug fixes.
RealNetworks, Inc. has addressed three recently discovered security vulnerabilities.
RealNetworks takes all security vulnerabilities extremely seriously and provides
this information as an aid for users to avoid any potential exploits.
VULNERABILITY DESCRIPTION
CVE-2010-1317:
Remotely Exploitable: YES
RealNetworks Helix Server NTLM Authentication Invalid Base64 Heap Overflow
Vulnerability
CVE-2010-1318
Remotely Exploitable: YES
Remote exploitation of a stack-‐based buffer overflow vulnerability within AgentX++,
as distributed with multiple vendors' products, allows attackers to execute arbitrary
code with the privileges of the AgentX master process.
CVE-2010-1319
Remotely Exploitable: YES
Remote exploitation of an integer overflow vulnerability within AgentX++, as
distributed with multiple vendors' products, allows attackers to execute arbitrary
code with the privileges of the AgentX master process.
Impacted Products and Versions:
-‐ Helix Server Version 11.x, 12.x, 13.x
-‐ Helix Mobile Server Version 11.x, 12.x, 13.x
FIX:
Version 14.0.0 of the Helix Server and the Helix Mobile Server have been updated to
ensure that the above vulnerabilities have been resolved.
SOLUTION:
The vulnerability is resolved on the following platforms by installing Version 14.0.0
of the Helix Server and the Helix Mobile Server. This only pertains to supported
versions of the platforms listed below. The updated version will be available on your
RealNetworks PAM site after 12:00 am PST, on April 14, 2010.
-‐ Red Hat Enterprise Linux 5
-‐ Sun Solaris 10
-‐ Windows 2008
-‐ Windows 2003
ACKNOWLEDGMENT:
RealNetworks would like to thank Manuel Santamarina Suarez, Joshua J. Drake, and
other anonymous contributors for bringing these exploits to our attention.
WARRANTY:
While RealNetworks endeavors to provide you with the highest quality products
and services, we cannot guarantee and do not warrant that the operation of any
RealNetworks product will be error-‐free, uninterrupted or secure. See your original
license agreement for details of our limited warranty or warranty disclaimer.