PT-2011-3121 · Realnetworks · Realplayer Sp+1
Andrea Micalizzi +2 · Published 2011-04-12 · Updated 2018-10-09 · CVE-2011-1426
CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
RealPlayer versions 11.0 through 11.1
RealPlayer versions 14.0.0 through 14.0.2
RealPlayer SP versions 1.0 through 1.1.5
Description
The issue allows remote attackers to execute arbitrary code via a .rnx filename corresponding to a crafted RNX file. This is due to the OpenURLInDefaultBrowser method launching a default handler for the filename specified in the first argument.
Recommendations
For RealPlayer versions 11.0 through 11.1, consider disabling the OpenURLInDefaultBrowser method until a patch is available.
For RealPlayer versions 14.0.0 through 14.0.2, restrict access to the OpenURLInDefaultBrowser method to minimize the risk of exploitation.
For RealPlayer SP versions 1.0 through 1.1.5, avoid using the OpenURLInDefaultBrowser method with untrusted filenames until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Affected products
Realplayer
Realplayer Sp