Risk: High
The way chunked transfer-encoding is handled may allow remote execution of arbitrary code, giving an attacker all the privileges of the logged-in user.
There are three ways that the vulnerability can be triggered, all of which result in a heap overflow:
- Sending a well-formed chunk header with a length of -1 (FFFFFFFF) followed by malicious data.
- Sending a well-formed chunk header whose declared length is less than the amount of data that follows, followed by malicious data.
- Not sending a chunk header before sending malicious data.
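Each of the three triggers above is a failure of the same kind: data is copied into a heap buffer sized from a chunk header that was either absurd, too small, or never parsed at all. The following C decoder is an added defensive example, not code from the advisory, from iDefense, or from RealPlayer; it shows the checks that close each of the three cases. The cap `MAX_CHUNK_LEN` is an assumed policy value, and the test inputs are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <ctype.h>

/* Assumed policy bound on a single chunk. Anything larger, including a
   length of FFFFFFFF (-1), is rejected before any allocation or copy. */
#define MAX_CHUNK_LEN (1u << 20)

/* Parse "<hex>\r\n" at the start of buf. Returns the header length in bytes
   (so the caller can skip it) and stores the chunk size in *out, or returns
   -1 if the header is absent, malformed, or declares an oversized chunk. */
static int parse_chunk_header(const unsigned char *buf, size_t len, uint32_t *out)
{
    size_t i = 0;
    uint64_t val = 0;   /* 64-bit accumulator so 32-bit wraparound cannot hide an overflow */

    if (len == 0 || !isxdigit(buf[0]))
        return -1;                          /* case 3: no header before the data */

    while (i < len && isxdigit(buf[i])) {
        int d = isdigit(buf[i]) ? buf[i] - '0' : (tolower(buf[i]) - 'a' + 10);
        val = (val << 4) | (uint64_t)d;
        if (val > MAX_CHUNK_LEN)
            return -1;                      /* case 1: FFFFFFFF or any absurd length */
        i++;
    }
    /* The header must end in CRLF; anything else is malformed. */
    if (i + 2 > len || buf[i] != '\r' || buf[i + 1] != '\n')
        return -1;
    *out = (uint32_t)val;
    return (int)(i + 2);
}

/* Decode a chunked body into a caller-supplied buffer of size out_cap.
   Returns the number of decoded bytes, or -1 on any malformed input. Every
   copy is bounded by both the declared chunk length and the remaining output
   space, so payload bytes beyond a short declared length are never written
   past the chunk (case 2): they are parsed as the next header instead, and
   that parse fails unless they really are one. */
static long decode_chunked(const unsigned char *in, size_t in_len,
                           unsigned char *out, size_t out_cap)
{
    size_t pos = 0, produced = 0;
    for (;;) {
        uint32_t clen;
        int hdr = parse_chunk_header(in + pos, in_len - pos, &clen);
        if (hdr < 0)
            return -1;
        pos += (size_t)hdr;
        if (clen == 0)
            return (long)produced;          /* terminating zero-length chunk */
        if ((size_t)clen + 2 > in_len - pos)
            return -1;                      /* would read past the input */
        if (clen > out_cap - produced)
            return -1;                      /* would write past the output */
        memcpy(out + produced, in + pos, clen);
        produced += clen;
        pos += clen;
        if (in[pos] != '\r' || in[pos + 1] != '\n')
            return -1;                      /* more data than declared: no CRLF where expected */
        pos += 2;
    }
}

/* Convenience wrapper for NUL-terminated input. */
static long decode_chunked_str(const char *s, unsigned char *out, size_t out_cap)
{
    return decode_chunked((const unsigned char *)s, strlen(s), out, out_cap);
}

int main(void)
{
    unsigned char out[64];
    const char *cases[] = {                 /* constructed inputs */
        "5\r\nhello\r\n0\r\n\r\n",          /* well-formed: decodes to 5 bytes */
        "FFFFFFFF\r\nAAAA\r\n0\r\n\r\n",    /* case 1: length -1 */
        "2\r\nhello\r\n0\r\n\r\n",          /* case 2: declared length shorter than data */
        "hello\r\n0\r\n\r\n",               /* case 3: no chunk header */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("case %zu: %ld\n", i, decode_chunked_str(cases[i], out, sizeof out));
    return 0;
}
```

The point of the example is the ordering: the length is validated before any buffer is sized, the copy is bounded by the output capacity rather than by the sender's header, and the bytes that follow a chunk must be a CRLF and then another valid header, so a sender cannot smuggle extra payload after a small declared length.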
Apart from completely removing RealPlayer, it may be difficult to eliminate the vulnerability, but workarounds are available at http://www.idefense.com/intelligence/vulnerabilities/display.php?id=404