Slashdot Mirror

← Back to Stories (view on slashdot.org)

Three Vulnerabilities Discovered in Real Player

Posted by CowboyNeal on from the playing-for-a-fool dept.

prostoalex writes "British Next-Generation Security Software discovered three vulnerabilities in popular Real Player. A malicious attacker can execute arbitrary code by offering corrupted RealAudio stream. Real Networks posted the instructions on dealing with security flaws."

32 of 286 comments (clear)

  1. A new insult... by Lord_Slepnir · · Score: 4, Funny

    "Your band's so bad that their voices hack real player"

  2. I miss Progressive Networks... by LostCluster · · Score: 4, Interesting

    When the company was called Progressive Networks, they put out some of the most revolutionairy software on the Internet... software that could make decent sounding realtime talk radio streams with just 14.4kbps of modem bandwidth to work with. When 28.8kbps modems came out, they came up with a codec good enough for most FM radio stations...

    But, oh how the mighty have fallen. The RealNetworks of today stopped advancing their audio protocols long ago, and have sense been lapped by the field of other audio standards. Now, RealNetworks is more of a content company, selling "-Pass" products that create monthly fees to access streams that used to be free.

    So, I guess I'm not surprised that there's a "lazy programmer" style security flaw in their products today. They stoped being a tech innovator, and have slid over into the category of a content pusher. Oh well... another .com bites the dust.

    1. Re:I miss Progressive Networks... by wankledot · · Score: 5, Interesting
      Very well said.

      It's very sad for me to see what's happened to Real. I worked there for over a year recently, and I really wish they could turn things around move back to what they did well back in the day.

      They need to:
      1) fire the entire marketing team. They're horrible
      2) lose any of the quick-money things they do (ads, tricking people into paying for the Plus player or *pass accounts) and focus on rebuilding a quality user base.
      3) Throw away all the 325 million customer records they have, and stop the spam.
      4) Own up to the fact that most people hate them, and the only users that don't have a problem with Real are the ones that don't know them well enough yet. You can only burn so many users until they come back to burn you.

      The saddest thing is that the people who work there genuinely care. They are really talented, and they all know what they SHOULD be doing in order to succeed. Especially the people that work on the actual player. But things can't change until the word comes down from the top. Rob needs to have an epiphany and turn the ship around fast, otherwise they'll be selling what's left to Sony and AOL.

      --
      My sig is blank, I typed this by hand.
    2. Re:I miss Progressive Networks... by orthogonal · · Score: 4, Insightful

      So, I guess I'm not surprised that there's a "lazy programmer" style security flaw in their products today.

      Lazy programmer? Abashed, ashamed, depressed programmer is more like it.

      Real is so widely reviled -- by techies, hell, by anyone who has ever downloaded it -- that I'm sure a large number of Real's programers are dispirited, depressed, and resentful that management turned what had been a reputation for technical innovation into a reputation for deceptive marketing practices.

      Once a programmer has dragged his ass into Real in the morning only to be told for the tenth week in a row to forget codec improvements, it's time to hide another five opt-out click boxes on a drop-down list at the bottom of narrow scroll pane behind a button on the third page on a fifteen page tab dialog, it's no surprise that even if he does get to patch the codecs, he won't be doing anything near his best work.

      --
      Opinions on the Twiddler2 hand-held keyboard?
    3. Re:I miss Progressive Networks... by LostCluster · · Score: 4, Informative

      Well, the old RealAudio business model didn't work. Give away the client-side software and charge for the encoders... well, eventually people stopped buying the encoders because they realized that nobody could make money streaming content on the Internet for free.

      Rather than fold, Real adapted into a pay-for-content distributor. Not only did they provide the tech to stream content, but they provided the structure with which the content owners could charge for the right to hear the stream, and Real and content owners split the profits.

      But that basically makes them no better than a cable TV company, who is more interested in collecting the money than providing perfect service. Afterall, for most of the content Real is selling, it's take it or leave it offers... Real is the only place you can get certain major sports and news content.

      I guess the free streaming content of the 1999 era was too good to have lasted...

    4. Re:I miss Progressive Networks... by Bombcar · · Score: 4, Funny

      Today's Dilbert is strangely appropriate...

      Read

      --
      Fellowship 9/11
    5. Re:I miss Progressive Networks... by gnu-generation-one · · Score: 4, Insightful

      "I just don't get all you privacy freaks. Really, it doesn't take that much effort to lie to a few simple questions. Grow up"

      You lie to protect your privacy, yet verbally abuse those who take their own privacy seriously and dislike lying?

  3. Instructions by DarkHelmet · · Score: 5, Insightful
    Here are some nice instructions on how to deal with Real Player's security flaws:
    1. Click Start, go to Control Panel
    2. Click Add / Remove Programs
    3. Find the program entitled RealPlayer, and uninstall it
    4. Run Adaware to make sure any spyware they might have installed is no longer on your machine
    5. Convince people to Use better alternatives

    I still hate RealPlyaer. Any sort of file format that requires me to install the company's software to use I will eternally hate, regardless of who it is. I hate Real, and I hate Quicktime. I'd ask that they both die a slow miserable death, but I honestly want them both out of the way so that more open standards will take their place faster.

    --
    /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
    1. Re:Instructions by MoonFog · · Score: 4, Interesting

      For some time RealPlayer was the only "free" plug-in to support SMIL. Fortunately, we now have Ambulant.

      There are still, like you mentioned, several places which offer .rm formats to view their contents. Annoying, but then again, it appears only Quicktime and WMV are the alternatives.

    2. Re:Instructions by Anonymous Coward · · Score: 5, Funny

      RealPlayer is a program you use when you half to.

      I wouldn't even use it if I third to.

  4. The fine print by Anonymous Coward · · Score: 4, Interesting

    "we cannot guarantee and do not warrant that the operation of any RealNetworks product will be error-free, uninterrupted or secure."

    Thanks, I needed that.

  5. So the exploit would go something like... by Spazholio · · Score: 5, Funny

    "LOLOLOLO!!!!11 j00 h4v3 b33n HAC....buffering.....buffering....buffering...."

    1. Re:So the exploit would go something like... by wik · · Score: 5, Funny

      .... it's a new form of buffer underflow attack.

      --
      / \
      \ / ASCII ribbon campaign for peace
      x
      / \
  6. Shades of MS? by Ignorant+Aardvark · · Score: 5, Funny

    From the Real Player Knowledge Base:

    To prevent maliciously formatted video streams from providing a backdoor into your system, type the video stream by hand and verify that it contains no malicious code.

    --
    Cyde Weys Musings - Scrutinizing the inscrutable
  7. I love the disclaimer... by HermesHuang · · Score: 5, Insightful
    Warranty: While RealNetworks endeavors to provide you with the highest quality products and services, we cannot guarantee and do not warrant that the operation of any RealNetworks product will be error-free, uninterrupted or secure. See your original license agreement for details of our limited warranty or warranty disclaimer.
    Essentially, we don't guarantee our product works, but you should still pay us for it. Seems to be the philosophy of many software companies...
  8. Yet another reason to not use it, and use this... by saskboy · · Score: 4, Interesting

    Real Alternative in Media Player Classic. The version I use on XP has some flaws, but it is better than nothing, and I hope doesn't have the same flaws as the REAL Real Player?

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
  9. List of vuln [buffering] by QEDog · · Score: 4, Funny

    The specific [buffering] were:
    Exploit 1: To operate remote [buffering] from the domain of the [buffering] opened by a [buffering] file or other file.
    Exploit 2: To fashion [buffering] which allow an attacker to on a user's [buffering]
    Exploit 3: To fashion [buffering] create Buffer Overrun errors.

    --
    "There is no teacher but the enemy."-Mazer Rackham
  10. Type THAT! by LostCluster · · Score: 4, Funny

    From the Real Player Knowledge Base:

    To prevent maliciously formatted video streams from providing a backdoor into your system, type the video stream by hand and verify that it contains no malicious code.

    Anybody out there who can type at 128 kbps?

    1. Re:Type THAT! by McGarnacle · · Score: 5, Funny

      Anybody out there who can type at 128 kbps?

      Yes, but not without a good deal of ...buffering... going on.

      Everytime a Real story shows up on slashdot, I'm tempted to post this. Looks like I couldn't resist!
      --

      I disagree with what you say, but will defend to the death your right to tell such LIES!

  11. I never noticed any corruption in the stream by morelife · · Score: 4, Funny

    I still haven't gotten past configuring my message center options in Real Player. Boxes keep popping up. I've bought the full version three times now. What's wrong?

  12. Conspiracy by Anonymous Coward · · Score: 4, Interesting

    here's an idea.

    say you have just written a nice little piece of "value-adding" code, say you work at Real, say your boss likes it and would like for every Real customer to have it.

    Both of you would know that a person like me keeps Real Player on my computer only for those "must have real" moments and want nothing further to do with Real.

    Well, well, well, how can they get me to "upgrade" to their new "spyware" (tin foil here)? That's right - hire a 3rd party to "find" very, very nasty bugs...then claim to have THE SOLUTION!!!! Get the NEW version....with the crapware!!!
    br.horyryaryyaryaryyy!!!

  13. The thing is... by teamhasnoi · · Score: 5, Funny
    in order to execute the exploits, you first have to click on thirty-seven checkboxes hidden in a Tibetian monestary.

    Then you must send 34 seconds of a certain portion of the movie 'Deliverance' over a period of 22 minutes.

    These two things must be accomplished while repeatedly hitting 'alt-f4' on your keyboard, and screaming, "Damn you Real Player! Damn you to Hell!' like a woman.

    Of course, if you reboot you'll have to start all over again, after a slight delay.

    Um, a longer delay.

    Ok, you get one shot at this, I guess. At least the exploit is consistent with their user interface.

  14. Re:Affects real player alternative too? by LostCluster · · Score: 4, Informative

    An ActiveX wrapper in its base defintion offers no protection from this kind of flaw... in simplistic terms, ActiveX is a standard by which a controling program links up to other pre-programed objects which exist either inside a .dll file, or posibly even inside a free-standing .exe file that could possibly be run on its own... if the underlying object contains a flaw, then every other program that refers to that object will end up inheriting that flaw in the same situations, it'll be the same code making that same mistake actually running.

    However, since Real Alternative is a reverse-engineered program, it's highly doubtful that they failed to check the same buffer that Real failed to check, so it's unlikely they have the same flaw in their code. If the Alternative has the same bug, then it starts to be likely they stole the code... let's hope we don't have to go there.

  15. Not on OS X? by ce25254 · · Score: 5, Informative

    It appears from the press release on RealNetworks' site that the vulnerability does not affect the Mac OS X version.

    Hm, once again, nothing to worry about.

  16. What about Real Alternative? by e40 · · Score: 4, Informative

    I would imagine that it is not affected... perhaps this is a good time to plug it. Get it from here. Just Media Player Classic is also available.

  17. Re:Are all RealPlayer versions affected? by radon28 · · Score: 4, Informative

    Troll, but I'll play along.

    From the second link, of all places:

    "Exploit 1" affects RealOne Player, RealOne Player v2 for Windows only (all languages), RealPlayer 10 Beta (English only) and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, standalone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager).

    "Exploit 2" affects RealOne Player, RealOne Player v2 (all language versions, all platforms), and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, standalone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager).

    "Exploit 3" affects RealOne Player and RealPlayer 8 (all language versions).

  18. This one is too easy. by Montreal+Geek · · Score: 4, Funny
    Be definition if you have any software from RealNetworks on your box, then a malicious attacker is running arbitary code.

    Spyware, adware, "helpful" browser adjuncts.

    Oh, wait, you mean another malicious attacker!

    -- MG

  19. Buffering... by arvindn · · Score: 4, Funny

    Its ironic that one of the vulnerabilities is a buffer overflow.

  20. The Three Vulnerabilities are.... by Viking5150 · · Score: 4, Funny

    buffering.......buffering.......buffering......

  21. Your Alternative is ... by Poligraf · · Score: 4, Interesting

    ... Microsoft Monopoly.

    The thing is that Real does not have a source of income. Thus, they need to squeeze pennies out of every possible opportunities often not playing nicely (I mean charging for crap, ads and SPAM).

    At the same time, every format owner is trying to make his one a default. Not supporting Real means that their "commercial" format will die causing all contents providers switch to .WMV that looks like "the default choice" for many.

    It is the repetition of the browser wars.

    BTW, I avoid most of their crap by using older version (revision 6.0.6) of the RealPlayer.

    --
    Tigers respect lions, elephants and hippos. Maggots respect no one. (C) S. Dovlatov
  22. "upgrade to the latest" strategy, no real patching by MMHere · · Score: 5, Insightful

    Real's approach has always been to have their latest & "greatest" software running on your PC. ("greatest" software is less well tested).

    So I run RealPlayer8 Basic when I need to. Their fix is to have me replace it with RealPlayer10 Gold? I don't wanna.

    I also don't like having to upgrade to a newer set of local softwares simply because the "file format" has changed. There aren't that many advances in formats/compression over time, and it seems to me that: new formats are released more frequently than necessary, thus "requiring upgrades" to new readers of said formats.

    (A) Patch the buggy apps you still support; don't make us install new (less well tested) software so often;

    (B) Don't tie the desire to distribute your latest code to [often] unnecessary media format changes.

    "I Sam thee to Dayton! (It's worse than Cleveland.)"

  23. Helix? by loconet · · Score: 4, Interesting

    Hey question for you guys, I've seen a lot of negative comments about Real, most of which are understandable as I myself until recently refused to install their bloated software.

    Anyone familiar with the Helix project (www.helixcommunity.org)?

    From the website:


    The Helix community is a collaborative effort among Real, independent developers, and leading companies to extend the Helix DNA(TM) platform, the first open multi-format platform for digital media creation, delivery and playback. The Helix DNA platform is comprised of the following:

    * Helix DNA Client
    * Helix DNA Producer
    * Helix DNA Server
    * RealAudio and RealVideo codecs

    I'm not too familiar with it but is it a step in the right direction for a company that once used to be on the cutting edge of digital media and now is trying to get back in the game? Or is it just another one of their corporate blood sucking tacticts? What are your thoughts?

    --
    [alk]