RealNetworks Customer Support

Server Exploit Fix

Updated September 11, 2003

On August 22, 2003 RealNetworks reported that Helix Universal Server 9 and earlier versions (RealSystem Server 8, 7 and RealServer G2) were vulnerable to a root exploit when certain types of character strings appeared in large numbers within URLs destined for the Server's protocol parsers. RealNetworks Proxy products were not vulnerable to this exploit.

Affected Software:

Helix Universal Server 9.01, versions 9.0.2.794 and earlier
RealSystem Server 8.0 & 7.0

Solution:

Customers are encouraged to upgrade their Server software to the latest version, which contains a security patch. On September 10, 2003, RealNetworks publicly released new installation binaries that prevent improperly formed URLs from causing a buffer overrun within the data structures that store resource file names within the Server.

Helix Server customers are encouraged to upgrade to the latest version of the Helix Universal Server. This will require reinstallation of the software; however, all existing configuration settings (rmserver.cfg file) will function without modification with this new build (see notes below). Any previously provided and current (non-expired) 9.0.x product license will enable this upgrade.

To preserve the Helix configuration file: The rmserver.cfg file will be renamed "rmserver.cfg.bak" by the installer, and a new rmserver.cfg file will be installed. In order to maintain your previous Helix Server configurations, you should rename or discard the newly installed "rmserver.cfg" file, and rename "rmserver.cfg.bak" to "rmserver.cfg". Execute or restart the Helix Server to read this configuration information.
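The rename steps above can be scripted so that the installer's default file is kept for comparison instead of being discarded. This is an added example, not RealNetworks code; the install directory argument and the "rmserver.cfg.installer-default" file name are assumptions.

```shell
#!/bin/sh
# Restore the pre-upgrade Helix Server configuration after the installer
# has renamed it to rmserver.cfg.bak and written a fresh rmserver.cfg.
# Usage: restore_helix_cfg /path/to/helix/install/dir   (path is an assumption)
restore_helix_cfg() {
    dir=$1
    cfg="$dir/rmserver.cfg"
    bak="$dir/rmserver.cfg.bak"
    new="$dir/rmserver.cfg.installer-default"   # hypothetical name for the new default

    # Without the installer's backup there is nothing to restore.
    [ -f "$bak" ] || { echo "no $bak found; nothing to restore" >&2; return 1; }

    # Never clobber a default saved by an earlier run.
    [ ! -e "$new" ] || { echo "$new already exists; move it aside first" >&2; return 2; }

    # Keep the newly installed file so it can be diffed against the old one.
    if [ -f "$cfg" ]; then
        mv "$cfg" "$new" || return 3
    fi

    # Put the previous configuration back under the name the Server reads.
    if ! mv "$bak" "$cfg"; then
        # Roll back so the Server still has a usable rmserver.cfg.
        [ -f "$new" ] && mv "$new" "$cfg"
        return 3
    fi

    echo "restored $cfg; installer default kept as $new"
}
```

After the function succeeds, start or restart the Helix Server so that it reads the restored file.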

All actively supported Helix Universal Server platforms are available:

The latest version is:

Helix Universal Server 9.01 Security Update
Version: 9.0.2.802


Platform and configuration support details are available at

http://www.realnetworks.com/resources/contentdelivery/server/recommended_platforms.html

If you are a Server 8.0x customer, please contact Customer Service. Server 7, 6 and G2 are not supported servers and have not been patched. Please contact sales or Customer Service for information about upgrading.

Acknowledgement:

RealNetworks wishes to thank those who posted information about this problem on http://www.securityfocus.com/.

Warranty:

While RealNetworks endeavors to provide you with the highest quality products and services, we cannot guarantee and do not warrant that the operation of any RealNetworks product will be error-free, uninterrupted or secure. See your original license agreement for details of our limited warranty or warranty disclaimer.

 
 

