Slashdot Mirror


Three Vulnerabilities Discovered in Real Player

prostoalex writes "British Next-Generation Security Software discovered three vulnerabilities in the popular Real Player. A malicious attacker can execute arbitrary code by offering a corrupted RealAudio stream. Real Networks posted the instructions on dealing with security flaws."

5 of 286 comments

  1. Re:Affects real player alternative too? by LostCluster · Score: 4, Informative

    An ActiveX wrapper in its base definition offers no protection from this kind of flaw... in simplistic terms, ActiveX is a standard by which a controlling program links up to other pre-programmed objects which exist either inside a .dll file, or possibly even inside a free-standing .exe file that could possibly be run on its own... if the underlying object contains a flaw, then every other program that refers to that object will end up inheriting that flaw in the same situations, it'll be the same code making that same mistake actually running.

    However, since Real Alternative is a reverse-engineered program, it's highly doubtful that they failed to check the same buffer that Real failed to check, so it's unlikely they have the same flaw in their code. If the Alternative has the same bug, then it starts to be likely they stole the code... let's hope we don't have to go there.

  2. Not on OS X? by ce25254 · Score: 5, Informative

    It appears from the press release on RealNetworks' site that the vulnerability does not affect the Mac OS X version.

    Hm, once again, nothing to worry about.

  3. What about Real Alternative? by e40 · Score: 4, Informative

    I would imagine that it is not affected... perhaps this is a good time to plug it. Get it from here. Just Media Player Classic is also available.

  4. Re:I miss Progressive Networks... by LostCluster · Score: 4, Informative

    Well, the old RealAudio business model didn't work. Give away the client-side software and charge for the encoders... well, eventually people stopped buying the encoders because they realized that nobody could make money streaming content on the Internet for free.

    Rather than fold, Real adapted into a pay-for-content distributor. Not only did they provide the tech to stream content, but they provided the structure with which the content owners could charge for the right to hear the stream, and Real and content owners split the profits.

    But that basically makes them no better than a cable TV company, who is more interested in collecting the money than providing perfect service. After all, for most of the content Real is selling, it's take it or leave it offers... Real is the only place you can get certain major sports and news content.

    I guess the free streaming content of the 1999 era was too good to have lasted...

  5. Re:Are all RealPlayer versions affected? by radon28 · Score: 4, Informative

    Troll, but I'll play along.

    From the second link, of all places:

    "Exploit 1" affects RealOne Player, RealOne Player v2 for Windows only (all languages), RealPlayer 10 Beta (English only) and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, standalone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager).

    "Exploit 2" affects RealOne Player, RealOne Player v2 (all language versions, all platforms), and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, standalone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager).

    "Exploit 3" affects RealOne Player and RealPlayer 8 (all language versions).