RealNetworks has pulled down a patch that aimed to fix flaws in its popular media player software after the developer who discovered the problems said the fix doesn't work.
The vulnerabilities, which appear in the streaming media company's RealOne Player and Real Player, could affect as many as 115 million users of the software worldwide.
RealNetworks posted a patch last week, but NGSSoftware engineer Mark Litchfield on Tuesday said he was able to easily work around the fixes by making relatively minor changes to his attacks on the software.
"Whatever they did is not sufficient," Litchfield said, adding that he's still working with the company on a better patch.
The three flaws could result in what's known as a "buffer overflow," a memory problem that could compromise security controls and theoretically allow an attacker to take control of a PC running the Real media player.
The intruder could exploit the security holes by encouraging unsuspecting PC users to download files with overly long file names or other distorted features, according to NGSSoftware, the security company that first discovered the flaws.
RealNetworks said that the problems were only theoretical at this point and that the discoverer of the security holes could not actually demonstrate how to exploit the bugs to take over a PC.
"We have not yet received reports of anyone actually being attacked with this exploit," RealNetworks said in a posting on its Web site.
NGSSoftware notified the Seattle-based streaming media company of the problems Nov. 1, but kept the findings a secret until RealNetworks could post a patch for them. The U.K.-based security company sent its findings to the NTBugtraq mailing list after RealNetworks first said it fixed the flaws.
RealNetworks representatives did not immediately return calls seeking comment on the patch problems.
http://zdnet.com.com/2100-1104-975352.html