Three Vulnerabilities Discovered in Real Player 286
prostoalex writes "British Next-Generation Security Software discovered three vulnerabilities in popular Real Player. A malicious attacker can execute arbitrary code by offering corrupted RealAudio stream. Real Networks posted the instructions on dealing with security flaws."
A new insult... (Score:5, Funny)
Re:A new insult... (Score:4, Funny)
Re:A new insult... (Score:2)
Bah. Make him come up with his own put-downs, I say. After all, he can afford to do the research...
-MT.
Re:A new insult... (Score:4, Funny)
Simon can (and does) come up with his own insults. Send it to Paula Abdul.
Re:Another one...;) (Score:2)
I miss Progressive Networks... (Score:5, Interesting)
But, oh how the mighty have fallen. The RealNetworks of today stopped advancing their audio protocols long ago, and have sense been lapped by the field of other audio standards. Now, RealNetworks is more of a content company, selling "-Pass" products that create monthly fees to access streams that used to be free.
So, I guess I'm not surprised that there's a "lazy programmer" style security flaw in their products today. They stoped being a tech innovator, and have slid over into the category of a content pusher. Oh well... another
Re:I miss Progressive Networks... (Score:5, Interesting)
It's very sad for me to see what's happened to Real. I worked there for over a year recently, and I really wish they could turn things around move back to what they did well back in the day.
They need to:
1) fire the entire marketing team. They're horrible
2) lose any of the quick-money things they do (ads, tricking people into paying for the Plus player or *pass accounts) and focus on rebuilding a quality user base.
3) Throw away all the 325 million customer records they have, and stop the spam.
4) Own up to the fact that most people hate them, and the only users that don't have a problem with Real are the ones that don't know them well enough yet. You can only burn so many users until they come back to burn you.
The saddest thing is that the people who work there genuinely care. They are really talented, and they all know what they SHOULD be doing in order to succeed. Especially the people that work on the actual player. But things can't change until the word comes down from the top. Rob needs to have an epiphany and turn the ship around fast, otherwise they'll be selling what's left to Sony and AOL.
Re:I miss Progressive Networks... (Score:5, Informative)
Rather than fold, Real adapted into a pay-for-content distributor. Not only did they provide the tech to stream content, but they provided the structure with which the content owners could charge for the right to hear the stream, and Real and content owners split the profits.
But that basically makes them no better than a cable TV company, who is more interested in collecting the money than providing perfect service. Afterall, for most of the content Real is selling, it's take it or leave it offers... Real is the only place you can get certain major sports and news content.
I guess the free streaming content of the 1999 era was too good to have lasted...
Re:I miss Progressive Networks... (Score:5, Funny)
Read [comics.com]
Re:Right about the Spam (Score:2)
Re:I miss Progressive Networks... (Score:5, Insightful)
Lazy programmer? Abashed, ashamed, depressed programmer is more like it.
Real is so widely reviled -- by techies, hell, by anyone who has ever downloaded it -- that I'm sure a large number of Real's programers are dispirited, depressed, and resentful that management turned what had been a reputation for technical innovation into a reputation for deceptive marketing practices.
Once a programmer has dragged his ass into Real in the morning only to be told for the tenth week in a row to forget codec improvements, it's time to hide another five opt-out click boxes on a drop-down list at the bottom of narrow scroll pane behind a button on the third page on a fifteen page tab dialog, it's no surprise that even if he does get to patch the codecs, he won't be doing anything near his best work.
Re:I miss Progressive Networks... (Score:4, Interesting)
Yeah? What do most of us care? They can probe and prod me to their hearts' content - I'll provide as much fake data as they want to ask me for.
And if they eventually adopt some form of email verification (like mailing a registration key, or the like), well, I can provide as much fake information as Yahoo asks for, as well. Minor inconvenience, but, we all have to do our part to keep the economy flowing smoothly.
I just don't get all you privacy freaks. Really, it doesn't take that much effort to lie to a few simple questions. Grow up.
Re:I miss Progressive Networks... (Score:5, Insightful)
You lie to protect your privacy, yet verbally abuse those who take their own privacy seriously and dislike lying?
Re:I miss Progressive Networks... (Score:2)
Seriously, it doesn't seem to be a major privacy issue, just the annoyance of being continually marketed to for something you know you don't want to buy. And I'll confess, I actually bought the commercial version of their current player. But even after you pay them, they come back for more; there's always some damned popup in the system tray telling you that you want
Re:I miss Progressive Networks... (Score:2)
> I can provide as much fake information as Yahoo asks for, as well.
Instead of abusing free services, why not use some free throw-away [spamgourmet.com] e-mail addresses. It's precisely what the service was designed for, and it's free, easy to use, and works well.
GSM much better than any Real codec for speech (Score:2, Informative)
libgsm1 [debian.org]
This compresses talk stream down to 1.6kB/s (or 13kbits). From their readme file:
Isn't this much better than some close-source codec? Real probably uses GSM for that 14kbps
Re:I miss Progressive Networks... (Score:2)
Fix your buffer overflows here:
Better String Library [sf.net]
Its guaranteed to plug all your buffer overflows or your money back! Using Bstrlib will make your code shiny and clean! Its brightens your whitespace, and is syntax coloring safe! Yo Quiero Bstrlib! Faster than a speeding bullet! Better than a superbowl halftime show! Free Limited time offer!
(To opt out of this list click here [pobox.com])
Instructions (Score:5, Insightful)
I still hate RealPlyaer. Any sort of file format that requires me to install the company's software to use I will eternally hate, regardless of who it is. I hate Real, and I hate Quicktime. I'd ask that they both die a slow miserable death, but I honestly want them both out of the way so that more open standards will take their place faster.
Re:Instructions (Score:3, Interesting)
If you want to get the web access to major sports or news content that used to be free, you need Real's products and have no way around it...
Re:Instructions (Score:5, Interesting)
There are still, like you mentioned, several places which offer
Re:Instructions (Score:5, Funny)
I wouldn't even use it if I third to.
Re:Instructions (Score:2)
I wouldn't even use it if I third to.
And it shall get no quarter from me!
Re:Instructions (Score:2)
Acceptable: use when you have to.
Better: use when forced. (Dangling participle and all)
Re:Instructions (Score:2)
Do you know what dyslexia is? Using "half" instead of "have" isn't it. That's better described as "illiteracy". It is, however, an excusable error for a non-native speaker of english, since the two words veer confusingly close to one another in casual spoken usage. I don't know if the original poster learned english as a second language, but I certainly hope so.
Your Alternative is ... (Score:5, Interesting)
The thing is that Real does not have a source of income. Thus, they need to squeeze pennies out of every possible opportunities often not playing nicely (I mean charging for crap, ads and SPAM).
At the same time, every format owner is trying to make his one a default. Not supporting Real means that their "commercial" format will die causing all contents providers switch to
It is the repetition of the browser wars.
BTW, I avoid most of their crap by using older version (revision 6.0.6) of the RealPlayer.
Re:Instructions (Score:3, Interesting)
Re:Instructions (Score:2)
I too would like a slow painful death for Real, but I want them gone and not used as soon as possible.
Not that I listen to them but I was overjoyed when I heard that click and clack(I dont listen so I don't know how to spell it) had dropped the real audio format for thier show archiving.
I wish more people would take a cue from this and drop it at least in favor of WMA(it may suck but I can play it on winamp). Something, anythi
Re:Instructions (Score:2, Interesting)
Re:Instructions (Score:2, Insightful)
Re:Instructions (Score:2)
Like winamp?
Re:Instructions (Score:2)
I agree with you, but so what? Aside from the allegely evil DRM scheme that I haven't even noticed on anything I've ever used MediaPlayer for, I can't see anything wrong with it. Yes, it's bundled, but why should I have to pay for something that ought to come with the operating system? Sure, it may be a monolopy, but it's a
Re:Instructions -- Alternative Codecs (Score:2, Informative)
There has been significant development on "alternative codec" to both Real and Quicktime. Google for "Real alternative" or "Quicktime alternative" to find the codecs. They can also be downloaded in a "bundle" of sorts from here : http://www.k-litecodecpack.com/
I've used the quicktime one with Media Player Classic and have been very happy with it.
I kind of despise Real player, and rarely find any good content that uses it, so I haven't actually wa
Re:Instructions -- Alternative Codecs (Score:2, Informative)
Re:Instructions -- Alternative Codecs (Score:2)
I, too, use Media Player Classic on my winboxen.
But because MPC merely uses the Real codecs, what if the vulnerability is in the DLL for the codec, not the player?
MPC could be as vulnerable as RP8 or RealOne, at least until we figure o
Re:Instructions (Score:2, Insightful)
I Agree wholeheartedly. I had to install from an old copy of RP8 just to watch video from washingtonpost.com because of the inability of RP10 to install properly on my box. I consider myself lucky to have found the install file on another box in my office. They and QT both suck, but they are necessary evils to get th
You know nothing. (Score:2)
I hate Real, and I hate Quicktime. [ . . . ] I honestly want them both out of the way so that more open standards will take their place faster.
Quicktime is a wrapper, not a file format. As such, it supports open standards. [apple.com]
The fine print (Score:4, Interesting)
Thanks, I needed that.
Great, Just %$*# Great! (Score:4, Funny)
What's the world coming too?
YAAAAAAaaaaaarrrrgh!!!!
So the exploit would go something like... (Score:5, Funny)
Re:So the exploit would go something like... (Score:5, Funny)
Re:So the exploit would go something like... (Score:2)
(whats with
Shades of MS? (Score:5, Funny)
To prevent maliciously formatted video streams from providing a backdoor into your system, type the video stream by hand and verify that it contains no malicious code.
Type THAT! (Score:5, Funny)
To prevent maliciously formatted video streams from providing a backdoor into your system, type the video stream by hand and verify that it contains no malicious code.
Anybody out there who can type at 128 kbps?
Re:Type THAT! (Score:5, Funny)
Anybody out there who can type at 128 kbps?
Yes, but not without a good deal of ...buffering... going on.
Everytime a Real story shows up on slashdot, I'm tempted to post this [afraid.org]. Looks like I couldn't resist!I love the disclaimer... (Score:5, Insightful)
Re:I love the disclaimer... (Score:2)
and that's one of the reasons why they don't deserve to have their products protected by patents (even if software patents weren't a horrible idea anyway)
at least "real" products are covered by the Sale of Goods Act (UK) etc. to guarantee a certain level of quality - you give a little, you get a little.
take responsibility or fuck off.
Re:I love the disclaimer... (Score:2)
software licenses say that the software isn't guaranteed to be fit for anything at all, not even the purpose it's advertised for.
Re:I love the disclaimer... (Score:2)
Re:I love the disclaimer... (Score:2)
B.S.
it's okay for free software to be provided "as-is" without guarantee.
it's a completely different story when commercial software is advertised and sold for a specific purpose but then says in the mandatory agreement that you mustn't have any expectations that it works at all.
Re:I love the disclaimer... (Score:2)
Nobody can guarantee that their software is bug-free, but if it turns out to have bugs (defects), the manufacturer should either make a clear, genuine and kick-a
Are all RealPlayer versions affected? (Score:3, Interesting)
Re:Are all RealPlayer versions affected? (Score:5, Informative)
From the second link, of all places:
"Exploit 1" affects RealOne Player, RealOne Player v2 for Windows only (all languages), RealPlayer 10 Beta (English only) and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, standalone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager).
"Exploit 2" affects RealOne Player, RealOne Player v2 (all language versions, all platforms), and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, standalone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager).
"Exploit 3" affects RealOne Player and RealPlayer 8 (all language versions).
Re:Are all RealPlayer versions affected? (Score:2)
Re:Are all RealPlayer versions affected? (Score:2, Interesting)
So, in nature, the flaws like these are cross-platform (ie, Mac O
Re:Are all RealPlayer versions affected? (Score:3, Informative)
Yet another reason to not use it, and use this... (Score:4, Interesting)
Sorry, but... (Score:2)
Re:Sorry, but... (Score:2)
List of vuln [buffering] (Score:5, Funny)
Exploit 1: To operate remote [buffering] from the domain of the [buffering] opened by a [buffering] file or other file.
Exploit 2: To fashion [buffering] which allow an attacker to on a user's [buffering]
Exploit 3: To fashion [buffering] create Buffer Overrun errors.
Affects real player alternative too? (Score:3, Interesting)
Would these same sorts of vulner's apply to Real Alternative [k-litecodecpack.com] too, or does the active X wrapper prevent the hack?
Re:Affects real player alternative too? (Score:2)
The vulnerabilities are in the player, not the codec it seems.
Re:Affects real player alternative too? (Score:5, Informative)
However, since Real Alternative is a reverse-engineered program, it's highly doubtful that they failed to check the same buffer that Real failed to check, so it's unlikely they have the same flaw in their code. If the Alternative has the same bug, then it starts to be likely they stole the code... let's hope we don't have to go there.
Wrong (Score:2, Insightful)
No, its simply an ActiveX wrapper for the original Real dll's, nothing is reverse engineered
then it starts to be likely they stole the code
from where ?
even Real's pseudo-open-source helixcommunity.net the non important gui crap is open but the codecs (the important bit) are still very much closed source and binary format only, so no stealing code as there is none to steal
so yes Real alternative contains this flaw, but if you want to patch it by installin
I never noticed any corruption in the stream (Score:5, Funny)
Re:I never noticed any corruption in the stream (Score:3, Interesting)
Now, if you want the present "Plus" feature set, you have to subscribe to GoldPass and pay for it every mont
Conspiracy (Score:4, Interesting)
say you have just written a nice little piece of "value-adding" code, say you work at Real, say your boss likes it and would like for every Real customer to have it.
Both of you would know that a person like me keeps Real Player on my computer only for those "must have real" moments and want nothing further to do with Real.
Well, well, well, how can they get me to "upgrade" to their new "spyware" (tin foil here)? That's right - hire a 3rd party to "find" very, very nasty bugs...then claim to have THE SOLUTION!!!! Get the NEW version....with the crapware!!!
br.horyryaryyaryaryyy!!!
The thing is... (Score:5, Funny)
Then you must send 34 seconds of a certain portion of the movie 'Deliverance' over a period of 22 minutes.
These two things must be accomplished while repeatedly hitting 'alt-f4' on your keyboard, and screaming, "Damn you Real Player! Damn you to Hell!' like a woman.
Of course, if you reboot you'll have to start all over again, after a slight delay.
Um, a longer delay.
Ok, you get one shot at this, I guess. At least the exploit is consistent with their user interface.
Re:The thing is... (Score:2, Funny)
Re:The thing is... (Score:2)
That's not an exploit. That's an easter egg.
Not on OS X? (Score:5, Informative)
Hm, once again, nothing to worry about.
Re:Not on OS X? (Score:2, Informative)
What combination of the following does this mean:
a) The OS X version isn't affected?
b) The OS X version is affected, but Real hasn't released a fix?
c) That Real's comment is incomplete?
d) No one knows?
So they want you to get the new version? (Score:3, Informative)
Has anybody tried Real Alternative [hccnet.nl]?
Re:So they want you to get the new version? (Score:2)
Re:So they want you to get the new version? (Score:2)
Hmm (Score:2, Funny)
What about Real Alternative? (Score:5, Informative)
Re:What about Real Alternative? (Score:2)
Actually, I want to know if anyone knows yet if the exploits affect RealAlternative or not.
TiggsWon't stop me using it, though. 'Cos at least I can stop it from misbehabing and actually deinstall the damn thing if I need to. I don't trust RealOne to even get the latter right.
Re:What about Real Alternative? (Score:2)
POS Software (Score:2, Informative)
I installed "V10" today and unchecked EVERYTHING about internet connections, update checkers, shortcuts, file associations etc and the damn thing still did it anyway. I eventually copied it to my gentoo box and mplayer handled it fine besides not being able to q
My predicament... (Score:3, Funny)
Possible Solution: If we can get the pr0n industry to take an interest in OSS, then Linux on the desktop would excel!
Re:My predicament... (Score:2)
This one is too easy. (Score:5, Funny)
Spyware, adware, "helpful" browser adjuncts.
Oh, wait, you mean another malicious attacker!
-- MG
Buffering... (Score:5, Funny)
The Three Vulnerabilities are.... (Score:4, Funny)
RealNetworks, Releases Update to Address Security. (Score:3, Informative)
The specific exploits were:
* Exploit 1: To operate remote Javascript from the domain of the URL opened by a SMIL file or other file.
* Exploit 2: To fashion RMP files which allow an attacker to download and execute arbitrary code on a user's machine.
* Exploit 3: To fashion media files to create "Buffer Overrun" errors.
While we have not received reports of anyone actually being attacked with this exploit, all security vulnerabilities are taken very seriously by RealNetworks. RealNetworks has found and fixed the problem.
Affected Software:
"Exploit 1" affects RealOne Player, RealOne Player v2 for Windows only (all languages), RealPlayer 10 Beta (English only) and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, standalone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager).
"Exploit 2" affects RealOne Player, RealOne Player v2 (all language versions, all platforms), and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, standalone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager).
"Exploit 3" affects RealOne Player and RealPlayer 8 (all language versions).
Workaround:
Dont run our shit.
The Microsoft response (Score:2)
The next version of Real Player will have the ability of plaing *.rma and *.rmv files removed to protect end users from the evil internet.
All users of Real Player are urged to update their player. An email virus^H^H^H^H^H^H will be sent to every registered user containing a patch to be executed as the Administrato
Gah! (Score:2)
Well, i do backup regularly....
"upgrade to the latest" strategy, no real patching (Score:5, Insightful)
So I run RealPlayer8 Basic when I need to. Their fix is to have me replace it with RealPlayer10 Gold? I don't wanna.
I also don't like having to upgrade to a newer set of local softwares simply because the "file format" has changed. There aren't that many advances in formats/compression over time, and it seems to me that: new formats are released more frequently than necessary, thus "requiring upgrades" to new readers of said formats.
(A) Patch the buggy apps you still support; don't make us install new (less well tested) software so often;
(B) Don't tie the desire to distribute your latest code to [often] unnecessary media format changes.
"I Sam thee to Dayton! (It's worse than Cleveland.)"
Helix? (Score:5, Interesting)
Anyone familiar with the Helix project (www.helixcommunity.org [helixcommunity.org])?
From the website:
The Helix community is a collaborative effort among Real, independent developers, and leading companies to extend the Helix DNA(TM) platform, the first open multi-format platform for digital media creation, delivery and playback. The Helix DNA platform is comprised of the following:
* Helix DNA Client
* Helix DNA Producer
* Helix DNA Server
* RealAudio and RealVideo codecs
I'm not too familiar with it but is it a step in the right direction for a company that once used to be on the cutting edge of digital media and now is trying to get back in the game? Or is it just another one of their corporate blood sucking tacticts? What are your thoughts?
Malicious code? Nasty (Score:2)
Watch out, with a hole like that someone could install any malicous code. Trojans, spam machines, even Realplay...what? Oh...nevermind.
Where's this "popular" RealPlayer? (Score:2)
And I haven't tired of putting "things" in "quotes", either.
can't find the free player? neither can "car talk" (Score:4, Interesting)
when major broadcasters are dumping real's products due to their "betcha can't find the free version" antics, maybe real would wisen up and actually make good on their "free" players.
not that i care - real alternative [hccnet.nl] and media player classic [sourceforge.net] take care of my windows-based media viewing just fine, minus all the spyware and other crap.
The "Fix" is to upgrade to RealOne -- no thanks! (Score:3, Insightful)
For people using RP8, the "fix" is to upgrade to the latest RealOne player (V2).
Given those choices, I think any remaining RealPlayer users will choose to uninstall the software.
Re:Helix? (Score:2)
Re:Linux (Score:3, Funny)
slip-up at a social cocktail party, since they're hardly invited
STDs transferred during sexual intercourses and foreplay with persons of opposite sex
overspending on deodorant
huge water bills due to frequent showers
complaints from Mom about yet another basement party
Re:Linux (Score:2)
Why? BECAUSE I DIDN'T INSTALL IT.
Realplayer really pisses me off. It's like adware central for one, and then the streams itself are horrible and buggy. I just don't deal with it anymore.
It's just the worse. When I go to a website that has a link to a RealPlayer sound bite, I don't even bother with it. I don't care if it's the secrets of the universe I wouldn't click on it. And don't get me started about the proprietary format that they use.
If Mplayer can't play
Re:Linux (Score:2)
But they did mention that any harm done to the machine would be under the context of the logged in user. Unless you're surfing as root (very stupid) I doubt much would happen.
Re:Linux (Score:2)
Windows repair: Boot from Mandrake CD. (Score:2)
Re:Does this even matter? (Score:2)