Here are some of the most significant bugs from the past week in the BugBlog.
RealNetworks says there are bugs in a number of their media players that may allow a remote attacker to run hostile code on your computer. The code could be hidden in a media file or a skin file. Affected software for Windows includes RealPlayer 10.5 (22.214.171.1240-1235), RealPlayer 10, RealOne Player 1 and 2, RealPlayer 8 and RealPlayer Enterprise. Affected Mac software includes Mac RealPlayer 10 (10.0.0.305 – 331). Affected Linux software includes RealPlayer 10 (10.0.0 – 5) and Helix Player (10.0.0 – 5). Get update information at http://service.real.com/help/faq/security/051110_player/EN/. RealNetworks credits eEye Digital Security and NGS Software for finding these bugs.
Mark Russinovich, who initially discovered the intrusive software installed by some Sony music CDs, has an update on the Sony rootkit issue. First he highlights the extremely convoluted procedure you need to go through to get the software that uninstalls the rootkit. He then shows that the uninstaller isn’t put together in a safe manner, and could cause your computer to crash. He also shows that the software does contact Sony, although at this point it seems to be for a fairly benign reason. Read the details at http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html. To avoid trouble, avoid using Sony’s copy-protected CDs on your computer. It’s up to you to determine how much business you want to send Sony’s way after this.
Microsoft says that a series of bugs in the graphics rendering engines of Windows 2000, Windows XP, and Windows Server 2003 may allow a remote attacker to run their code on your computer. This affects all service packs for these versions of Windows. To be attacked, you would need to visit a website, or open an email or a file, that contains graphics that have been designed with the hostile code inside. The graphics in question are Windows Metafile (WMF) and Enhanced Metafile (EMF). Microsoft has patches available at http://www.microsoft.com/technet/security/Bulletin/MS05-053.mspx. They credit eEye Digital Security, Venustech AdDLab, and Peter Ferrie of Symantec Security Response for finding these bugs.
See the BugBlog for continuing coverage of bugs and other things that go wrong with your computer.