RealPlayer Zero-Day Flaw Under Attack

openOption writes "ZDNet is reporting that hackers are actively exploiting a zero-day hole in RealNetworks' RealPlayer media player, a software program installed on tens of millions of Windows computers worldwide. The in-the-wild attacks targets a previously unknown and unpatched ActiveX vulnerability in the way RealPlayer interacts with Microsoft's Internet Explorer browser. The flaw is causing drive-by malware downloads when an IE user simply browsers to a maliciously rigged Web page."

Installed by millions...

[by Anonymous Coward]

Used by no one... until now.

I suppose, it's a buffering ...

[by Anonymous Coward]

overflow exploit, right?

Re:

[Sillygates (967271)]

This wouldn't be a problem if companies like Dell(?) didn't preinstall RealPlayer on computers.

Re:

[Zymergy (803632)]

That is why we have the PC Decrapifier: http://www.pcdecrapifier.com/ [pcdecrapifier.com]

Re:Installed by millions...

[VagaStorm (691999)]

From Wikipedia:

A zero-day (or zero-hour) attack is a computer threat that exposes undisclosed or unpatched computer application vulnerabilities. Zero-day attacks take advantage of computer security holes for which no solution is currently available.

Good thing I don't use Real

[by Anonymous Coward]

Greased up Yoda doll
Puckered anus
GO LINUX!

SOFTWARE PROGRAM!!!11111```oneone

[by Anonymous Coward]

a software program

I like software programs. They run well on my computer PC and look nice on my display monitor. My computer PC works well, all the way from the electric power cable to the Ethernet network card, the hard disk hard drive, and my wireless keyboard keyboard and mouse mouse.

(What are synonyms for keyboard and mouse?)

Re:

[Penguinshit (591885)]

HID

Oh, relax....

[Foerstner (931398)]

You seem to be inexplicably tense. Perhaps you should relax for a while and watch a television program.

Or go to the theater, and watch a play. If you have any trouble understanding it, you might find more in the program they give you. Hold on to it, they're collectible.

Whatever you do, though, don't rely on alcohol to relieve your anxiety. If you become dependant on it, you may need a twelve-step program to get yourself back on track.

Re:

[Oktober Sunset (838224)]

All those use of 'program' are incorrect, they should all have been 'programme'.

You fail at both language and making a point.

Re:

[Antique Geekmeister (740220)]

No, he failed at being British. In the US, it's spelled "program".

Re:

[Curmudgeonlyoldbloke (850482)]

a software program

As opposed to a hardware program used by something like a Jacquard loom, presumably....

Re:

[jcuervo (715139)]

"Alphanumeric keyboard" and "computer mouse"?

Whew!

[dedazo (737510)]

God, I'm so glad I bought a computer with Windows XPN, which thanks to the wisdom of the European Union and RealNetworks' claims of unfair competition against their cuasi-malware player, does not include Windows Media Player! Yes, instead the OEM installed... oh, wait. They installed RealPlayer. Holy sh #$!@&*^} NO CARRIER

Hackers are the least of their troubles...

[Ecuador (740021)]

I don't want to be a troll, but people who install Real Player are asking for trouble.
Wow, I just had a scary thought I managed to block just in time before passing out: Real Player. On Vista.

Re:Hackers are the least of their troubles...

[Dishevel (1105119)]

I love Real Player. Its icon is pretty and when I click on some things on the internet it works sometimes for me. If it dose not work I just figure that the people putting that bad stuff on the internet must not know what a wonderful company Microsoft is for people like me. Now if you will excuse me I need to click on something real fast so AOL doe not disconnect me again. All I need is MS programs that I can use while online with AOL with my wonderful CABLE COMPANY connection to the internet.

Re:

[Jugalator (259273)]

For some reason, it can still be popular on various news sites and so on, so yes, people hence use it. I guess Real simply give them some irresistible deals, because surely they aren't stupid enough to willingly use that format? I can admit that the most modern Real formats are pretty good, but the standalone player and all that isn't.

Re:Hackers are the least of their troubles...

[Angostura (703910)]

I can't speak about the windows version, but the OS X implementation of the free player is actually very nice to use indeed: fast and lightweight. It's the format I choose for listening to and watching BBC streaming feeds.

Re:

[Buran (150348)]

Good luck installing the file manager. Yeah, that'll get you real far. It'd be like yanking the Finder out of my Mac (which has not and never will have a problem with this flaw...)

Re:Hackers are the least of their troubles...

[egypt_jimbob (889197)]

Seems simple, just assign the browser ring 3 security. Oh wait, its Windows (and the user is Administrator with no password).

A spammer can still send spam from ring 3. A botnet herder can still run a bot from ring 3. A phisher can still change proxy settings from ring 3.
Ring 0 only adds stealth to attacks that work just fine from ring 3.

Not in Vista

[El Lobo (994537)]

The vulnerability doesn't affect IE in protected (sandboxed, default) mode on Vista, of course.

WARNING MS SHILL

[by Anonymous Coward]

Nobody uses Vista because Vista's not compatible with Windows.

Re:Not in Vista (Permit Deny Allow)

[WillAffleckUW (858324)]

Would you like to permit this song to be played?

How about this song?

How about this one?

(repeat 50 times)

(user unchecks security check)

Re:

[suv4x4 (956391)]

I've no particular reason to reply here, but check the other replies.

They're actually insulting, ranting, cussing, since you mentioned Vista isn't vulnerable. Makes me sad of Slashdot, you know?

Experts Quickly Noted However....

[rel4x (783238)]

...that the viruses using this attack were still easier to uninstall than RealPlayer itself.

Re:Experts Quickly Noted However....

[Fx.Dr (915071)]

Upon attempting to exploit the flaw, the virus was promptly greeted with ...BUFFERING... ...BUFFERING...

It's worst then that

[Liquidrage (640463)]

The malware that gets installed is, itself, Real Player.

Affected computers are stuck in a feedback loop where Real Player installs itself over and over again.
The space-time continuum is breaking down as we speak.

Video press release

[operagost (62405)]

Real has posted a video press release on this. I would like to tell you more, but it's still buffering. Maybe they should use Media Player for their press releases.

I wouldn't worry...

[Deacon_Yermouf (900678)]

It's going to take a while for the virus to stop buffering....

Real Alternative

[gravis777 (123605)]

http://www.free-codecs.com/download/Real_Alternative.htm [free-codecs.com]

Now I just have to worry about unpatched holes in Windows Media Player!

Truthfully, I already have one bloated Media Player that is part of the OS on my machine, why would I want to install another?

BTW:
http://www.free-codecs.com/download/QuickTime_Alternative.htm [free-codecs.com]
To take care of that OTHER bloated media player

Re:

[junglee_iitk (651040)]

According to Karl Lillevold [doom9.org], a (lead) programmer for Real Player, Real Alternative is nothing but rebundled DLLs from Real Player in a wrapper for support other players. Thus, it is still exploitable.

Brought to you by a linux-user, Real(TM)-hater/uninstaller. I uninstall it on every computer I encounter :)

Re:

[antdude (79039)]

But, how do we know if RA's codecs aren't vulnerable? It has ActiveX plugin too.

Re:Real Alternative

[suv4x4 (956391)]

http://www.free-codecs.com/download/Real_Alternative.htm [free-codecs.com]
Now I just have to worry about unpatched holes in Windows Media Player!

Actually "Real Alternative" and "QuickTime Alternative" uses ripped off binary libraries straight off the official apps. It's quite likely you're vulnerable as well.

Re:

[DogDude (805747)]

Have you ever considered doing something as exotic as uninstalling WMP?

Re:

[Rob Simpson (533360)]

Not the codec, but yeah, it would probably be in "RealMedia ActiveX control 6.0.12.1741 allows you to view RealMedia content that is embedded in a webpage. The RealMedia ActiveX control supports Internet Explorer." [edskes.net] Choosing not to install this component would solve the problem, though.

Get with it

[Skiron (735617)]

New marketing name -> RealTrojans (or viruses/worms, whatever). Sales are UP!

Worried? Nah

[jdjbuffalo (318589)]

All 5 people who still have Real Player installed are in for a world of hurt...

browser, -noun, a person or thing that browses

[piratesyarr (1117287)]

The flaw is causing drive-by malware downloads when an IE user simply browsers to a maliciously rigged Web page.

I like the use of the word browser as a verb.
Also, drive-by malware downloads? This hood is no longer safe, yo!

Re:

[raehl (609729)]

Besides, isn't a drive-by more of an upload?

"Browsers to a maliciously rigged Web page"

[rho (6063)]

Please, no more stupid verbs-nee-nouns.

"Blog" should have been smothered in the crib, let's not loose another monster.

just a typo.

[Skadet (528657)]

I think they meant to write "browses". Could have been a typo (the E and R are right next to each other), could have been a brain fart linked to muscle memory, but I really doubt someone's trying to introduce "browsers" as a verb.

Re:

[Actually, I do RTFA (1058596)]

Come on, I love verbing words.

Re:

[geekoid (135745)]

So you want to crib it?

I may go home a crib.

Smell you later.

real player still part of google pack (beta)?

[sillyphisher1 (1100841)]

Last time I saw real player was when I installed google pack on a windows machine years ago. I love picasa and google earth, and at the time a few of the other packages seemed like nice things to get all in 1 install. Real player was the deal killer- I never could figure out what good it was. It seems like it spent more of my time and CPU cycles trying to sell me on an upgrade than doing anything useful. What was/is google thinking on that one?

Re:

[Bryansix (761547)]

Ug, Picasa sucks. I still can't figure out what it really DOES. When I installed it I couldn't get it to do a single thing.

MIT open courseware & Realplayer

[Ethanol-fueled (1125189)]

The evil Realplayer is still required for some MIT open courseware. They should convert those files ASAP.

Re:

[cnettel (836611)]

And what about Netscape plugins? This is not "download ActiveX controls on demand" which was chastised and basically isn't around anymore. This is the fact that some apps on your machine say "hey, I know how to handle some data on the net, just load this dynamic library of mine and hand it the data, and I'll render it neatly in the browser".

Re:

[cheater512 (783349)]

With ActiveX anyone can make something automatically execute.

With Firefox's plugin search there is a predefined list.

Re:

[by Anonymous Coward]

This vulnerability has nothing to do with ActiveX. ActiveX is just one method of hosting a plugin. Any method of hosting a plugin would be exactly as vulnerable. Anytime a browser accepts data from an outside source and passes it onto a library to handle that is a possible point of attack. There have been plenty of vulnerabilities found in non-ActiveX plugins for Internet Explorer and other browsers. There have been vulnerabilities found in the very libraries used by the browsers to display common cont

Re:

[Antique Geekmeister (740220)]

Apparently, the BBC's Iplayer project just announced that they'll also be providing content in Real, because a stack of Linux, Mac, and other software users got extremely upset their content could only be viewed with Windows Media Player. So, it's true that Real is around and will be around for a while, namely to provide an alternative to Windows Media Player.

Now, if they'd just give up on calling files tagged as .rpm as Real files, and save them as software packages and save me having to use the "save as"