Three Vulnerabilities Discovered in Real Player

prostoalex writes "British Next-Generation Security Software discovered three vulnerabilities in popular Real Player. A malicious attacker can execute arbitrary code by offering corrupted RealAudio stream. Real Networks posted the instructions on dealing with security flaws."

first port for mplayer

that'll fix it.

Linux

[RoadkillBunny]

How about Linux, are we safe? I didn't see any reference...

Re:Linux

first time i've ever seen a question modded "informative" . . .

Re:Linux

From what I've seen Linux users are generally safe from

slip-up at a social cocktail party, since they're hardly invited

STDs transferred during sexual intercourses and foreplay with persons of opposite sex

overspending on deodorant

huge water bills due to frequent showers

complaints from Mom about yet another basement party

Re:Linux

[Citizen+Gold]

I take it you don't know _anyone_ that uses linux then?

Re:Linux

[ScottGant]

I'm safe from it here on my Gentoo distro.

Why? BECAUSE I DIDN'T INSTALL IT.

Realplayer really pisses me off. It's like adware central for one, and then the streams itself are horrible and buggy. I just don't deal with it anymore.

It's just the worse. When I go to a website that has a link to a RealPlayer sound bite, I don't even bother with it. I don't care if it's the secrets of the universe I wouldn't click on it. And don't get me started about the proprietary format that they use.

If Mplayer can't play it, I don't want any part of it (that being said, RA files are one of the few formats that Mplayer doesn't play).

Re:Linux

I don't see why people keep calling RealPlayer adware. I have RealPlayer 8(for the plugin) and RealPlayer 9. They never advertise. I've also used it on OS X, though not much as I use Linux 99% of the time(OS X = 1%), I've never seen an ad. The only valid complaint may be that they never finished the Linux player.

Re:Linux

[IANAAC]

I didn't see any reference...

But they did mention that any harm done to the machine would be under the context of the logged in user. Unless you're surfing as root (very stupid) I doubt much would happen.

Re:Linux

Hit a little too close to home?

Re:Linux

[prshaw]

That's good to know.

I would hate to loose any of my files. I have the OS on CD so those ones are easy to restore. But all my data and configuration is a real pain when I have to restore it.

Re:Linux

[Dimensio]

If that's the case, then most Windows users should be safe because only an idiot would have their default user account in the Administrators group... ...oh, wait. These are Windows users.

Re:Linux

[burnin1965]

but you can't blame the user if the PC they purchased comes configured with the admin as the main user or if they installed from shrink wrap and it sets up the admin as the default user.

as I would not blame you for getting burned to a cinder because the car you purchased has a tendency to burst into flame when involved in an unexpected collision and you didn't install reinforcement around the fuel tank.

burnin

Re:Linux

[JPriest]

When I am using Linux I probably su to root about 3 times a minute. I don't need or want training wheels on my OS. I would much rather sandbox the browser and mail clients first.

Re:Linux

Hit a touchy point?

You are all stinky, and have no chance of sex.

Your either a commie, or stinky.

Re:Linux

[nineoneone]

Exactly - its a bag-o'-shite piece of software anyway - I wouldn't even allow it on my wifes XP box

A new insult...

[Lord_Slepnir]

"Your band's so bad that their voices hack real player"

Re:A new insult...

[LostCluster]

Mod parent as funny... and send the line to Simon Cowell for use on American Idol...

Re:A new insult...

[teh_master_baiter]

yeah, i agree, that guys music completely and utterly sucks The Crappiest Music in the Universe

Re:A new insult...

[MonTemplar]

and send the line to Simon Cowell for use on American Idol...

Bah. Make him come up with his own put-downs, I say. After all, he can afford to do the research... :-)

-MT.

Re:A new insult...

[AtlanticGiraffe]

I love it!

Re:A new insult...

[LittleGuy]

Mod parent as funny... and send the line to Simon Cowell for use on American Idol...

Simon can (and does) come up with his own insults. Send it to Paula Abdul.

I miss Progressive Networks...

[LostCluster]

When the company was called Progressive Networks, they put out some of the most revolutionairy software on the Internet... software that could make decent sounding realtime talk radio streams with just 14.4kbps of modem bandwidth to work with. When 28.8kbps modems came out, they came up with a codec good enough for most FM radio stations...

But, oh how the mighty have fallen. The RealNetworks of today stopped advancing their audio protocols long ago, and have sense been lapped by the field of other audio standards. Now, RealNetworks is more of a content company, selling "-Pass" products that create monthly fees to access streams that used to be free.

So, I guess I'm not surprised that there's a "lazy programmer" style security flaw in their products today. They stoped being a tech innovator, and have slid over into the category of a content pusher. Oh well... another .com bites the dust.

Re:I miss Progressive Networks...

So, in short, RealNetworks codecs are DYING.

Re:I miss Progressive Networks...

[wankledot]

Very well said.

It's very sad for me to see what's happened to Real. I worked there for over a year recently, and I really wish they could turn things around move back to what they did well back in the day.

They need to:
1) fire the entire marketing team. They're horrible
2) lose any of the quick-money things they do (ads, tricking people into paying for the Plus player or *pass accounts) and focus on rebuilding a quality user base.
3) Throw away all the 325 million customer records they have, and stop the spam.
4) Own up to the fact that most people hate them, and the only users that don't have a problem with Real are the ones that don't know them well enough yet. You can only burn so many users until they come back to burn you.

The saddest thing is that the people who work there genuinely care. They are really talented, and they all know what they SHOULD be doing in order to succeed. Especially the people that work on the actual player. But things can't change until the word comes down from the top. Rob needs to have an epiphany and turn the ship around fast, otherwise they'll be selling what's left to Sony and AOL.

Re:I miss Progressive Networks...

[orthogonal]

So, I guess I'm not surprised that there's a "lazy programmer" style security flaw in their products today.

Lazy programmer? Abashed, ashamed, depressed programmer is more like it.

Real is so widely reviled -- by techies, hell, by anyone who has ever downloaded it -- that I'm sure a large number of Real's programers are dispirited, depressed, and resentful that management turned what had been a reputation for technical innovation into a reputation for deceptive marketing practices.

Once a programmer has dragged his ass into Real in the morning only to be told for the tenth week in a row to forget codec improvements, it's time to hide another five opt-out click boxes on a drop-down list at the bottom of narrow scroll pane behind a button on the third page on a fifteen page tab dialog, it's no surprise that even if he does get to patch the codecs, he won't be doing anything near his best work.

Re:I miss Progressive Networks...

That's uncanny. I think I worked with you there... What dept. were you in?

Re:I miss Progressive Networks...

[LostCluster]

Well, the old RealAudio business model didn't work. Give away the client-side software and charge for the encoders... well, eventually people stopped buying the encoders because they realized that nobody could make money streaming content on the Internet for free.

Rather than fold, Real adapted into a pay-for-content distributor. Not only did they provide the tech to stream content, but they provided the structure with which the content owners could charge for the right to hear the stream, and Real and content owners split the profits.

But that basically makes them no better than a cable TV company, who is more interested in collecting the money than providing perfect service. Afterall, for most of the content Real is selling, it's take it or leave it offers... Real is the only place you can get certain major sports and news content.

I guess the free streaming content of the 1999 era was too good to have lasted...

Re:I miss Progressive Networks...

by techies, hell, by anyone who has ever downloaded it

My roommate uses it. He think it's fine for watching his downloaded Saturday Night Live clips. However, I use MPlayer OS X 2 on my powerbook. ciao

Re:I miss Progressive Networks...

I would say that Real is still unsurpassed for 28.8K talk radio. (listens to NPR streams at work)

Re:I miss Progressive Networks...

[Bombcar]

Today's Dilbert is strangely appropriate...

Read

Re:I miss Progressive Networks...

[pla]

it's time to hide another five opt-out click boxes on a drop-down list at the bottom of narrow scroll pane behind a button on the third page on a fifteen page tab dialog

Yeah? What do most of us care? They can probe and prod me to their hearts' content - I'll provide as much fake data as they want to ask me for.

And if they eventually adopt some form of email verification (like mailing a registration key, or the like), well, I can provide as much fake information as Yahoo asks for, as well. Minor inconvenience, but, we all have to do our part to keep the economy flowing smoothly.


I just don't get all you privacy freaks. Really, it doesn't take that much effort to lie to a few simple questions. Grow up.

Re:I miss Progressive Networks...

[Ninja+Programmer]

So, I guess I'm not surprised that there's a "lazy programmer" style security flaw in their products today.

Fix your buffer overflows here:

Better String Library

Its guaranteed to plug all your buffer overflows or your money back! Using Bstrlib will make your code shiny and clean! Its brightens your whitespace, and is syntax coloring safe! Yo Quiero Bstrlib! Faster than a speeding bullet! Better than a superbowl halftime show! Free Limited time offer!

(To opt out of this list click here)

Re:I miss Progressive Networks...

I'll provide as much fake data as they want to ask me for.

and

I can provide as much fake information as Yahoo asks for...

You cannot provide a fake IP, at least without a fair amount of technical know-how and effort. Think that's not a problem? Ask the kids who got subpoenaed by the RIAA. Food for thought.

Re:I miss Progressive Networks...

But, oh how the mighty have fallen. The RealNetworks of today stopped advancing their audio protocols long ago, and have sense been lapped by the field of other audio standards. Now, RealNetworks is more of a content company, selling "-Pass" products that create monthly fees to access streams that used to be free.

But how else do you get a sustainable income stream if you can't come up with a vastly improved codec every year anymore?

Re:I miss Progressive Networks...

ipconfig /renew

Re:I miss Progressive Networks...

Yeah, I installed realplayer 10, and noticed that yet again they have done the dumbest imaginable thing and made the UI ridiculously complex and crowded without adding any useful functionality. I liked realone, it was clean, it wasn't slow, it didn't go [buffering...] all the time. However, it's amusing to see real management still haven't learnt from the mistakes made with realplayer 7 and 8.

KISS - Keep It Simple Stupid

Especially if your product is nothing more than a browser plugin (let's face it, no one sane uses real as a standalone app).

Re:I miss Progressive Networks...

Yeah, right. Are you on drugs? "It couldn't have been me your honor, I did ipconfig/renew." You are probably also the kind of person who gives their userid and password to those emails asking you to update your PayPal info.

Re:I miss Progressive Networks...

[gnu-generation-one]

"I just don't get all you privacy freaks. Really, it doesn't take that much effort to lie to a few simple questions. Grow up"

You lie to protect your privacy, yet verbally abuse those who take their own privacy seriously and dislike lying?

Re:I miss Progressive Networks...

[ZoneGray]

I just got tired of supplying the fake data every time I had to do an install, especially after they stopped accepting "webmaster@real.com".

Seriously, it doesn't seem to be a major privacy issue, just the annoyance of being continually marketed to for something you know you don't want to buy. And I'll confess, I actually bought the commercial version of their current player. But even after you pay them, they come back for more; there's always some damned popup in the system tray telling you that you want a Gold pass.

Also annoying... the only "fix" suggested by Real is to download and install an update... which means we get to go through the excercise of finding the hidden checkboxes all over again.

BTW, people whose politics are to the right of Pol Pot might be offended by Glaser's generous support of several of the most extreme and ghoulishly anti-human animal rights groups. They don't simply campaign on mainstream issues like fur coats, protection of endangered species, or animal cruelty. www.progressproject.org indulges writers who advocate such things as outlawing all use of animals for food, or allowing them legal standing to file lawsuits.

Compassion for animals is cool, but this is an anti-human philosophy taken to the extreme, and it's is on a par with the philosophies of all the worst villains in history. I'm frankly ashamed that Glaser got 20 bucks of my money, but that was a choice I made. But I thought long and hard before I bought.

Re:I miss Progressive Networks...

Your forgot:
5) ???
6) Profit

Re:I miss Progressive Networks...

[hendridm]

> I can provide as much fake information as Yahoo asks for, as well.

Instead of abusing free services, why not use some free throw-away e-mail addresses. It's precisely what the service was designed for, and it's free, easy to use, and works well.

Re:I miss Progressive Networks...

[CPlusPlusOwnsYou]

I'm sorry but Real Networks has always been shoddy. Anyone ever use their download manager? Its just as bad as RealPlayer.

Re:I miss Progressive Networks...

[pla]

You lie to protect your privacy, yet verbally abuse those who take their own privacy seriously and dislike lying?

Search for some of my older posts... I consider myself one of "you privacy freaks", taking rather drastic measures to keep my personal data out of the hands of our corporate masters.

Apparently, my intended humor did not come across very well, despite the glaring contradiction between going so far as to lie to Yahoo so I can lie to Real, and then mockingly chiding people who value their privacy.

My apologies. Smile.

Re:I miss Progressive Networks...

[Rangsk]

Why lie to yahoo when Mailinator doesn't care?

Re:I miss Progressive Networks...

[jez9999]

If there are these talented people at Real, why don't they do and work for Winamp? I'd say it could do with some extra staff, and the rather minimal team there have come up with a pretty kickass streaming audio and video client in Winamp 5.01 as it is.

Re:I miss Progressive Networks...

i don't like realplayer, but MAYBE they are doing all the 'bad' things you mentioned bacause they make money?

i don't know what the financial status of the company is, but they are a company. they are their to make money.

Re:I miss Progressive Networks...

[per11]

Or he could make the program not spam your e-mail address regardless of whether you bother to un-check the boxes.

Re:I miss Progressive Networks...

[nyseal]

'Real is the only place you gan get certain major sports and news content'. Hmmm, so how have I lived so far without them and STILL be up to date....must be other venues of information exchange; I guess.

Re:I miss Progressive Networks...

[LostCluster]

Nah, it's just that you don't care about listening to live out-of-town radio coverage of NFL or MLB games. They're not the exclusive providers of the facts the programs relay, but they are the exclusive providers of the specific programs.

Instructions

[DarkHelmet]

Here are some nice instructions on how to deal with Real Player's security flaws:

1. Click Start, go to Control Panel
2. Click Add / Remove Programs
3. Find the program entitled RealPlayer, and uninstall it
4. Run Adaware to make sure any spyware they might have installed is no longer on your machine
5. Convince people to Use better alternatives

I still hate RealPlyaer. Any sort of file format that requires me to install the company's software to use I will eternally hate, regardless of who it is. I hate Real, and I hate Quicktime. I'd ask that they both die a slow miserable death, but I honestly want them both out of the way so that more open standards will take their place faster.

Re:Instructions

[LostCluster]

Right now, RealPlayer is a program you use when you half to. For open standards, there's a better program out there, but there is a lot of content out there that is only available if you pay for it through RealNetworks, and then you can only watch it if you use one of Real's products.

If you want to get the web access to major sports or news content that used to be free, you need Real's products and have no way around it...

Re:Instructions

Yeah, I try to apply that philosophy to life as well. You can't buy a Toyota and get genuine Toyota parts for it without going through the company. Screw that! I made a soapbox derby racer with ingenuine "Towota" parts (I stenciled the name with a pencil).

And DirecTV? They want you to pay for their service to use their hardware. What the hell?!? Instead, I've made a modified "super-rabbit ears" device out of old Pringle cans and tin foil. I don't get any cable, but I get UHF really REALLY well.

Gee, I guess sticking with open standards is harder than I thought........

Re:Instructions

[MoonFog]

For some time RealPlayer was the only "free" plug-in to support SMIL. Fortunately, we now have Ambulant.

There are still, like you mentioned, several places which offer .rm formats to view their contents. Annoying, but then again, it appears only Quicktime and WMV are the alternatives.

Re:Instructions

[Kris_J]

All streaming media companies have been spoilt by broadband -- thusly, in areas with poor broadband take-up rates streaming media is all but abandoned.

Re:Instructions

[mesach]

I just had absolutely no clue that people shared my thoughts on such matters...

I too would like a slow painful death for Real, but I want them gone and not used as soon as possible.

Not that I listen to them but I was overjoyed when I heard that click and clack(I dont listen so I don't know how to spell it) had dropped the real audio format for thier show archiving.

I wish more people would take a cue from this and drop it at least in favor of WMA(it may suck but I can play it on winamp). Something, anything but real, oh yeah and QT too.

Re:Instructions

[CoolMoDee]

We have three "standards" out there. Real, WMV, and Quicktime. The first one sucks like you said because of the software, but they support* odd platforms (Linux/PPC/Alpha). The second is very closed like the first, but is that of a convicted monopoly, and is generally full of drm, and only supports Windows/Mac. The third is mpeg-4 based (an open standard), "requires" their software on Windows, but shold be playable in MPlayer, it also works very well on non-supported platforms (linux). If Quicktime died, then we would be left with Spyware or DRM, neither of which sound like much fun. It would be cool if people would use shoutcast or icecast, but chances are that won't happen because lack of support

Re:Instructions

RealPlayer is a program you use when you half to.

I wouldn't even use it if I third to.

Re:Instructions

[inode_buddha]

FWIW, I play *all* those with mplayer in moz. Or just save them to a file and play later.

Re:Instructions

[myrdred]

Ack, it's people like you who give WMP its monopoly. People like you on whom Microsoft depends to use all the bundled software, since you are unwilling to download any alternatives!

Re:Instructions

Shouldn't anti-virus programs be updated to automatically remove any RealMedia products for you? I do think they meet every definition of a virus.

Re:Instructions

The English language promotes dyslexia, and obviously you relish this fact.

Re:Instructions

[dbCooper0]

I hate Real, and I hate Quicktime. I'd ask that they both die a slow miserable death, but I honestly want them both out of the way so that more open standards will take their place faster.

I Agree wholeheartedly. I had to install from an old copy of RP8 just to watch video from washingtonpost.com because of the inability of RP10 to install properly on my box. I consider myself lucky to have found the install file on another box in my office. They and QT both suck, but they are necessary evils to get the multimedia off the web that most of us have become accustomed to.

To QT's credit, at least it doesn't default to hijack all my extensions to run with it, but it's still slow, annoying, and pisses me off. For AVI files, I've found that Crystal Player works best on my old, crusty PII machine, where MS's player as well as the Divx player are worthless as of the codecs v.4 and up.

Screw real, but I still want my news videos (who watches TV, and if so, why?).

Re:Instructions

[DarkHelmet]

since you are unwilling to download any alternatives

Like winamp?

Re:Instructions

There's always plain .mpg. Always works.

After that there's divx/xvid encoded avi's trailing behind .mov and .wmv

Re:Instructions

[Mr+Guy]

Not dyslexia, wrong.

Acceptable: use when you have to.

Better: use when forced. (Dangling participle and all)

Re:Instructions

[gnu-generation-one]

Any chance of a bootable operating-system distro with Internet Explorer and RealPlayer installed? You're right, we all need to use these pieces of crap occasionally, even for supposedly noncommercial sites like the BBC. But there's no way we're installing RealPlayer on any computer we intend to continue using afterwards..

Re:Instructions

[zebs]

Screw real, but I still want my news videos (who watches TV, and if so, why?)

Hmmm

Better picture quality

No bandwidth problems

My sofas more comfortable than my computer chair

My TV is bigger than my monitor

No adverts (BBC)

No DRM

No privacy concerns

etc... etc...

Re:Instructions

[Dun+Malg]

The English language promotes dyslexia, and obviously you relish this fact.

Do you know what dyslexia is? Using "half" instead of "have" isn't it. That's better described as "illiteracy". It is, however, an excusable error for a non-native speaker of english, since the two words veer confusingly close to one another in casual spoken usage. I don't know if the original poster learned english as a second language, but I certainly hope so.

Re:Instructions

[VikingBerserker]

I wouldn't even use it if I third to.

And it shall get no quarter from me!

Re:Instructions

[DavidBrown]

Ack, it's people like you who give WMP its monopoly. People like you on whom Microsoft depends to use all the bundled software, since you are unwilling to download any alternatives!

I agree with you, but so what? Aside from the allegely evil DRM scheme that I haven't even noticed on anything I've ever used MediaPlayer for, I can't see anything wrong with it. Yes, it's bundled, but why should I have to pay for something that ought to come with the operating system? Sure, it may be a monolopy, but it's a reasonably priced monopoly, and it does what I want it to do. Mind you, I'm also using iTunes, because that's what works with my iPod. I'm using iTunes because iTunes/iPod gives me something I'm willing to pay for. If Real Networks made something I'm willing to pay for (and that damn blinking teardrop in my system tray ain't it), then I may be willing to buy it from them.

I'll give you an example: Adobe Reader. It's free, and I use it and like it because I can download tax forms from the IRS anytime I want them. Only now, my office is going to buy Adobe Acrobat because it gives us functionality that we are willing to pay for, including filing in forms and saving them - saving us work, time, and money.

Realplayer to me is a feeware/nagware alternative to a free product that isn't nearly as annoying. Sure, I'm paying the M$ tax, but I'd be doing that anyway because XP is a product that works well enough for whatever we want to use it for.

Re:Instructions

So, anyone know if there is something like Ambulant that is safe to use on a production machine?

Re:Instructions

obviously you relish this fact.

Nah, I was never much for relish; I'm more of a mustard guy myself.

Re:Instructions

[abischof]

For those looking for mplayer on Windows, you can get Media Player Classic here. I've just tested it on RealAudio files (from Marketplace) and it works fine :).

Re:Instructions

[JoAnywhere]

I have to agree with your points 1 - 5 (and I was in fact considering posting the same facetious remark), but your statements afterwards baffled me somewhat.

Any sort of file format that requires me to install the company's software to use I will eternally hate, regardless of who it is. I hate Real, and I hate Quicktime.

Does that mean you also hate PDF? MP3? or any other format of data that requires software to view it? or is it only proprietry software you are railing against? If its the proprietry argument you are making then I can understand your point, but at the end of the day, pretty much all data requires some kind of software to view it.

Re:Instructions

[nyseal]

'half to'? Oh jeez....anyway, ALL information eventually moprphs it's way into another format...it just not may be in the format that you want or need within an hour. I can wait that long to not use Real.

Re:Instructions

[nyseal]

I agree, but .rm formats are never REALLY compatible; even with themselves.....how many times have you been told that the current 'version' of RealPlayer (although what you have as .rm compatible and what you're trying to d/l isn't...and you're forced to upgrade) can't play becuse you need to go to their website? What a joke. I gave up on that a long time ago.

Re:Instructions

[damiam]

Any sort of file format that requires me to install the company's software to use I will eternally hate, regardless of who it is. I hate Real, and I hate Quicktime.

Quicktime files can be played with any compliant MPEG4 player (mplayer, for example).

The fine print

"we cannot guarantee and do not warrant that the operation of any RealNetworks product will be error-free, uninterrupted or secure."

Thanks, I needed that.

Re:The fine print

[Bobdoer]

Well, you already knew that they were evil before you read the fine print...

Re:The fine print

"we reserve our right, however, to install backdoors which will allow us to execute arbitary code on any system running RealNetworks(TM) products, and we reserve our right to deny knwoledge of its existance when this is discovered. We cannot guarantee that these backdoors will not be used by "random free-p0rn sites" and we will deny any relation with them. Thank you and have a nice day. Be sure to use RealNetworks products because RealPlayer is free and there are random p0rn sites out there that require real player to view the content".

Thanks, I needed that. Now I feel much better.

This is why...

[Lifewish]

I never install RealPlayer. Anyone who puts that much malware in their program obviously doesn't have their heart in it.

Re:This is why...

[FashionNugget]

I've been hearing this for a while now about realplayer, but haven't found any conclusive evidence. What exactly are they bundling together? And while we're at it, how effective is ad-aware at detecting and fully removing all of it?

(Can you tell? I'm extremely tempted to install realplayer, just to be able to listen to BBC worldservice broadcasts-- even though I know it'll slow my computer down, violate my privacy, and open my computer up to attacks...)

Re:This is why...

[16K+Ram+Pack]

The BBC now have a download version that doesn't have any of the annoying ad crap

Great, Just %$*# Great!

[l0ungeb0y]

Now if email virii wasn't my only worry, now I can't even trust my daily dose of porn!

What's the world coming too?
YAAAAAAaaaaaarrrrgh!!!!

Re:Great, Just %$*# Great!

YAAAAAAaaaaaarrrrgh!!!!

Is that you, Howard Dean?

So the exploit would go something like...

[Spazholio]

"LOLOLOLO!!!!11 j00 h4v3 b33n HAC....buffering.....buffering....buffering...."

Re:So the exploit would go something like...

[wik]

.... it's a new form of buffer underflow attack.

Re:So the exploit would go something like...

[Hes+Nikke]

good thing i use BurnProof(TM) on my DVD+/-RW drive :D

(whats with /. parsing cool characters into 3 or 4 ascii char strings?!)

Re:So the exploit would go something like...

And this is +5 funny?

Re:So the exploit would go something like...

That might have been funny if I wasn't forced to find the punch line among severl likes of cheesy sig.

Re:So the exploit would go something like...

Just disable the .sigs and they'll never bother you again, unless a particular someone hawking physics tutoring and London weblogs irritates you.

Real alternative?

Does we know if "Real Alternative" player is compatible with these vulnerabilities? :)

Shades of MS?

[Ignorant+Aardvark]

From the Real Player Knowledge Base:

To prevent maliciously formatted video streams from providing a backdoor into your system, type the video stream by hand and verify that it contains no malicious code.

I love the disclaimer...

[HermesHuang]

Warranty: While RealNetworks endeavors to provide you with the highest quality products and services, we cannot guarantee and do not warrant that the operation of any RealNetworks product will be error-free, uninterrupted or secure. See your original license agreement for details of our limited warranty or warranty disclaimer.

Essentially, we don't guarantee our product works, but you should still pay us for it. Seems to be the philosophy of many software companies...

Re:I love the disclaimer...

Warranty: While RealNetworks endeavors to provide you with the highest quality products and services, we cannot guarantee and do not warrant that the operation of any RealNetworks product will be error-free, uninterrupted or secure. See your original license agreement for details of our limited warranty or warranty disclaimer.

Some cheap bastard from Real Networks must have been digging around in Microsofts trash and found a rough draft of their policy.

Re:I love the disclaimer...

[rokzy]

>Essentially, we don't guarantee our product works, but you should still pay us for it. Seems to be the philosophy of many software companies...

and that's one of the reasons why they don't deserve to have their products protected by patents (even if software patents weren't a horrible idea anyway)

at least "real" products are covered by the Sale of Goods Act (UK) etc. to guarantee a certain level of quality - you give a little, you get a little.

take responsibility or fuck off.

Re:I love the disclaimer...

There are no warranties for software covered by the GPL either:

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW

Can you imagine an auto manufacturer taking responsibility if you blow out a tire on one of the cars they made? No.

So why should software be any different? The claims above (uninterrupted service, etc) could very easily be caused by network conjestion, or even something as stupid as the network plug falling out the back of the computer. A reasonably good effort is all that they can do - because it would be prohibitively expensive to make, test, deploy and use otherwise. Software would be a lot more reliable if the user had to go through a 30-point checklist before they were allowed to touch their computer (as they often do with critical applications - medical equipment, space navigation, powerplants, etc), but that would just be stupid and unusable for consumers.

I don't like RealPlayer either, but you don't have to buy their software if you don't want to.

Re:I love the disclaimer...

[rokzy]

a car must by law be fit to drive.

software licenses say that the software isn't guaranteed to be fit for anything at all, not even the purpose it's advertised for.

Re:I love the disclaimer...

[spongman]

Yeah, and 75% of the cost of kid's football helmets goes toward insurance. If the same thing happened to software then expect the price of software tripple, and see free software disappear when people realise thay may be liable in court for bugs they release.

Re:I love the disclaimer...

[rokzy]

>see free software disappear

B.S.

it's okay for free software to be provided "as-is" without guarantee.

it's a completely different story when commercial software is advertised and sold for a specific purpose but then says in the mandatory agreement that you mustn't have any expectations that it works at all.

Re:I love the disclaimer...

[linoleo]

Essentially, we don't guarantee our product works, but you should still pay us for it. Seems to be the philosophy of many software companies...

Indeed. I'm going to have a disclaimer printed on the back of my checks:

NOTE: While I endeavor to provide you with payment for your products and services, I cannot guarantee and do not warrant that any of my checks will clear promptly, or indeed at all. See my credit history for details of my limited ability to pay for purchases.

- nic

Re:I love the disclaimer...

[TomatoMan]

Right. For free software a "this might not work" warranty is fine. For something you're PAYING for, it damn well better work, and the customer better have some recourse if it doesn't. Imagine going to Staples for a new phone (say) and finding a bit of tiny-print legalese saying that the phone might not work, and it sucks to be you if it doesn't.

Nobody can guarantee that their software is bug-free, but if it turns out to have bugs (defects), the manufacturer should either make a clear, genuine and kick-ass effort to solve it double-quick, or offer a refund within a warranty period like any other manufacturer on earth.

Some programmers/companies aren't good enough to do that? Then they shouldn't be selling software.

Are all RealPlayer versions affected?

[Debian+Troll's+Best]

Often these types of vulnerabilities only affect one platform (and usually Windows), but does anyone know which platforms are affected by this new exploit? Mac OS X and Linux too? Does it make any difference if I used apt-get to install the RealPlayer binary instead of the Real packaged one? I'm in the middle of sealing off RealPlatyer ports on all our organization's firewalls at the moment, but a lot of them are running OpenBSD and we're having trouble keeping them up long enough to edit the firewall config files.

Re:Are all RealPlayer versions affected?

The same versions of RealPlayer and RealOne that are vulnerable in Windows are also vulnerable in Lunix. Your best bet is to update your version of RealPlayer or switch to mplayer, which doesn't have known vulnerabilities of this sort.

Re:Are all RealPlayer versions affected?

hahaahahahahaha

1 0 1 0 1 0 1 0 1 0 1

15 seconds yet?

helllllo?

Re:Are all RealPlayer versions affected?

[LostCluster]

It seems like this mistake is in some low-level C library involved in the Real codecs, since it's been there ever since RealPlayer 8 and nearly every release after that point. I wonder if that means Helix inherited the bug as well...

Re:Are all RealPlayer versions affected?

[radon28]

Troll, but I'll play along.

From the second link, of all places:

"Exploit 1" affects RealOne Player, RealOne Player v2 for Windows only (all languages), RealPlayer 10 Beta (English only) and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, standalone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager).

"Exploit 2" affects RealOne Player, RealOne Player v2 (all language versions, all platforms), and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, standalone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager).

"Exploit 3" affects RealOne Player and RealPlayer 8 (all language versions).

Re:Are all RealPlayer versions affected?

[andy55]

Based on the info available, it's a "lazy programmer" flaw (to borrow a previous poster's words). This is to say that a buf overflow (or something of the like) happens such that you can place an arbitrary sequence of bytes on the stack. When those bytes are executed, however, they'd of course have to be native instructions for the given CPU, meaning that the attacker would have had to create he executable sequence for a specific platform.

So, in nature, the flaws like these are cross-platform (ie, Mac OS X would be vulnerable), but at the end of the day it's super super unlikely to see someone exploit this flaw on a platform other than windows (on an x86). Otherwise, it would require a guy to be malicious, motivated, have a lot of time on his hands, *and* know the ppc instruction set and mac os x runtime architecture like the back of his hand.

Re:Are all RealPlayer versions affected?

Doesn't MPlayer use the same vulnerable Real codecs?

Re:Are all RealPlayer versions affected?

[Jeremy+Erwin]

And yet the only bugfix offered is for the "Windows version." I'm guessing that "Please contact your Platinum representative or RealNetworks Customer Support for an update." is some sort of secret code for "pony up more dough, or we'll hose your system."

Re:Are all RealPlayer versions affected?

[neko9]

yes but for download is only updates for Windows Players and RealPlayer Enterprise Solution... and i'm using Helix Player on Linux so maybe i'm safe...

Re:Are all RealPlayer versions affected?

[Ciderx]

well, good luck with Real Player and firewalls. From my experience, it doesn't matter what your system settings, Real Player goes off and do its own thing. Its a ROYAL pain in the backside and I am doing everything in my power to have my organisation (a University) to drop it...

Yet another reason to not use it, and use this...

[saskboy]

Real Alternative in Media Player Classic. The version I use on XP has some flaws, but it is better than nothing, and I hope doesn't have the same flaws as the REAL Real Player?

List of vuln [buffering]

[QEDog]

The specific [buffering] were:
Exploit 1: To operate remote [buffering] from the domain of the [buffering] opened by a [buffering] file or other file.
Exploit 2: To fashion [buffering] which allow an attacker to on a user's [buffering]
Exploit 3: To fashion [buffering] create Buffer Overrun errors.

Re:List of vuln [buffering]

FYI, they own the visual definition of that term now. :)

Helix?

[ewhac]

So, where can I download a Windows binary of the Open Source Helix player?

Schwab

Re:Helix?

[LostCluster]

I'm not sure if that's any solution. Helix may have inherited this bug when it was started from a subset of the RealPlayer code. Many of the affected versions of Real products bear a "Powered by Helix" marking...

Re:Helix?

[Sloppy]

What are your thoughts?

Well, they gave money to Xiph so they can't be too bad.

Re:Helix?

[elaineg]

Regardless of your feelings about Real, everyone interested in digital media is encouraged to check out the Helix Community. Linux users can check out the latest codecs, RealAudio 10 and RealVideo 10 (+ Ogg and other great codecs) in the Helix Player for Linux. Note, we're migrating the site to an open-source platform running GForge, so it's read-only for the next few days. Thanks in advance for checking it out. --Elaine (on behalf of the Helix Community)

Re:Helix?

[elaineg]

I'm working on finding out if the Helix DNA Client &/or the Helix player are affected or not. In the meantime you can always check out the IRC channel... Server: irc.helixcommunity.org - Port: 6667 - Channel: #helix --Elaine (on behalf of the Helix Community)

Re:Helix?

[loconet]

I am glad a project like this has started. There is a big need for open standards in digital media. Thank you

Re:Helix?

[elaineg]

Hi again - I just confirmed w/Real's tech leads that the vulns do *not* affect either the Helix DNA Client or the Helix Player. --Elaine (on behalf of the Helix Community)

Re:Helix?

[inode_buddha]

Thanks - I'm not surprised really (no pun intended). I was relying on the idea that "Many eyes make all bugs shallow", and also on the traditional *NIX permissions. I've yet to figure out how to build it all properly from CVS. It's a bit strange to admit that, since I'm so used to just getting a big tarball and doing "configure, make, make install" etc. Thanks for confirming it all tho. FWIW I run ok behind my home-made firewall on Fedora (with updates and hacks) and use Helix/Real to watch the TechNet Cast videos of LinuxWorld keynote speeches, etc. if the Helix/Real community is interested in knowing that.

Affects real player alternative too?

[rritterson]

I'm not a programmer, so I have a question for those of you who are.

Would these same sorts of vulner's apply to Real Alternative too, or does the active X wrapper prevent the hack?

Re:Affects real player alternative too?

[MoonFog]

The flaws, found by U.K.-based Next-Generation Security Software, can affect RealNetworks' RealOne Player, RealOne Player version 2, RealPlayer 8, RealPlayer 10 Beta, and the company's RealOne Enterprise products. To exploit them, an attacker crafts the data in a media file in a certain way. When people play or stream the corrupted file in a vulnerable version of RealPlayer, the attacker's code will run, compromising the PC.
The vulnerabilities are in the player, not the codec it seems.

Re:Affects real player alternative too?

[LostCluster]

An ActiveX wrapper in its base defintion offers no protection from this kind of flaw... in simplistic terms, ActiveX is a standard by which a controling program links up to other pre-programed objects which exist either inside a .dll file, or posibly even inside a free-standing .exe file that could possibly be run on its own... if the underlying object contains a flaw, then every other program that refers to that object will end up inheriting that flaw in the same situations, it'll be the same code making that same mistake actually running.

However, since Real Alternative is a reverse-engineered program, it's highly doubtful that they failed to check the same buffer that Real failed to check, so it's unlikely they have the same flaw in their code. If the Alternative has the same bug, then it starts to be likely they stole the code... let's hope we don't have to go there.

Type THAT!

[LostCluster]

From the Real Player Knowledge Base:

To prevent maliciously formatted video streams from providing a backdoor into your system, type the video stream by hand and verify that it contains no malicious code.

Anybody out there who can type at 128 kbps?

Re:Type THAT!

[McGarnacle]

Anybody out there who can type at 128 kbps?

Yes, but not without a good deal of ...buffering... going on.

Everytime a Real story shows up on slashdot, I'm tempted to post this. Looks like I couldn't resist!

I never noticed any corruption in the stream

[morelife]

I still haven't gotten past configuring my message center options in Real Player. Boxes keep popping up. I've bought the full version three times now. What's wrong?

Re:I never noticed any corruption in the stream

I've bought the full version three times now.

Surely you jest.

Re:I never noticed any corruption in the stream

You haven't signed up your home, work and pleasure email address to their "helpful options newsletter".

Then you must buy it two more times, execute a extra special move on the keyboard, and then click on all the adverts at least twice.

That activates the beginning of the introduction of the start of being ready to play something on real player!

So as you can see, very user-friendly.

Re:I never noticed any corruption in the stream

[LostCluster]

Nope. Those of us who bought the red box with a screaming man on the cover back in the late 90s paid $30 or so for it... and got RealAudio Plus 3.0. However, when the 4 version of RealAudio came out, most of the "Plus" features we had paid for got moved into the new free version, and a new set of "Plus" features would be ours if we paid again. Real had a rinse, wash, repeat routine going with that...

Now, if you want the present "Plus" feature set, you have to subscribe to GoldPass and pay for it every month...

Re:I never noticed any corruption in the stream

Boxes keep popping up. I've bought the full version three times now. What's wrong?

It's just The Farnsworth Parabox problem. Nothing to worry about.

Re:I never noticed any corruption in the stream

[nyseal]

The problem is...you bought it three times....

Another one...;)

[jigyasubalak]

Your band is so bad that playing it on Real Player spawns virii

Re:Another one...;)

Problem #1 = That was not comical.
Problem #2 = That was not original.
Problem #3 = THERE IS NO SUCH WORD AS "VIRII". IT'S "VIRUSES", IDIOT.

Re:Another one...;)

[TechniMyoko]

Actually Virii is the correct plural form of virus. No need to go berserk over a typo anyway.

Re:Another one...;)

[geoffspear]

No, it isn't. I suggest you buy a dictionary. Even following Latin pluralization rules, it would be "viri", not "virii".

Re:Another one...;)

What, are you saying I can't get virii on my boxen?

Re:Another one...;)

[TechniMyoko]

I checked, virii does appear to be the correct spelling Exampl1 Example 2 Example 3 Example 4

However, despite those examples, there is also Counter-proof Those going to show how useless the internet is as an information resource

Re:Another one...;)

[geoffspear]

Your proof that it's the correct spelling is that other wankers somewhere also misspell it the same way?

I suppose "nite" is the correct spelling, rather than "night", as well. I can provide references.

Re:Another one...;)

[TechniMyoko]

I was saying my proof didnt count as proof

Conspiracy

here's an idea.

say you have just written a nice little piece of "value-adding" code, say you work at Real, say your boss likes it and would like for every Real customer to have it.

Both of you would know that a person like me keeps Real Player on my computer only for those "must have real" moments and want nothing further to do with Real.

Well, well, well, how can they get me to "upgrade" to their new "spyware" (tin foil here)? That's right - hire a 3rd party to "find" very, very nasty bugs...then claim to have THE SOLUTION!!!! Get the NEW version....with the crapware!!!
br.horyryaryyaryaryyy!!!

oops--correction

That was supposed to be first _post_, not port! sorry about that. too much BSD on the brain. can't wait till we upgrade those damn servers to Linux next week!

here's the patch

1. Uninstall realplayer
2. Get Mediaplayerclassic

No big loss...

[Cyno01]

All the good shits in DivX nowadays, the porn people are really up on the latest and greatest, most are already using DivX 5 standard.

Re:No big loss...

Damn I'm missing out.

Got any links?

Re:No big loss...

Use the P2P netowrks, Kazaa, Gnutella, eMule, etc. Or try http://empornium.us for bittorrent porn....

Owned by jpop

[ce25254]

All your bass are belong to us!

(sorry)

The thing is...

[teamhasnoi]

in order to execute the exploits, you first have to click on thirty-seven checkboxes hidden in a Tibetian monestary.

Then you must send 34 seconds of a certain portion of the movie 'Deliverance' over a period of 22 minutes.

These two things must be accomplished while repeatedly hitting 'alt-f4' on your keyboard, and screaming, "Damn you Real Player! Damn you to Hell!' like a woman.

Of course, if you reboot you'll have to start all over again, after a slight delay.

Um, a longer delay.

Ok, you get one shot at this, I guess. At least the exploit is consistent with their user interface.

Re:The thing is...

[Shut+the+fuck+up!]

You forgot one important step: You must first attempt to to connect to ports 1026, 1027, 1029, 1034, 1026, 1044 and 1035 in that sequence within 5 seconds.

Re:The thing is...

[superyooser]

These two things must be accomplished while repeatedly hitting 'alt-f4' on your keyboard, and screaming, "Damn you Real Player! Damn you to Hell!' like a woman.

That's not an exploit. That's an easter egg.

Does this even matter?

[neomage86]

Seriously, when was the last time anyone really used realplayer? Its almost impossible to find the free version of their software on the website, so there market share dropped tremondously. Furthermore, their software is so bloated and resource hungry, that their software is all but useless. Admittadly, 5 years ago it was cool, but now there are several better alternatives, especially with the advent of winamp 5.

Re:Does this even matter?

[Joe+Tie.]

Four or five hours ago. I havn't used it for music in ages, but the majority of the talk radio shows I listen to are only broadcast on the internet via real's stuff.

Re:Does this even matter?

I used it all last year to access NASCAR.com video, and just used it Friday morning/afternoon to watch NASCAR's Media Day for 3 hours.

Re:Does this even matter?

[Moraelin]

Well, that's what I was thinking when I read about it. "Gee, it'll affect all the 5 people who still use RealPlayer."

Not on OS X?

[ce25254]

It appears from the press release on RealNetworks' site that the vulnerability does not affect the Mac OS X version.

Hm, once again, nothing to worry about.

Re:Not on OS X?

It is very unclear whether or not this affects OS X versions or not. The comment on Real's site says two of the exploits affect all platforms, but there's no link to a fix for the OS X version.

What combination of the following does this mean:
a) The OS X version isn't affected?
b) The OS X version is affected, but Real hasn't released a fix?
c) That Real's comment is incomplete?
d) No one knows?

So they want you to get the new version?

[enosys]

It seems there are no fixes for old versions and you have to get the latest one. This sucks. I hate getting new RealPlayer versions because you always have to wonder what crap they've added in the next version.

Has anybody tried Real Alternative?

Re:So they want you to get the new version?

The best way to run RealPlayer (and other spyware-ish software) is with Kerio or another decent firewall. Realplayer tries to phone home a lot. Check every IP address it tries to connect to - if it is trying to phone home, block that IP permanently for RealPlayer. There's only a few that you need to block, in 207.188.24.*

After a while, you won't have to worry about realplayer spying on you...

Re:So they want you to get the new version?

RealPlayer 10 and Helix (Real's open-source player) are both spyware-free.

Re:So they want you to get the new version?

[superyooser]

What are you talking about? They have an exhaustive Legacy Software Archive that goes all the way back to 16-bit versions for Windows 3.1 and OS/2.

Re:So they want you to get the new version?

[gl4ss]

yeah but what good is legacy software archive of UNPATCHED products?

Hmm

[Niacin]

..and in other news, Real Player now hijacking PC's with a new vulner.....

What about Real Alternative?

[e40]

I would imagine that it is not affected... perhaps this is a good time to plug it. Get it from here. Just Media Player Classic is also available.

Re:What about Real Alternative?

[TiggsPanther]

Actually, I want to know if anyone knows yet if the exploits affect RealAlternative or not.
Won't stop me using it, though. 'Cos at least I can stop it from misbehabing and actually deinstall the damn thing if I need to. I don't trust RealOne to even get the latter right.

Tiggs

Re:What about Real Alternative?

[moonbender]

I don't know about Real Alternative, but I imagine it works similar to MPC in that it uses the original DLLs provided by Real Inc. to display the media content. So if there's a bug/security flaw in those DLLs, it might well translate to a vulnerability in MPC and other programs utilising the Real codecs.

POS Software

[ToadMan8]

I'm sorry but there is simply nothing good about this piece of software. It's sucked since version one and sucks progressively more as time goes on. As a matter of fact Microsoft's wmv and wma kicks the shit out of it and that's saying something.

I installed "V10" today and unchecked EVERYTHING about internet connections, update checkers, shortcuts, file associations etc and the damn thing still did it anyway. I eventually copied it to my gentoo box and mplayer handled it fine besides not being able to queue or fast forward. God I HATE RM shit. Gaa!

heheh, good work

you just got another mod point. you be up to +5 Interesting by the time I'm done posting this. I bow before your leet trolling skills.

Helix?

[inode_buddha]

I didn't see any vulns mentioned for the linux Helix client, tho IIRC there's plenty of RP8 and G2 installs. I don't imagine that Helix would be any more vulnerable than RealOne if they have that much in common, and it'd still be restricted to my user and home dir (linux). Ideas?

*coughIEcough*

[FreemanPatrickHenry]

RealNetworks: We won't, you see, patch the product. But we have the next best thing! All you need to do is not click on or load any malicious software!

Oh, wait...

My predicament...

[x] I'd uninstall Realplayer, but [insert choice pr0n site] still streams its content with it and I can't be without it.

Possible Solution: If we can get the pr0n industry to take an interest in OSS, then Linux on the desktop would excel!

Re:My predicament...

[CaptnMArk]

It would finally be usable without the mouse, because the right hand would be unavailable.

What about the free OS X player?

[Selecter]

I didnt see anything about the free OS X version from a quick scan of the threads. BTW, the player on OS X is not nearly as bad as the Windows player. It doesnt hijack anything nor install spyware. It stays away until it's called upon. They still littler the desktop with little rm icons though - they should auto clean that shit when the file is done playing....

Release bug info to public = go to jail

I hope we do plan to do what's right and throw the discovery team in jail.

wow

we've got some real winners moderating tonight. this gets modded as flamebait while the debian troll gets a +5 Interesting (should've been modded Funny) score posting about how all his openbsd boxes are crashing. ah well, I haven't M2'd in a while so it's as much my fault as anyone else's.

Here's a complete fix:

[Futurepower(R)]

For those new to Windows, here's a complete fix for the vulnerabilities and sneakiness of RealPlayer:

Start / Settings / Control Panel / Add or Remove Programs / RealOne / Remove

Re:Here's a complete fix:

[NotQuiteReal]

If only it were that easy to get rid of this POS.

Last time I had to eradicate Real Player [from one of my kid's machines] I had to get Ad-Aware to help, and reboot several times...

heh.

Re:Here's a complete fix:

[Caseyscrib]

For those new to Windows, here's a complete fix for the vulnerabilities...

try format C:

Re:Here's a complete fix:

Except when I tried it this morning they've deliberately broken the uninstall. I'm in for some registry hacking to excise this heap of shit ;(

Re:Damn Windows!

What's SSH have to do with Linux??? If you're talking something about OpenSSH and Linux being insecure (I assume RedHat of course), it's not the Linux folks that have made it... It's OpenSSH and OpenBSD, that have also "ported" it to Linux.

If you don't like Linux or SSH, go back to windows and use telnet.

Re:Instructions -- Alternative Codecs

[X-os]

Someone's bound to point this out, might as well be me.

There has been significant development on "alternative codec" to both Real and Quicktime. Google for "Real alternative" or "Quicktime alternative" to find the codecs. They can also be downloaded in a "bundle" of sorts from here : http://www.k-litecodecpack.com/

I've used the quicktime one with Media Player Classic and have been very happy with it.

I kind of despise Real player, and rarely find any good content that uses it, so I haven't actually wasted time downloading the replacement codec, but I'd be willing to bet it works fine.

Re:Damn Windows!

FYI, you can get ssh programs for linux & unix from www.ssh.com as well.

They have some useful features that OpenSSH does not, like being able to use signed certificates instead of plain RSA or DSA keys. Signed certs make it much harder to do a man-in-the-middle attack.

The exploits are not buffer overflows...

cause one though or sure about real player is that its buffers are never full.

Buffering.... 86%

This one is too easy.

[Montreal+Geek]

Be definition if you have any software from RealNetworks on your box, then a malicious attacker is running arbitary code.

Spyware, adware, "helpful" browser adjuncts.

Oh, wait, you mean another malicious attacker!

-- MG

VIRII IS TOO A WORD!!!

And so grrmungle. Because I used it makes it English you ugly grrmungle.

Re:Not on OS X? -- grr...

[andy55]

grr... Not true This is not a OS flaw issue. Sure, this flaw may not *happen* to make their mac os x build vulnerable, but that's only a coincidence when the flaw is in their source code (that causes a buf overflow).

Before you tout your OS as the man, you should know what it deserves credit for and what it doesn't. For the record. My machine is a 17" G4 that I swear by, and I'd fight to the death before using OS as my daily driver.

Buffering...

[arvindn]

Its ironic that one of the vulnerabilities is a buffer overflow.

Realplayer is not a virus!

[stfvon007]

Virii are small and efficent. Realplayer is not.

Re:Realplayer is not a virus!

According to slashdot users I'm funny, insightful, and interesting! So why arn't girls all over me?

Because they're girls, and Slashdot users are guys. On the other hand, gay techies would probably be all over you, if you like that sort of thing.

Real Alternative

[nuntius]

I used it with mixed success. At first, it seemed great. Then something happened and files wouldn't play. When I uninstalled it, RealPlayer wouldn't work -or- uninstall correctly. Finally I found the command-line method of uninstalling RealPlayer (which cleaned up the registry, I think).

After that, I reinstalled RealPlayer and gave up. Although it was cool playing Real files in non-Real players for a while.

I might try RealAlternative again some time.

Fuck Real Player

There are only 2 types of Real Player users:

1) New users who just finished downloading the software and don't hate Real Player yet

2) FUCKING STUPID PEOPLE

Re:Fuck Real Player

[Tarwn]

How about people that just bought a new work machine and have to deal with Real Media pre-installed?

Real is evil

A malicious attacker can execute arbitrary code by offering corrupted RealAudio stream. You mean the Real executives?

The Three Vulnerabilities are....

[Viking5150]

buffering.......buffering.......buffering......

Re:The Three Vulnerabilities are....

[Dr.+Shim]

...bang! j00 b3 h4x3d!!11

Re:Yet another reason to not use it, and use this.

MPC has just repackaged the Real codecs, so they likely have the same flaws.

GSM much better than any Real codec for speech

[gnuman99]

What about the GSM encoding?

libgsm1

This compresses talk stream down to 1.6kB/s (or 13kbits). From their readme file:

GSM 06.10 13 kbit/s RPE/LTP speech compression available
-----------

The Communications and Operating Systems Research Group (KBS) at the
Technische Universitaet Berlin is currently working on a set of
UNIX-based tools for computer-mediated telecooperation that will be
made freely available.

Isn't this much better than some close-source codec? Real probably uses GSM for that 14kbps codec anyway!!

BTW, this codec is excellent for text and even somewhat good for music (though like a bad AM radio in the music area :)
Apple now supports GSM in their player :)

RealNetworks, Releases Update to Address Security.

RealNetworks, Inc. has recently been made aware of security vulnerabilities that could potentially allow an attacker to run arbitrary code on a user's machine.

The specific exploits were:

* Exploit 1: To operate remote Javascript from the domain of the URL opened by a SMIL file or other file.
* Exploit 2: To fashion RMP files which allow an attacker to download and execute arbitrary code on a user's machine.
* Exploit 3: To fashion media files to create "Buffer Overrun" errors.

While we have not received reports of anyone actually being attacked with this exploit, all security vulnerabilities are taken very seriously by RealNetworks. RealNetworks has found and fixed the problem.

Affected Software:

"Exploit 1" affects RealOne Player, RealOne Player v2 for Windows only (all languages), RealPlayer 10 Beta (English only) and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, standalone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager).

"Exploit 2" affects RealOne Player, RealOne Player v2 (all language versions, all platforms), and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, standalone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager).

"Exploit 3" affects RealOne Player and RealPlayer 8 (all language versions).

Workaround:

Dont run our shit.

Your Alternative is ...

[Poligraf]

... Microsoft Monopoly.

The thing is that Real does not have a source of income. Thus, they need to squeeze pennies out of every possible opportunities often not playing nicely (I mean charging for crap, ads and SPAM).

At the same time, every format owner is trying to make his one a default. Not supporting Real means that their "commercial" format will die causing all contents providers switch to .WMV that looks like "the default choice" for many.

It is the repetition of the browser wars.

BTW, I avoid most of their crap by using older version (revision 6.0.6) of the RealPlayer.

Re:Your Alternative is ...

[nyseal]

Good for you...it's nice to see someone on Slashdot that doesn't mind being voluntarily spammed and upgraded to death. KUDO!

Re:Your Alternative is ...

[Poligraf]

Have you heard the word "postini"? ;-)

As for upgrades, this version is not very obtrusive with that. It offers to apgrade only when I start the player, i.e. after reboot. And I don't reboot too often.

Re:Not on OS X? -- grr...

[ce25254]

Hm, I originally from reading their press release, I didn't quite get the picture that this also applied to the OS X version. Now that I re-read the press release, and the other post here, I am still equally confused.

Back in my days

You kids are getting spoiled by your exploits delivered conveniently in a real media stream. Back in my days I had to get up in the morning, at ten o'clock at night, half an hour before I went to bed, eat a lump of cold poison, work twenty-nine hours a day down at the mine and dig out my exploits and pay the mine-owner for permission to come to work, and when we got home, our dad would kill us and dance about on our graves, singing Hallelujah!

Oh, ay. And you try and tell the young people of today that, and they won't believe you.

Re:Back in my days

Dont tell me you had the luxury of eating cold poison. We had 'eat' the exploits that we dug up !

Re:Back in my days

Nope, Nope

Real--ly?

[Genghis9]

It's so surreal, really.

heh heh

YO TUBGIRL LICK YOUR LOLLY

Lameness filter encountered. Post aborted!
Reason: Your comment looks too much like ascii art.

Sorry, but...

[magnum3065]

I think you will have the same vulnerabilities. Media Player Classic simply uses the codecs from Real, so any flaws in the codecs will still be there despite using Media Player Classic. Real Alternative seems interesting though since it lets you install the codecs without having to actually install one of the players. I don't use Windows anymore, but I could use that to get the RealOne crap off my the computers of my family members.

Re:Sorry, but...

[real_smiff]

Real Alternative is a bundle of Media Player Classic + Real codecs. MPC on its own contains only a splitter and still needs the decoder DLLs. I don't believe it even supports streaming. Maybe from this you can deduce whether or not the vulnerabilities are still there. Right now my brain is fried :)

Re:Sorry, but...

Streamed playback goes through more dlls than local file playback for which it has its own demuxer.

Re:Sorry, but...

[magnum3065]

The information on the exploits is rather vauge, but the c|net article says "when people play or stream the corrupted file" so I'm not sure that the exploit is necessarily in the streaming code, it seems like it applies to any playing of Real files.

The Microsoft response

[fireman+sam]

Real Networks have decided to follow Microsoft's lead, and instead of fixing the security flaw (see Microsoft and passwords in http headers) Real Networks have have removed the offending feature.

The next version of Real Player will have the ability of plaing *.rma and *.rmv files removed to protect end users from the evil internet.

All users of Real Player are urged to update their player. An email virus^H^H^H^H^H^H will be sent to every registered user containing a patch to be executed as the Administrator user.

From Boris Badenoff
Real Networks Russia

Re:The Microsoft response

[TrancePhreak]

The next version of emacs will not support the Backspace key, instead a string of "^H^H^H^H^H^H"'s will be inserted.... Oh wait, that's this version.

Re:The Microsoft response

[AndroidCat]

It's not just IE bugs, it's general policy. MyDoom apparently would put bogus entries in hosts to block access to support sites. Microsoft's solution? Delete hosts! (Scroll down to "RECOVERY (UPDATED):".)

This suggests a more general plan for dealing with any Windows problem.

Gah!

[222]

Upgrade my old, yet "safe" version of Realplayer, or risk having my box get owned...
Well, i do backup regularly....

"upgrade to the latest" strategy, no real patching

[MMHere]

Real's approach has always been to have their latest & "greatest" software running on your PC. ("greatest" software is less well tested).

So I run RealPlayer8 Basic when I need to. Their fix is to have me replace it with RealPlayer10 Gold? I don't wanna.

I also don't like having to upgrade to a newer set of local softwares simply because the "file format" has changed. There aren't that many advances in formats/compression over time, and it seems to me that: new formats are released more frequently than necessary, thus "requiring upgrades" to new readers of said formats.

(A) Patch the buggy apps you still support; don't make us install new (less well tested) software so often;

(B) Don't tie the desire to distribute your latest code to [often] unnecessary media format changes.

"I Sam thee to Dayton! (It's worse than Cleveland.)"

Just in case you were thinking about a free trial

[Evets]

I signed up for the real player plus free trial - hoping that the popups and other buy-this-too spamming tactics would end if I forked over a monthly fee.

1) The pop-ups didn't stop. In fact, they increased.
2) Trying to cancel the free trial involves not only going to a web site to cancel, but after you do that you have to call and cancel.
3) To add insult to injury, it takes at least 60 minutes on the phone to cancel your free trial.
4) There is no option on the number they have you dial to cancel your account.
5) If you do manage to successfully navigate their phone menu system, the guy you end up getting on the phone doesn't cancel your account until you listen to him hard sell you and harrass you about cancelling.

I actually would like to have realplayer installed on my machine to take advantage of the occasional cnn or espn clip that is only available on real player, but the fact that they send you endless amounts of spam on top of putting popups all over your desktop to buy their products really makes me avoid this application on principal. I know that there are ways to configure things to reduce these problems, but quite frankly, you can't stop them completely without going through a great amount of effort.

Right about the Spam

[zoney_ie]

Real networks have in the passed on customer details (email address at least) to third parties in the past. I've seen them caught out when a form of email address "real@mydomain.com" was used - where this will reach the mail administrator at "mydomain.com". You guessed it, after using the address on real networks site, suddenly spam starts being sent, addressed to real@mydomain.com

Someone could try this trick again if you have their own mailserver - see if they're still at it.

Re:Right about the Spam

[BobTheLawyer]

are you sure that couldn't have been a dictionary attack?

Does we know ?

Do we know seems to be better... :-)

Re:Does we know ?

Yes, it does. It went from "does anyone" to "does we" with the lazy factor involved.

Pssst

Pssst, i don't use Real .. stuf. Si should you!

Grtz,
M

Windows repair: Boot from Mandrake CD.

[Futurepower(R)]

Or, try booting from a Mandrake install CD.

Real Alternative for Mac OS X ?

[malaba]

is Real Alternative running on Mac OS X ?

didn't find it....

thanks

Re:Instructions -- Alternative Codecs

This is not informative, this is misinformation. Real alternative and Quicktime alternative don't give you alternative codecs but alternative players that use the original codecs.

Wrong

Real Alternative is a reverse-engineered program

No, its simply an ActiveX wrapper for the original Real dll's, nothing is reverse engineered

then it starts to be likely they stole the code
from where ?
even Real's pseudo-open-source helixcommunity.net the non important gui crap is open but the codecs (the important bit) are still very much closed source and binary format only, so no stealing code as there is none to steal

so yes Real alternative contains this flaw, but if you want to patch it by installing Real's new player then go right ahead, iam sure they will _love_ for you to install their new "secure" player (along with all its naggging/spyware infestation)

And this is why I never installed RealAudio..

I only play mpegs with mpeg_play, where it's also possible to save the data and review later. RealPlayer can suck my bawls.

Acroreader too. I only use xpdf.

Installing spyware/trojanware/backdoorware (software with vunerabilities for which the company pretends they are unaware of, but some people know them very well), on many systems, is worth much more than selling a couple of packages these days.

Ploy to upgrade?

[madchris]

Granted, the software may be buggy, their "fix" is to upgrade. A market ploy comes to mind.

Original Advisory

Can be found here:
http://www.nextgenss.com/advisories/realone .txt

Re:Damn Windows!

[Aardpig]

If you don't like Linux or SSH, go back to windows and use telnet.

I was joking. You really are very stupid. As are the idiots who moderated my post as "troll".

Re:Heh

like jay and silent bob said...

fuck real networks, fuck them up their stupid asses!

Re:For serious?

[MrBlint]

So that I can listen to the BBC's massive audio archives. Some of it is now available in Windows Media format but you still can't access most of the site without using Real Player. Real Player may be (is) crap but having to miss out on the BBC's listen again pages would be even more crap.

they need a security hole...

[enrico_suave]

They need a security hole that fixes the ..." buffering... buffering... buffering..."

e

Helix?

[loconet]

Hey question for you guys, I've seen a lot of negative comments about Real, most of which are understandable as I myself until recently refused to install their bloated software.

Anyone familiar with the Helix project (www.helixcommunity.org)?

From the website:


The Helix community is a collaborative effort among Real, independent developers, and leading companies to extend the Helix DNA(TM) platform, the first open multi-format platform for digital media creation, delivery and playback. The Helix DNA platform is comprised of the following:

* Helix DNA Client
* Helix DNA Producer
* Helix DNA Server
* RealAudio and RealVideo codecs


I'm not too familiar with it but is it a step in the right direction for a company that once used to be on the cutting edge of digital media and now is trying to get back in the game? Or is it just another one of their corporate blood sucking tacticts? What are your thoughts?

Re:WHAT WILL TACO DO FOR A GAY PORN MOVIE PLAYER N

ror!

TIMMAH! & COWBOIKNEAL WILL STRIP TEASE FOR HIM

uuuuuunnnnnggggghhhhhhhhhh!!!!!

You know nothing.

[MisterSquid]

I hate Real, and I hate Quicktime. [ . . . ] I honestly want them both out of the way so that more open standards will take their place faster.

Quicktime is a wrapper, not a file format. As such, it supports open standards.

If you're a Windows user...

Download "Real Alternative"..

Get Quicktime Alternative while you're at it.

That's what I was wondering(+)

[Mycroft_514]

Since the only answer to fixing the version 8 bug (the last free version, which I still run on my machines) is to upgrade to the pay for it versions.

Oh, and I can't use Real at work anyway, since it is incompatible with the firewall here.

The only show I really listen to offered Real, WMP, and they were even offering Winamp for a while. Now it is WMP and that's it. Haven't actually used Real for some time. Looks like it is about time to dump their donkey.

Real's solution doesn't fully address the problem!

[Westech]

Real Networks posted the instructions on dealing with security flaws.

A better way to deal with these security flaws (and the bloated piece of crap that is RealPlayer) is to uninstall RealPlayer and download Real Alternative.

Malicious code? Nasty

[Scrameustache]

Watch out, with a hole like that someone could install any malicous code. Trojans, spam machines, even Realplay...what? Oh...nevermind.

Paula Abdul, not Simon makes that show

Am I the only one who sees the irony of Paula Abdul critiquing other people's singing?

Re:For serious?

[stoneystoney]

You could use alternative real player in combination with media player classic http://www.majorgeeks.com/download4094.html ...and free yourself from two bloatware packages in one fell swoop. We love the beeb!

Where's this "popular" RealPlayer?

[Sinistar2k]

I'm aware of "pain in the ass" RealPlayer and RealPlayer "adware for your spyware only", but I haven't seen the "popular" one yet.

And I haven't tired of putting "things" in "quotes", either.

can't find the free player? neither can "car talk"

[aderusha]

from http://cartalk.com/Radio/windowsmedia-switch.html:

Car Talk will now be available via the Windows Media Player, rather than RealMedia. That's right, we're unceremoniously dumping RealMedia.

Why? Because, for a long time, we've had tons of complaints about RealNetworks. And the one that ticks us off the most is the perceived trickery they use to sell their premium products. This is just our opinion, mind you, but it's shared by enough of our listeners, that we finally decided to take action.

Here's the problem. In order to hear our audio, you have to go to Real.com and download their "free" RealPlayer. But when you get to the web site, the free player is harder to find than Osama Bin Laden at night. And the site seems to do everything it possibly can to get you to "buy" a player instead. You have to work very hard to get the free player. And we think that stinks. And get this. It stinks so much that it even makes Microsoft look good by comparison. That's something, huh?

We've heard from many of our fans that have been duped, and who have accidentally shelled out their hard-earned dineros. And we won't even get into the ways that the RealPlayer tries to take over your computer once you install it. So, after surveying the alternatives, we're switching to Windows Media Player (which works on Macs, too).

For those of you who don't yet have the Windows Media Player installed, you can get it for Windows--for free--at:
http://www.microsoft.com/windows/window smedia/9ser ies/player.aspx

And for Mac--for free--at:
http://www.microsoft.com/windows/window smedia/soft ware/Macintosh/osx/default.aspx for OS X or
http://www.microsoft.com/windows/windowsmedia/ down load/mac71.aspx for OS 8.1 and up

Listening to Car Talk is painful enough by itself. You don't need more angst. If you'd rather take Car Talk with you, you can also download the show anytime by clicking on the Audible link at:
http://www.cartalk.com/Radio/Show/ (Cheapskate alert: fee *definitely* involved.)

when major broadcasters are dumping real's products due to their "betcha can't find the free version" antics, maybe real would wisen up and actually make good on their "free" players.

not that i care - real alternative and media player classic take care of my windows-based media viewing just fine, minus all the spyware and other crap.

A Semantic Issue

[Obyron]

Realplayer is popular?! Stop the presses! I think a better word for Realplayer (that doesn't contain only four letters) is prolific. Popular implies that people actually like having to use it.

The "Fix" is to upgrade to RealOne -- no thanks!

[WD]

The only fact that allowed RealPlayer to remain on my system was that you didn't need to upgrade to the horrible, slow, ad-infested RealOne player. I've had no problem playing any "real" content with RealPlayer 8. It's not the best player, but compared to RealOne it is lean and mean.

For people using RP8, the "fix" is to upgrade to the latest RealOne player (V2).

Given those choices, I think any remaining RealPlayer users will choose to uninstall the software.

My own instructions: don't install real player.

I follow this because they are assholes, but it works just as well for avoiding their bugs too.

Try mplayer classic.

Smartphones

I've got RP on my Nokia 3650...what about that?
Again, the article is weak and has few details.
And real wont say how many are affected (security through obscurity?)

jerkwad script kiddies...

Goddamn RealNetworks

You know, way back when, I used to like RealPlayer. It was my source for 24/7 music videos, news, and other good stuff. Unfortunately, the last good RealPlayer was RealPlayer G2.
The advent of RealPlayer 8 ushered in the era of "pay or get lost" attitude that makes me despise Real today. Granted, it wasn't too bad; it didn't try to take over every part of your computer so that all your Word files would now be handled by the RealOne Player. But it was still annoying to have to shut off the "StartCenter" with every install and be told, "Your computer will work better with our resource hog running! Are you sure?"
RealOne is even worse. Not only does it try to associate itself with every possible file format on your system (even after you restore your associations to the right ones), it takes away features that used to be free (you're telling me I have to pay to use a compact player? I don't think so).
I think I'll stick with RealPlayer 8 and take the risk.

You used Realplayer for pr0n?

I pity you.

fap
fap
fap
[buffering]
fap
fap
[buffering ]
fap

(someone had to say it..)

Re:Instructions -- Alternative Codecs

[Tackhead]

> There has been significant development on "alternative codec" to both Real and Quicktime. Google for "Real alternative" or "Quicktime alternative" to find the codecs. They can also be downloaded in a "bundle" of sorts from here : http://www.k-litecodecpack.com/

I, too, use Media Player Classic on my winboxen.

But because MPC merely uses the Real codecs, what if the vulnerability is in the DLL for the codec, not the player?

MPC could be as vulnerable as RP8 or RealOne, at least until we figure out exactly is patched in the "update" Real is offering as a workaround. Did they update the PLAYER, or did they update the DLLs that render the .rm files?

Next Headline

[Cruciform]

"Millions of Vulnerabilities Waiting to be Exploited!"

They're called users :)

This is why I'm glad I did away with Real

[Tiado]

At least I don't have to worry about such a vulnerability.

I stopped using RealPlayer at version 7, I refuse to upgrade to any higher version. I used to use Real for virtually all my media, but now I only use RP7 for occasionally playing the RealAudio files that I kept.

Re:Heh

[Douglas+Simmons]

I'm not sure how many mod points you got because I have all troll modified comments set at +5, but let me say this, I put you on my "friends" list even though you already were a friend of a friend. Thank you for having and sharing an incredible sense of humor.

I run Windows Media Player to avoid RealExploits

[gfecyk]

heh heh heh

Don't write me off as completely pro-Microsoft though - I'm still running WMP 6.4. As long as the WM9 and earlier codecs work for 6.4 and later, why upgrade?

How about Helix server?

[rabs]

Seems like people have a lot to say about the quality of Real Player. My company ia about to purchase their Helix server. Bad move?

- rabs

Download Realplayer 8 from www.oldversion.com

[cjellibebi]

> (Can you tell? I'm extremely tempted to install realplayer, just to be able to listen to BBC worldservice broadcasts-- even though I know it'll slow my computer down, violate my privacy, and open my computer up to attacks...)

You can use an old version of RealPlayer downloaded from http://www.oldversion.com that does not mess around with your PC.

Realplayer 8 is the last version of RealPlayer released before RealPlayer One which is the first version to use devious tricks to hide the checked no-spam/adware/malware checkboxes. Although RealPlayer 8 also has some opt-out ad thingies, at least in RealPlayer 8, they are easy to find and disabling them is straightforward. The only annoying thing about my version of Reallayer 8 is that occasionally, it asks me to upgrade to RealPlayer One, but this is easy to ignore.

As you can see from the front-page of oldversion.com, RealPlayer 8 is one of the most popular downloads on that site.

Re:For serious?

[MrBlint]

Thanks for the link I'll give it a try.