IE + RealPlayer = Security hole If you have RealPlayer installed and use Internet Explorer to browse the web, beware: an exploit in circulation can allow an attacker to take complete control of your machine, Symantec is warning. Attacks targeting the most recent version of RealNetworks' music and video player were first observed Thursday night. They exploit …
You forgot the best advice of all.. Don't f'ing use that piece of crap known as Realplayer. Realplayer hasn't been decent for the better part of a decade. If you really must view .rm files (and I personally just do without if I can't find alternate encodings), for the love of all that is holy in IT.. use Media Player Classic or what not.
.. although, using Firefox is a step in the right direction.
The best piece of advice, surely, is that you should immediately disconnect your cable/adsl/telephone line/paper cups & string/carrier pigeon from your computer at the earliest opportunity?
That way the evil scourge of the Internet need never be a problem again! And whilst you're at it... you may as well take that odd box that sits under your desk which connects to your keyboard & mouse outside, and then run over it a couple of times with the nearest available tank. It'll guarantee you remain (electronic) virus/trojan free...
*Ahem*
The title should have read "IE + ActiveX = Security hole"
Realplayer was a good thing when it started, I used it for quite a few projects because of the html linking and authoring aspects. The only other thing available at the time was the WMV generator from MS, and apart from it not having any capabilities other than format conversion, it was from MS, so I steered clear.
Too many people jump on the "slag Realplayer" meme today, who have never used it or produced with it, just because it's "funny". I was doing online video over 6 years ago, before flash became the ubiquitous method it is today. For the price and the capability, Real was the best option.
But no, it's easier to have a go at Realplayer for what is essentially the same old MS problem, allowing a public interface to affect private resources. I seem to remember Windows Media player having many similar flaws to this one, and probably still does.
Essentially, if I had the time over again, I would still pick realplayer over WMP, in the same way as I jumped straight onto Phoenix/Firebird/Firefox. Separate the components, and limit the damage. Remember, realplayer doesn't need to be running for this exploit to work, so what's at fault ? IE , the ActiveX model or Realplayer ?
The real solution would be for websites to just offer proper files for direct download and local playback. You can still start playing the file as it downloads, but you then have none of the disadvantages of streams, such as the ability to accidentally lose connection midway through, and then have to re-start at the beginning. Then, just us an external player for the mpeg[1,2,4] file.
Incidentally, I'd love to see a "Plug me not" extension for firefox, which does the same as konqueror: all plugins are replaced by a button, and the plugin is only started on request. Eg flash,java,etc are too useful to uninstall, but they should only run when prompted. Flash adverts should never run, even when running a flash plugin to display content on that page.
Look at all these cool people declaring that they've not used real player since 1859, and that they all use FF because it is 'teh 1337'... how cool are they?
The fact remains that different browsers offer different benefits, different media playser the same. It is stupid to claim your choice is better than anyone elses. The point people should be making is
"Telling people to turn on prompting before using ActiveX functions? Who doesn't?"
Come on puppies... the vast majority of the IT managers reading and posting here use FF because their kids suggested it anyway. It doesn't make you any less pathetic, especially since FF is still very buggy. Out of the thousands of available browsers (not including using LWP to make your own) why do you think there are only three or four in contention? Because you all do what you're told, and suffer for it when an exploit is released
Now this is something I advocate! I've had Real Player crash IE6 on websites that don't even have any Real Player content on it.
And how'd I figure out it was Real? Turned off browser extensions, then turned them back on (Internet Options / Programs / Manage Add-Ons) one by one 'till I found the culprit. Now that's good ol' fashioned troubleshooting.
I wish I could remember the site that crashed it. It was some travel deals site used by travel agents... at one point an update from Real fixed it until a few days later, then I gave up on the damned thing. No one noticed.
Install Media Player Classic and Real Alternative (which includes MPC anyway). Now you can still decode Real media streams, files, etc.
I install CCCP which includes MPC, and then install Real Alternative Lite, which doesn't include MPC. That way CCCP has pre-configured MPC and it mostly Just Works for just about anything.
Real Player has always been risky - I remember 9 years ago when many in the UK were still on penny-a-minute dialup people were getting inflated phone bills because it was putting the PC on line without asking so it could report content used. Happened to someone I knew as well as the many reports on the net. At that time I uninstalled it because it stopped my PC defragging.
Ever since it has caused people problems.
Someone asked :" what's at fault ? IE , the ActiveX model or Realplayer ?" Simple - if your app causes a security hole when used with the most common browsing setup then its your fault.
Although Opera is set to delete cookies on exit (and I always delete Private Data anyway), Ad-Aware always shows that Real Player has left a tracking cookie rated as critical.
I've set Real so that it doesn't accept cookies or send back data, but it always seems to ignore my preferences.
I use FF and other media players but they don't work reliably (eg in FF you cannot adjust the player volume on the embedded player page). It just seems easiest to use IE and then, as explicitly recommended on the BBC website (where the player's download link is pointed to), Realplayer free.
@James & Alan above.
The instant RP started putting up adverts, and collecting usage information, and bombing (Atari ST speak for crashing) or breaking some part of Windows, I deinstalled it and have never gone back.
They employ VERY underhanded tactics - just using and configuring RP makes you feel like you're being scammed somehow. RP might as well be classified by Symantec as malware in its own right.
I'm using RealAlternative as a stopgap until the internet is, one day, purged of all Real video and audio content.
I hope Real Corp die a horrible financial death for their crimes to modern computing and business practices.
*Breathes deeply, calms down*
Stu
@Richard Neill: "Incidentally, I'd love to see a "Plug me not" extension for firefox, which does the same as konqueror: all plugins are replaced by a button, and the plugin is only started on request. Eg flash,java,etc are too useful to uninstall, but they should only run when prompted. Flash adverts should never run, even when running a flash plugin to display content on that page."
I believe Adblock does this for Flash, unfortunately I haven't (yet) seen the same thing for Java applets etc.
RealNetworks has issued a patch for this vulnerability that users can download here - http://service.real.com/realplayer/security/191007_player/en/
For more information about these patches and how the new RealPlayer has been improved, please visit the RealPlayer blog at www.realplayer.com/blog.
Matt Spragins
Real Networks
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
