Slashdot Mirror


Three Vulnerabilities Discovered in Real Player

prostoalex writes "British Next-Generation Security Software discovered three vulnerabilities in popular Real Player. A malicious attacker can execute arbitrary code by offering corrupted RealAudio stream. Real Networks posted the instructions on dealing with security flaws."

17 of 286 comments

  1. I miss Progressive Networks... by LostCluster · · Score: 4, Interesting

    When the company was called Progressive Networks, they put out some of the most revolutionary software on the Internet... software that could make decent sounding realtime talk radio streams with just 14.4kbps of modem bandwidth to work with. When 28.8kbps modems came out, they came up with a codec good enough for most FM radio stations...

    But, oh how the mighty have fallen. The RealNetworks of today stopped advancing their audio protocols long ago, and have since been lapped by the field of other audio standards. Now, RealNetworks is more of a content company, selling "-Pass" products that create monthly fees to access streams that used to be free.

    So, I guess I'm not surprised that there's a "lazy programmer" style security flaw in their products today. They stopped being a tech innovator, and have slid over into the category of a content pusher. Oh well... another .com bites the dust.

    1. Re:I miss Progressive Networks... by wankledot · · Score: 5, Interesting
      Very well said.

      It's very sad for me to see what's happened to Real. I worked there for over a year recently, and I really wish they could turn things around and move back to what they did well back in the day.

      They need to:
      1) fire the entire marketing team. They're horrible
      2) lose any of the quick-money things they do (ads, tricking people into paying for the Plus player or *pass accounts) and focus on rebuilding a quality user base.
      3) Throw away all the 325 million customer records they have, and stop the spam.
      4) Own up to the fact that most people hate them, and the only users that don't have a problem with Real are the ones that don't know them well enough yet. You can only burn so many users until they come back to burn you.

      The saddest thing is that the people who work there genuinely care. They are really talented, and they all know what they SHOULD be doing in order to succeed. Especially the people that work on the actual player. But things can't change until the word comes down from the top. Rob needs to have an epiphany and turn the ship around fast, otherwise they'll be selling what's left to Sony and AOL.

      --
      My sig is blank, I typed this by hand.
    2. Re:I miss Progressive Networks... by pla · · Score: 3, Interesting

      it's time to hide another five opt-out click boxes on a drop-down list at the bottom of narrow scroll pane behind a button on the third page on a fifteen page tab dialog

      Yeah? What do most of us care? They can probe and prod me to their hearts' content - I'll provide as much fake data as they want to ask me for.

      And if they eventually adopt some form of email verification (like mailing a registration key, or the like), well, I can provide as much fake information as Yahoo asks for, as well. Minor inconvenience, but, we all have to do our part to keep the economy flowing smoothly.


      I just don't get all you privacy freaks. Really, it doesn't take that much effort to lie to a few simple questions. Grow up.

  2. The fine print by Anonymous Coward · · Score: 4, Interesting

    "we cannot guarantee and do not warrant that the operation of any RealNetworks product will be error-free, uninterrupted or secure."

    Thanks, I needed that.

  3. Are all RealPlayer versions affected? by Debian+Troll's+Best · · Score: 3, Interesting

    Often these types of vulnerabilities only affect one platform (and usually Windows), but does anyone know which platforms are affected by this new exploit? Mac OS X and Linux too? Does it make any difference if I used apt-get to install the RealPlayer binary instead of the Real packaged one? I'm in the middle of sealing off RealPlayer ports on all our organization's firewalls at the moment, but a lot of them are running OpenBSD and we're having trouble keeping them up long enough to edit the firewall config files.

    1. Re:Are all RealPlayer versions affected? by andy55 · · Score: 2, Interesting

      Based on the info available, it's a "lazy programmer" flaw (to borrow a previous poster's words). This is to say that a buffer overflow (or something of the like) happens such that you can place an arbitrary sequence of bytes on the stack. When those bytes are executed, however, they'd of course have to be native instructions for the given CPU, meaning that the attacker would have had to create the executable sequence for a specific platform.

      So, in nature, flaws like these are cross-platform (ie, Mac OS X would be vulnerable), but at the end of the day it's super super unlikely to see someone exploit this flaw on a platform other than Windows (on an x86). Otherwise, it would require a guy to be malicious, motivated, have a lot of time on his hands, *and* know the PPC instruction set and Mac OS X runtime architecture like the back of his hand.
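A constructed illustration of the bug class andy55 describes above, added here and not code from RealPlayer, Helix or anyone in the thread: a parser for a length-prefixed stream chunk (the chunk layout is hypothetical, not the RealAudio format) that validates the stream-supplied length field before copying, with a comment marking where the unchecked "lazy" variant would let a corrupted stream write past the stack buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed chunk layout (hypothetical, not RealAudio's real format):
 *   bytes 0..1 : payload length, big-endian
 *   bytes 2..  : payload                                                */
#define MAX_PAYLOAD 64

enum parse_result { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

/* Hardened parser. The length field comes from the stream, so it is checked
 * against the destination capacity and the bytes actually present before
 * anything is copied. The "lazy" variant would do memcpy(out, data + 2, len)
 * unconditionally, letting an oversized length write past `out`. */
enum parse_result parse_chunk(const uint8_t *data, size_t avail,
                              uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (avail < 2)
        return PARSE_TRUNCATED;
    size_t len = ((size_t)data[0] << 8) | data[1];
    if (len > out_cap)
        return PARSE_TOO_LONG;   /* would overflow the fixed buffer */
    if (len > avail - 2)
        return PARSE_TRUNCATED;  /* would read past the end of the stream */
    memcpy(out, data + 2, len);
    *out_len = len;
    return PARSE_OK;
}

/* Parses one chunk into a MAX_PAYLOAD-byte stack buffer, the shape of buffer
 * a stream decoder typically uses, and returns the verdict; the payload
 * length is reported through *got_len when it is non-NULL. */
enum parse_result try_parse(const uint8_t *data, size_t avail, size_t *got_len)
{
    uint8_t buf[MAX_PAYLOAD];
    size_t n = 0;
    enum parse_result r = parse_chunk(data, avail, buf, sizeof buf, &n);
    if (got_len)
        *got_len = n;
    return r;
}

/* Constructed sample chunks. */
const uint8_t GOOD_CHUNK[]  = { 0x00, 0x03, 'a', 'b', 'c' };
const uint8_t HUGE_CHUNK[]  = { 0xFF, 0xFF, 'a', 'b', 'c' }; /* claims 65535 bytes */
const uint8_t SHORT_CHUNK[] = { 0x00, 0x10, 'a', 'b', 'c' }; /* claims 16, carries 3 */
```

Feeding HUGE_CHUNK to the unchecked variant is exactly the "corrupted stream" case from the summary; here it is rejected before any copy, and SHORT_CHUNK shows the second check, a length that fits the buffer but not the bytes received.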

  4. Yet another reason to not use it, and use this... by saskboy · · Score: 4, Interesting

    Real Alternative in Media Player Classic. The version I use on XP has some flaws, but it is better than nothing, and I hope it doesn't have the same flaws as the REAL Real Player?

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
  5. Re:Instructions by LostCluster · · Score: 2, Interesting

    Right now, RealPlayer is a program you use when you have to. For open standards, there's a better program out there, but there is a lot of content out there that is only available if you pay for it through RealNetworks, and then you can only watch it if you use one of Real's products.

    If you want to get the web access to major sports or news content that used to be free, you need Real's products and have no way around it...

  6. Affects real player alternative too? by rritterson · · Score: 2, Interesting

    I'm not a programmer, so I have a question for those of you who are.

    Would these same sorts of vulner's apply to Real Alternative too, or does the active X wrapper prevent the hack?

    --
    -Ryan
    AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
  7. Conspiracy by Anonymous Coward · · Score: 4, Interesting

    here's an idea.

    say you have just written a nice little piece of "value-adding" code, say you work at Real, say your boss likes it and would like for every Real customer to have it.

    Both of you would know that a person like me keeps Real Player on my computer only for those "must have real" moments and want nothing further to do with Real.

    Well, well, well, how can they get me to "upgrade" to their new "spyware" (tin foil here)? That's right - hire a 3rd party to "find" very, very nasty bugs...then claim to have THE SOLUTION!!!! Get the NEW version....with the crapware!!!
    br.horyryaryyaryaryyy!!!

  8. Re:Instructions by MoonFog · · Score: 4, Interesting

    For some time RealPlayer was the only "free" plug-in to support SMIL. Fortunately, we now have Ambulant.

    There are still, like you mentioned, several places which offer .rm formats to view their contents. Annoying, but then again, it appears only Quicktime and WMV are the alternatives.

  9. Re:Instructions by Kris_J · · Score: 2, Interesting

    All streaming media companies have been spoilt by broadband -- thusly, in areas with poor broadband take-up rates streaming media is all but abandoned.

  10. Re:Instructions by CoolMoDee · · Score: 2, Interesting

    We have three "standards" out there. Real, WMV, and Quicktime. The first one sucks like you said because of the software, but they support* odd platforms (Linux/PPC/Alpha). The second is very closed like the first, but is that of a convicted monopoly, and is generally full of DRM, and only supports Windows/Mac. The third is MPEG-4 based (an open standard), "requires" their software on Windows, but should be playable in MPlayer; it also works very well on non-supported platforms (Linux). If Quicktime died, then we would be left with spyware or DRM, neither of which sound like much fun. It would be cool if people would use SHOUTcast or Icecast, but chances are that won't happen because of lack of support.

    --
    Jisho - A Japanese English German Russian French Dictionary for the rest of us.
  11. Re:I never noticed any corruption in the stream by LostCluster · · Score: 2, Interesting

    Nope. Those of us who bought the red box with a screaming man on the cover back in the late 90s paid $30 or so for it... and got RealAudio Plus 3.0. However, when the 4 version of RealAudio came out, most of the "Plus" features we had paid for got moved into the new free version, and a new set of "Plus" features would be ours if we paid again. Real had a rinse, wash, repeat routine going with that...

    Now, if you want the present "Plus" feature set, you have to subscribe to GoldPass and pay for it every month...

  12. Your Alternative is ... by Poligraf · · Score: 4, Interesting

    ... Microsoft Monopoly.

    The thing is that Real does not have a source of income. Thus, they need to squeeze pennies out of every possible opportunity, often not playing nicely (I mean charging for crap, ads and SPAM).

    At the same time, every format owner is trying to make his one the default. Not supporting Real means that their "commercial" format will die, causing all content providers to switch to .WMV, which looks like "the default choice" for many.

    It is the repetition of the browser wars.

    BTW, I avoid most of their crap by using an older version (revision 6.0.6) of the RealPlayer.

    --
    Tigers respect lions, elephants and hippos. Maggots respect no one. (C) S. Dovlatov
  13. Helix? by loconet · · Score: 4, Interesting

    Hey question for you guys, I've seen a lot of negative comments about Real, most of which are understandable as I myself until recently refused to install their bloated software.

    Anyone familiar with the Helix project (www.helixcommunity.org)?

    From the website:


    The Helix community is a collaborative effort among Real, independent developers, and leading companies to extend the Helix DNA(TM) platform, the first open multi-format platform for digital media creation, delivery and playback. The Helix DNA platform is comprised of the following:

    * Helix DNA Client
    * Helix DNA Producer
    * Helix DNA Server
    * RealAudio and RealVideo codecs


    I'm not too familiar with it, but is it a step in the right direction for a company that once used to be on the cutting edge of digital media and now is trying to get back in the game? Or is it just another one of their corporate blood sucking tactics? What are your thoughts?

    --
    [alk]
  14. can't find the free player? neither can "car talk" by aderusha · · Score: 3, Interesting
    from http://cartalk.com/Radio/windowsmedia-switch.html:

    Car Talk will now be available via the Windows Media Player, rather than RealMedia. That's right, we're unceremoniously dumping RealMedia.

    Why? Because, for a long time, we've had tons of complaints about RealNetworks. And the one that ticks us off the most is the perceived trickery they use to sell their premium products. This is just our opinion, mind you, but it's shared by enough of our listeners, that we finally decided to take action.

    Here's the problem. In order to hear our audio, you have to go to Real.com and download their "free" RealPlayer. But when you get to the web site, the free player is harder to find than Osama Bin Laden at night. And the site seems to do everything it possibly can to get you to "buy" a player instead. You have to work very hard to get the free player. And we think that stinks. And get this. It stinks so much that it even makes Microsoft look good by comparison. That's something, huh?

    We've heard from many of our fans that have been duped, and who have accidentally shelled out their hard-earned dineros. And we won't even get into the ways that the RealPlayer tries to take over your computer once you install it. So, after surveying the alternatives, we're switching to Windows Media Player (which works on Macs, too).

    For those of you who don't yet have the Windows Media Player installed, you can get it for Windows--for free--at:
    http://www.microsoft.com/windows/windowsmedia/9series/player.aspx

    And for Mac--for free--at:
    http://www.microsoft.com/windows/windowsmedia/software/Macintosh/osx/default.aspx for OS X or
    http://www.microsoft.com/windows/windowsmedia/download/mac71.aspx for OS 8.1 and up

    Listening to Car Talk is painful enough by itself. You don't need more angst. If you'd rather take Car Talk with you, you can also download the show anytime by clicking on the Audible link at:
    http://www.cartalk.com/Radio/Show/ (Cheapskate alert: fee *definitely* involved.)


    when major broadcasters are dumping real's products due to their "betcha can't find the free version" antics, maybe real would wise up and actually make good on their "free" players.

    not that i care - real alternative and media player classic take care of my windows-based media viewing just fine, minus all the spyware and other crap.