Real Networks RealJukebox...

Published: 2002-07-11
Revised: 2025-04-13

Real Software has announced a vulnerability in RealJukebox2 and Real Player Gold. When a skin file is opened, the files comprising the skin are extracted to a known location on the client filesystem. This may allow a remote attacker to plant a file on a victim's filesystem by transmitting a seemingly benign skin. The presence of a file in a specific location may give the attacker the ability to carry out more complex attacks, such as creating a "file://" link to malicious content in a skinfile and enticing the user who downloaded the skin to visit the link. The ability to plant a file on the victim filesystem may also be leveraged in conjunction with other vulnerabilities, such as the one described by Bugtraq ID 3867. The vendor has addressed this issue in affected products by making the location of skinfile extractions less predictable.
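The mitigation described above, sketched as an added example (not the vendor's code): extraction into a randomly named directory whose path only the extracting process learns. It assumes a ZIP-format archive, goes slightly beyond the advisory by also rejecting entries that would leave the extraction directory, and the names `build_sample_skin` and `extract_skin` are hypothetical.

```python
import io
import os
import shutil
import tempfile
import zipfile


def build_sample_skin() -> bytes:
    """Constructed sample input: a small ZIP standing in for a skin archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("skin.ini", "[skin]\nname=demo\n")
        zf.writestr("images/main.bmp", b"constructed placeholder bytes")
    return buf.getvalue()


def extract_skin(archive: bytes, base_dir: str) -> str:
    """Extract into a fresh, randomly named directory under base_dir.

    Only the return value reveals the path; it cannot be derived from the
    skin's name or contents, so a link prepared in advance has nothing
    fixed to point at.
    """
    # mkdtemp picks a random suffix and creates the directory owner-only.
    root = os.path.realpath(tempfile.mkdtemp(prefix="skin-", dir=base_dir))
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            for name in zf.namelist():
                target = os.path.realpath(os.path.join(root, name))
                # Reject entries that would be written outside the directory.
                if os.path.commonpath([root, target]) != root:
                    raise ValueError(f"entry escapes extraction dir: {name!r}")
            zf.extractall(root)
    except Exception:
        shutil.rmtree(root, ignore_errors=True)  # leave nothing behind on failure
        raise
    return root


if __name__ == "__main__":
    base = tempfile.mkdtemp()  # stands in for the application's data directory
    print(extract_skin(build_sample_skin(), base))
    print(extract_skin(build_sample_skin(), base))  # different path each time
```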

No exploit or PoC is currently available.
There are currently 0 affected product entries.