Three Vulnerabilities Discovered in Real Player
prostoalex writes "British Next-Generation Security Software discovered three vulnerabilities in the popular Real Player. A malicious attacker can execute arbitrary code by offering a corrupted RealAudio stream. Real Networks posted the instructions on dealing with security flaws."
How about Linux, are we safe? I didn't see any reference...
Cheers,
RoadkillBunny
The same versions of RealPlayer and RealOne that are vulnerable in Windows are also vulnerable in Lunix. Your best bet is to update your version of RealPlayer or switch to mplayer, which doesn't have known vulnerabilities of this sort.
An ActiveX wrapper in its base definition offers no protection from this kind of flaw... in simplistic terms, ActiveX is a standard by which a controlling program links up to other pre-programmed objects which exist either inside a .dll file, or possibly even inside a free-standing .exe file that could possibly be run on its own... if the underlying object contains a flaw, then every other program that refers to that object will end up inheriting that flaw in the same situations, it'll be the same code making that same mistake actually running.
However, since Real Alternative is a reverse-engineered program, it's highly doubtful that they failed to check the same buffer that Real failed to check, so it's unlikely they have the same flaw in their code. If the Alternative has the same bug, then it starts to be likely they stole the code... let's hope we don't have to go there.
It appears from the press release on RealNetworks' site that the vulnerability does not affect the Mac OS X version.
Hm, once again, nothing to worry about.
Has anybody tried Real Alternative?
I would imagine that it is not affected... perhaps this is a good time to plug it. Get it from here. Just Media Player Classic is also available.
It seems like this mistake is in some low-level C library involved in the Real codecs, since it's been there ever since RealPlayer 8 and nearly every release after that point. I wonder if that means Helix inherited the bug as well...
I'm sorry but there is simply nothing good about this piece of software. It's sucked since version one and sucks progressively more as time goes on. As a matter of fact Microsoft's wmv and wma kicks the shit out of it and that's saying something.
I installed "V10" today and unchecked EVERYTHING about internet connections, update checkers, shortcuts, file associations etc and the damn thing still did it anyway. I eventually copied it to my gentoo box and mplayer handled it fine besides not being able to queue or fast forward. God I HATE RM shit. Gaa!
I haven't posted in so long, my sig is out of date.
Well, the old RealAudio business model didn't work. Give away the client-side software and charge for the encoders... well, eventually people stopped buying the encoders because they realized that nobody could make money streaming content on the Internet for free.
Rather than fold, Real adapted into a pay-for-content distributor. Not only did they provide the tech to stream content, but they provided the structure with which the content owners could charge for the right to hear the stream, and Real and content owners split the profits.
But that basically makes them no better than a cable TV company, who is more interested in collecting the money than providing perfect service. After all, for most of the content Real is selling, it's take it or leave it offers... Real is the only place you can get certain major sports and news content.
I guess the free streaming content of the 1999 era was too good to have lasted...
Troll, but I'll play along.
From the second link, of all places:
"Exploit 1" affects RealOne Player, RealOne Player v2 for Windows only (all languages), RealPlayer 10 Beta (English only) and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, standalone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager).
"Exploit 2" affects RealOne Player, RealOne Player v2 (all language versions, all platforms), and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, standalone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager).
"Exploit 3" affects RealOne Player and RealPlayer 8 (all language versions).
Someone's bound to point this out, might as well be me.
There has been significant development on "alternative codec" to both Real and Quicktime. Google for "Real alternative" or "Quicktime alternative" to find the codecs. They can also be downloaded in a "bundle" of sorts from here: http://www.k-litecodecpack.com/
I've used the quicktime one with Media Player Classic and have been very happy with it.
I kind of despise Real player, and rarely find any good content that uses it, so I haven't actually wasted time downloading the replacement codec, but I'd be willing to bet it works fine.
libgsm1
This compresses talk stream down to 1.6kB/s (or 13kbits). From their readme file:
Isn't this much better than some closed-source codec? Real probably uses GSM for that 14kbps codec anyway!!
BTW, this codec is excellent for text and even somewhat good for music (though like a bad AM radio in the music area :)
:)
Apple now supports GSM in their player
RealNetworks, Inc. has recently been made aware of security vulnerabilities that could potentially allow an attacker to run arbitrary code on a user's machine.
The specific exploits were:
* Exploit 1: To operate remote Javascript from the domain of the URL opened by a SMIL file or other file.
* Exploit 2: To fashion RMP files which allow an attacker to download and execute arbitrary code on a user's machine.
* Exploit 3: To fashion media files to create "Buffer Overrun" errors.
While we have not received reports of anyone actually being attacked with this exploit, all security vulnerabilities are taken very seriously by RealNetworks. RealNetworks has found and fixed the problem.
Affected Software:
"Exploit 1" affects RealOne Player, RealOne Player v2 for Windows only (all languages), RealPlayer 10 Beta (English only) and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, standalone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager).
"Exploit 2" affects RealOne Player, RealOne Player v2 (all language versions, all platforms), and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, standalone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager).
"Exploit 3" affects RealOne Player and RealPlayer 8 (all language versions).
Workaround:
Don't run our shit.
This is not informative, this is misinformation. Real alternative and Quicktime alternative don't give you alternative codecs but alternative players that use the original codecs.