RealPlayer Zero-Day Flaw Under Attack

openOption writes "ZDNet is reporting that hackers are actively exploiting a zero-day hole in RealNetworks' RealPlayer media player, a software program installed on tens of millions of Windows computers worldwide. The in-the-wild attacks targets a previously unknown and unpatched ActiveX vulnerability in the way RealPlayer interacts with Microsoft's Internet Explorer browser. The flaw is causing drive-by malware downloads when an IE user simply browsers to a maliciously rigged Web page."

Installed by millions...

[Anonymous Coward]

Used by no one... until now.

I suppose, it's a buffering ...

[Anonymous Coward]

overflow exploit, right?

Re:

[Sillygates]

This wouldn't be a problem if companies like Dell(?) didn't preinstall RealPlayer on computers.

Re:

[Zymergy]

That is why we have the PC Decrapifier: http://www.pcdecrapifier.com/ [pcdecrapifier.com]

Re:

[conlaw]

Thanks for the link. I'll probably have to set up a Windows box for my niece before she starts high school and it sure would be great not to have to go remove all the crap by hand.

Re:

[sh3l1]

Why do you have to install this? Wouldn't this be more crap on your computer?

Re:

[Zymergy]

It is a batch uninstaller that saves you lots of TIME as it uninstalls the CrapWare/TrialWare factory installed on so many OEM PCs in one operation and reboot.
And you don't need to uninstall it as it is merely a free standing executable application (and it even offers to create an XP/Vista restore point if you want/need to undo changes).

I do correct myself in pointing out that I was in error when I ~assumed~ that the PC Decrapifier uninstalled "RealPlayer", I feel it should be on the list of detected cr

Re:

[Zymergy]

In your example to the good post from calebt3, in the case of certain virus infections, or other malware which infects the windows restore feature, you would likely need to disable 'system restore' it to effectively clean/scan your system
(and you would lose the saved restore points)
You might want to obtain your specific system's Original Dell Windows XP OEM Installation disks.
You can get them from Dell here: https://support.dell.com/support/topics/global.aspx/support/dellcare/en/backupcd_form [dell.com]
If Dell

Re:

[Ilgaz]

That is why we have the PC Decrapifier: http://www.pcdecrapifier.com/ [pcdecrapifier.com]

I got a better solution. Don't buy Dell, buy from a company who respects your rights to choose your own software.

Windows, Linux, Apple doesn't matter. There are companies like that.

Deep level issue is, this issue somehow related to IE and ActiveX. Good luck removing them from Windows ;)

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Installed by millions...

[VagaStorm]

From Wikipedia:

A zero-day (or zero-hour) attack is a computer threat that exposes undisclosed or unpatched computer application vulnerabilities. Zero-day attacks take advantage of computer security holes for which no solution is currently available.

Good thing I don't use Real

[Anonymous Coward]

Greased up Yoda doll
Puckered anus
GO LINUX!

Re:

[Slashcrap]

I still don't have clue why Real spares their time and money to a platform they don't make any money from and get flamed even while they offer their million dollar assets (patents) for free to open source developers.

Yes, they are the same stupids who offers a complete media player solution to your AC favorite system along with its source code and complete framework.

Yes, but it sucks. Free crap is still crap and I don't quite see why I should thank someone for handing me a pile of shit.

As an example I recent

SOFTWARE PROGRAM!!!11111```oneone

[Anonymous Coward]

a software program

I like software programs. They run well on my computer PC and look nice on my display monitor. My computer PC works well, all the way from the electric power cable to the Ethernet network card, the hard disk hard drive, and my wireless keyboard keyboard and mouse mouse.

(What are synonyms for keyboard and mouse?)

Re:

[Penguinshit]

HID

Oh, relax....

[Foerstner]

You seem to be inexplicably tense. Perhaps you should relax for a while and watch a television program.

Or go to the theater, and watch a play. If you have any trouble understanding it, you might find more in the program they give you. Hold on to it, they're collectible.

Whatever you do, though, don't rely on alcohol to relieve your anxiety. If you become dependant on it, you may need a twelve-step program to get yourself back on track.

Re:

[Oktober Sunset]

All those use of 'program' are incorrect, they should all have been 'programme'.

You fail at both language and making a point.

Re:

[lostguru]

um not according to my dictionary, perhaps you should try speaking american?

Re:

[Antique Geekmeister]

No, he failed at being British. In the US, it's spelled "program".

Re:

[adona1]

And in Australia, it's spelled "pogram" [wikipedia.org] :)

Re:

[Curmudgeonlyoldbloke]

a software program

As opposed to a hardware program used by something like a Jacquard loom, presumably....

Re:

[jcuervo]

"Alphanumeric keyboard" and "computer mouse"?

Re:

[lenroc]

"Alphanumeric keyboard" and "computer mouse"?

Looks like someone confused verbosity with redundancy

Re:

[rlbond86]

Hey, electric power is not redundant. There are other types of power as well. /is an electrical engineer

Re:

[calebt3]

You mean sarcastic satire.

Whew!

[dedazo]

God, I'm so glad I bought a computer with Windows XPN, which thanks to the wisdom of the European Union and RealNetworks' claims of unfair competition against their cuasi-malware player, does not include Windows Media Player! Yes, instead the OEM installed... oh, wait. They installed RealPlayer. Holy sh #$!@&*^} NO CARRIER

Re:

[athdemo]

Just don't use the internet, you'll be fine. Wait, nevermind, RealPlayer? You'll never be fine.

Hackers are the least of their troubles...

[Ecuador]

I don't want to be a troll, but people who install Real Player are asking for trouble.
Wow, I just had a scary thought I managed to block just in time before passing out: Real Player. On Vista.

Re:

[athdemo]

I swear I haven't seen or heard from RealPlayer in like 5 years, it's still around? And people install it?

Re:

[Jugalator]

For some reason, it can still be popular on various news sites and so on, so yes, people hence use it. I guess Real simply give them some irresistible deals, because surely they aren't stupid enough to willingly use that format? I can admit that the most modern Real formats are pretty good, but the standalone player and all that isn't.

Re:Hackers are the least of their troubles...

[Angostura]

I can't speak about the windows version, but the OS X implementation of the free player is actually very nice to use indeed: fast and lightweight. It's the format I choose for listening to and watching BBC streaming feeds.

Re:

[networkassault]

It's also easy to uninstall. Just drag it to the trash (along with all other files that comes up when you run a spotlight search for realplayer), then just hit Command, Shift, Delete. Then again, I uninstalled IE from Windows 95 machine. Anything is easy to uninstall after that.

Re:

[Buran]

Good luck installing the file manager. Yeah, that'll get you real far. It'd be like yanking the Finder out of my Mac (which has not and never will have a problem with this flaw...)

Re:

[Buran]

I mean, UNinstalling. Hello, this is 2007 and there's no edit button? And what's with this lame "to give everyone a chance to post" bullshit? It's 2007, computers can handle more than one simultaneous query.

Re:Hackers are the least of their troubles...

[egypt_jimbob]

Seems simple, just assign the browser ring 3 security. Oh wait, its Windows (and the user is Administrator with no password).

A spammer can still send spam from ring 3. A botnet herder can still run a bot from ring 3. A phisher can still change proxy settings from ring 3.
Ring 0 only adds stealth to attacks that work just fine from ring 3.

Re:

[mindbooger]

Eh, it's more open (with the Helix stuff?) and more multiplatform than Microsoft's alternatives (is even Mplayer with binary codecs able to play DRM'd WMVs? And even their new Silverlight, despite allegedly for Mac and Windows, is OSX x86-only -- there's a buttload of still-useful PowerPC machines still out here).

And with most sites I've seen that offer streaming content, those are my two choices -- Real or DRM'd MS (if I'm even lucky enough to have a choice of something non-MS!). Or Flash. Ooh, yeah, that'

Re:

[Ilgaz]

If it is DRM, I would choose Real DRM because they actually make money from their servers. They do it for living, MS does wmedia to give hell to people who dares to reject using their OS.

Fortunately their "Lets give sites wmedia server free so they will serve our junk format" failed horribly after Flash took over the embedded video market thanks to hassle free installation and being multiplatform. Now the MS geniuses came up with "SilverLight" aka "Flash killer" (!) and naive or well paid usual suspect deci

Re:

[t1n0m3n]

don't tell the mr poop sniffer spam guy

Re:

[Draek]

yup. It works on Linux, it's fast, lightweight, and it's used by reputable news sites [bbc.co.uk], something that can't be said of any other video codec.

Re:Hackers are the least of their troubles...

[Dishevel]

I love Real Player. Its icon is pretty and when I click on some things on the internet it works sometimes for me. If it dose not work I just figure that the people putting that bad stuff on the internet must not know what a wonderful company Microsoft is for people like me. Now if you will excuse me I need to click on something real fast so AOL doe not disconnect me again. All I need is MS programs that I can use while online with AOL with my wonderful CABLE COMPANY connection to the internet.

Not in Vista

[El Lobo]

The vulnerability doesn't affect IE in protected (sandboxed, default) mode on Vista, of course.

WARNING MS SHILL

[Anonymous Coward]

Nobody uses Vista because Vista's not compatible with Windows.

You are attempting to laud Vista on slashdot

[Anonymous Coward]

[Cancel] or [Allow] ?

Re:

[Anonymous Coward]

Actually it does. If you bothered to learn the underlying components(below the API) you wouldn't sound like such a dolt.

Re:Not in Vista (Permit Deny Allow)

[WillAffleckUW]

Would you like to permit this song to be played?

How about this song?

How about this one?

(repeat 50 times)

(user unchecks security check)

Re:

[SEMW]

I don't think you understand. Playing media files in realplayer would not require elevation, since playing a song doesn't need root privileges. Playing media files in internet explorer would not require elevation either, since though IE is sandboxed, playing media files wouldn't require IE to write to anything other than the 'temproary internet files' directory. But if a webpage tries to install malware, that would require writing to a directory other than temporary internet files (so needs user privileg

Re:

[suv4x4]

I've no particular reason to reply here, but check the other replies.

They're actually insulting, ranting, cussing, since you mentioned Vista isn't vulnerable. Makes me sad of Slashdot, you know?

Re:

[The Master Control P]

In other words, Vista/IE7 are on par with every other non-Microsoft OS/browser in this particular aspect. That's good news, but don't color me too impressed.

Re:

[recoiledsnake]

You mean every other non-Microsoft OS/browser has a sandbox model to stop exploits from running over user files? Can you name a few or were you just karma whoring the groupthink?

Re:

[The Master Control P]

Something like running firefox/konqueror with sudo -u nopriv_user under Linux? Or if you're paranoid, setting up a chroot jail or BSD jail?

Experts Quickly Noted However....

[rel4x]

...that the viruses using this attack were still easier to uninstall than RealPlayer itself.

Comment removed

[account_deleted]

Comment removed based on user account deletion

It's worst then that

[Liquidrage]

The malware that gets installed is, itself, Real Player.

Affected computers are stuck in a feedback loop where Real Player installs itself over and over again.
The space-time continuum is breaking down as we speak.

Re:

[Xtifr]

dpkg --purge realplayer

Does the trick on my system. I also note that this is not a flaw in Realplayer! If it were, I would be vulnerable, but since it relies on ActiveX, which I don't have, I seem to have have litle to worry about. This is (Yet Another) ActiveX exploit. Yawn. Even the open source guys (and these days Realplayer is mostly open-source except for their one special codec) can't make a Windows-based system secure.

Huh.

[ripewithdecay]

I had no idea people still use RealPlayer.

Re:

[SEMW]

"To Listen Live, or Listen Again to shows you have missed, on the BBC Radio Player you will need to have ... RealPlayer installed on your computer." (source: The BBC [bbc.co.uk])

Video press release

[operagost]

Real has posted a video press release on this. I would like to tell you more, but it's still buffering. Maybe they should use Media Player for their press releases.

I wouldn't worry...

[Deacon_Yermouf]

It's going to take a while for the virus to stop buffering....

Real Alternative

[gravis777]

http://www.free-codecs.com/download/Real_Alternative.htm [free-codecs.com]

Now I just have to worry about unpatched holes in Windows Media Player!

Truthfully, I already have one bloated Media Player that is part of the OS on my machine, why would I want to install another?

BTW:
http://www.free-codecs.com/download/QuickTime_Alternative.htm [free-codecs.com]
To take care of that OTHER bloated media player

Re:

[0xygen]

Is the vulnerability not in the actual codecs and plugins, which are the same ones used by Real Alternative?
My impression was that both Real Alternative and Quicktime Alternative both just distribute the official codecs in a package that does not install the surrounding junk.

Surely there is a good chance this still leaves you (and me) vulnerable?

Any Proof Of Concept to test with?

Re:

[Rob Simpson]

Not the codec, but yeah, it would probably be in "RealMedia ActiveX control 6.0.12.1741 allows you to view RealMedia content that is embedded in a webpage. The RealMedia ActiveX control supports Internet Explorer." [edskes.net] Choosing not to install this component would solve the problem, though.

Re:

[junglee_iitk]

According to Karl Lillevold [doom9.org], a (lead) programmer for Real Player, Real Alternative is nothing but rebundled DLLs from Real Player in a wrapper for support other players. Thus, it is still exploitable.

Brought to you by a linux-user, Real(TM)-hater/uninstaller. I uninstall it on every computer I encounter :)

Re:

[antdude]

But, how do we know if RA's codecs aren't vulnerable? It has ActiveX plugin too.

Re:Real Alternative

[suv4x4]

http://www.free-codecs.com/download/Real_Alternative.htm [free-codecs.com]
Now I just have to worry about unpatched holes in Windows Media Player!

Actually "Real Alternative" and "QuickTime Alternative" uses ripped off binary libraries straight off the official apps. It's quite likely you're vulnerable as well.

Re:

[DogDude]

Have you ever considered doing something as exotic as uninstalling WMP?

Get with it

[Skiron]

New marketing name -> RealTrojans (or viruses/worms, whatever). Sales are UP!

No need to worry! - Screen shot of virus.

[Anonymous Coward]

You have been infected by a RealPlayer virus! Muahahah! In 5 seconds, your hard drive will be form ...buffering... ...buffering... ...buffering...

Worried? Nah

[jdjbuffalo]

All 5 people who still have Real Player installed are in for a world of hurt...

browser, -noun, a person or thing that browses

[piratesyarr]

The flaw is causing drive-by malware downloads when an IE user simply browsers to a maliciously rigged Web page.

I like the use of the word browser as a verb.
Also, drive-by malware downloads? This hood is no longer safe, yo!

Re:

[raehl]

Besides, isn't a drive-by more of an upload?

Re:

[rts008]

Depends on which end you are on- the giving end (upload), or the receiving end (you end up as Son of Goatse).
You seem to be coming from the 'giving end' perspective...nothing wrong with that- better to give than receive as they say!

On a serious note, WTF?!?!?
Why is anyone still using ActiveX for anything? It's propensity for Bad Shit (TM) has been legendary for too long for this crap to keep happening. Anyone still using ActiveX needs beaten unconscious with a clue stick...last century!

As others have previo

"Browsers to a maliciously rigged Web page"

[rho]

Please, no more stupid verbs-nee-nouns.

"Blog" should have been smothered in the crib, let's not loose another monster.

just a typo.

[Skadet]

I think they meant to write "browses". Could have been a typo (the E and R are right next to each other), could have been a brain fart linked to muscle memory, but I really doubt someone's trying to introduce "browsers" as a verb.

Re:

[Actually, I do RTFA]

Come on, I love verbing words.

Re:

[CopaceticOpus]

Kids these days and all their browsering... they're going to catch the malware!

Re:

[Adambomb]

although from what I've read, verbing weirds language.

Re:

[geekoid]

So you want to crib it?

I may go home a crib.

Smell you later.

real player still part of google pack (beta)?

[sillyphisher1]

Last time I saw real player was when I installed google pack on a windows machine years ago. I love picasa and google earth, and at the time a few of the other packages seemed like nice things to get all in 1 install. Real player was the deal killer- I never could figure out what good it was. It seems like it spent more of my time and CPU cycles trying to sell me on an upgrade than doing anything useful. What was/is google thinking on that one?

Re:

[Bryansix]

Ug, Picasa sucks. I still can't figure out what it really DOES. When I installed it I couldn't get it to do a single thing.

Re:

[Billly Gates]

Real player is not the pos it once was and the spyware is all gone and it is ok today. TO me the included Norton virus scan causes much more issues with speed than the real player.

Soon to be on Slashdot:

[JK_the_Slacker]

Next up: Spam with attached Realmedia files that redirect to "stock sharing sites."

Real Player still exists??

[GPL Apostate]

I remember 'registering' Real Player back in the 90's so they sent me a CD-ROM with the 'paid for' version that had a 'record' button (for those really, really rare instances where a server allowed you to record the stream.)

Is Real Player still around???

Re:

[this great guy]

Is Real Player still around???

No. This /. story is a dupe from the 90's.

it's 2007...

[logicassasin]

... and people still use Real anything...

Wow.

After that wretched "G2 Phone Home" crap and the whole "tell me who your are so I can spam the hell out of you unless you use a fake email address like 'realsucks@pissoff.com'" crap, I'm really suprised ANYONE uses the stuff. I haven't come across a single site in the last few years that uses Real to stream, and all of my musician buddies stopped encoding in Real format back in 2001 or so.

File this exploit under "does anyone really care?". It's like finding a zer

Re:

[Antique Geekmeister]

Apparently, the BBC's Iplayer project just announced that they'll also be providing content in Real, because a stack of Linux, Mac, and other software users got extremely upset their content could only be viewed with Windows Media Player. So, it's true that Real is around and will be around for a while, namely to provide an alternative to Windows Media Player.

Now, if they'd just give up on calling files tagged as .rpm as Real files, and save them as software packages and save me having to use the "save as"

Re:

[Ilgaz]

Well I think you blame people for not keeping up with trends but you are in fact, out of date yourself.

Things since Real G2

1) Real changed entire management staff who was in charge for bundling things or deciding very plain GUID sending to SERVER which could be risk for privacy.
2) Real opened the entire source of player/framework except million dollar worth codecs which nobody can beat on low bandwidth scenarios.
3) Real patented their inventions and said "it is free to you if it is open source project" to d

The Sole User of Real Here

[WebmasterNeal]

I still use the real player. Really the only reason I do is becuase the 100+ downloaded south park episodes I have from southparkx.net are encoded as .rm files and are better quality (for a 36mb) than anything else. Honestly though, people rip on Real but I think itunes & quicktime (bundled together mind you at 50mb+) is a much inferior product than Real. Apple and Adobe are two of the worst bundling companies out there.

Drive-by?

[mig174]

drive-by malware downloads? good thing I got a MAC

Re:

[mosschops]

Actually, it's because you have a MAC that you're vulnerable. Without one you'd not have a network connection, and you'd be perfectly safe from this attack.

Now, having a Mac would make having a MAC much less risky than under Windows...

What is ActiveX?

[WillAffleckUW]

I disabled that on my WinXP a looooooonnnnnnnngggg time ago.

MIT open courseware & Realplayer

[Ethanol-fueled]

The evil Realplayer is still required for some MIT open courseware. They should convert those files ASAP.

Only affecting badly managed systems

[pe1chl]

The flaw is causing drive-by malware downloads when an IE user simply browsers to a maliciously rigged Web page

Of course this flaw only affects badly managed systems where the user is browsing the Internet while logged on as an Adminstrator.
Microsoft is trying to discourage this but the users are too stupid to realize what they are doing wrong, and keep adding themselves to the Administrators group and keep trying to get rid of "annoying" popups that tell them they need to supply their password before the s

Virus through RealPlayer...

[6Yankee]

Buggering... Buggering... Buggering...

Re:

[cnettel]

And what about Netscape plugins? This is not "download ActiveX controls on demand" which was chastised and basically isn't around anymore. This is the fact that some apps on your machine say "hey, I know how to handle some data on the net, just load this dynamic library of mine and hand it the data, and I'll render it neatly in the browser".

Re:

[cheater512]

With ActiveX anyone can make something automatically execute.

With Firefox's plugin search there is a predefined list.

Re:

[scubanator87]

All to true! A while back [adult swim] used to require activex to watch watch their videos on line. They kicked that to the curb since they realized that their demographic is the same demographic that is most likely to not use IE/ activex! They got the picture so should every one else!

Re:

[Anonymous Coward]

This vulnerability has nothing to do with ActiveX. ActiveX is just one method of hosting a plugin. Any method of hosting a plugin would be exactly as vulnerable. Anytime a browser accepts data from an outside source and passes it onto a library to handle that is a possible point of attack. There have been plenty of vulnerabilities found in non-ActiveX plugins for Internet Explorer and other browsers. There have been vulnerabilities found in the very libraries used by the browsers to display common cont

1997 called. They want their security alerts back

[El_Oscuro]

I remember first reading about activeX security vulnerabilities in one of the O'Reilly nutshell books about website design. The book also covered controversial topics such as the use of the <BLINK> and <TABLE> tags in HTML.

Re:

[pe1chl]

It would be sufficient when your workstations were setup a bit more securely, and you would not be working as an Administrator or Power User all day.
When using a Windows system as a normal user, those exploits do not stand a chance. That would be similar to using Linux as a normal user, not root.

Of course far too many wannabe-windows-admins have yelled "cannot do that, need to be admin to run many programs" because they found that in 2000 and never checked again.

Re:

[pe1chl]

I work as normal user on XP all day, and so do all our users. Only incompetently managed XP systems provide "a very bad user experience" in that case.
Most admins are not interested in finding out how to manage their systems, they prefer quick-and-dirty methods even when it hurts security. When they have tried to install Vista the first thing they are looking up on internet is how to get rid of those "allow or deny" popups :-(
With a little more study of the matter they would be able to get their systems se