
RealPlayer Patches Critical Flaws

RealNetworks Inc. has issued patches to fix at least two serious security holes in a number of its RealVideo and RealOne media players. These flaws are especially interesting because they are present in versions of the company's software designed for each major operating system platform, including Windows, Mac and Linux.

According to RealNetworks, the flaws could be used by attackers to install spyware on your machine or to take complete control over it. If you have any version of RealPlayer installed on your machine, you should update to the newest version.

To find out whether you need to update, you first need to figure out which version of Real you are running. To check, fire up RealPlayer and go to the Help Menu, then select "About RealPlayer." Then refer to this link to see if your version is affected.

Unless you see a "no" next to your version number, it's time to upgrade. Lower on the same page are operating-system-specific instructions for updating to the latest, patched version of the software.

Update, 10:25 a.m. ET: It appears that in some cases, users who want to update to the latest version of Real (the one without all the security flaws) must "upgrade," which usually means they must pay for the patches. I've said this before, and I'll say it again -- at the risk of inciting a flame war: requiring people to pay for security patches may be a useful idea from a business perspective, but it's a horrible one from a security standpoint. Companies like Real always claim that there are significant updates to functionality, usability, etc., in addition to security fixes in their "upgrades." Well, super, but I say issue the security updates separately, not as an enticement to wring money out of your user base, many of whom have already paid for the software once.

For the record, I haven't had any Real products installed on any of my computers for the past three years; during that time I've used and paid for (once) Winamp Pro, which has issued plenty of security updates but never required me to "upgrade" for any of them.

By Brian Krebs  |  November 11, 2005; 9:29 AM ET
Categories:  New Patches  


Hi Brian - I also have boycotted Real products on my machines for the last three years, after RealPlayer let a virus in that devastated one of my systems. When I first started reading your post I was ready to try again, since I have missed out on some content here and there that was only available in Real format. But when I got to the part about having to pay for security updates, I renewed my pledge to keep Real out of my life. If a company can't provide security free of (extra) charge, they don't deserve my business in the first place. Keep fighting the good fight!

Posted by: Matt | November 11, 2005 11:22 AM

Real player just sucks. Why can't they make software that just plays media and doesn't take over your computer and write keys in your registry so that the program starts when your computer boots?

Posted by: Real Player | November 11, 2005 1:14 PM

I have the free version of RealPlayer installed under sufferance because my favourite content provider uses it. If it weren't for that I would uninstall it and be a lot happier without the constant high-pressure sell that comes with it (trouble is, the pay version is just as intrusive, trying to sell high-value content and spamming you with "news" and "important messages"). I don't get any of that with WinAmp ...

Posted by: Tesserat | November 11, 2005 1:29 PM

Linux users don't have to pay for RealPlayer updates. They are available free from the HelixPlayer (an open version of RealPlayer) website:

The newest version, 10.0.6, is supposed to be free of bugs. However, it was released on Sept. 15, so I don't know that I'd be sure about that.

Posted by: Mike | November 11, 2005 1:35 PM

I just now downloaded and installed the RealPlayer 10.5 upgrade and it didn't ask for any money. I got to it by selecting Tools > Check for Update on the menu bar. At the end it said it needed to connect to the Internet to complete registration and setup. I don't know why it said that since my computer was already connected to the Internet. At that point I selected Cancel, so I guess it never finished "registration and setup," but when I load my RealPlayer now it says I have version 10.5, so I guess it upgraded.

Posted by: Fay | November 11, 2005 2:08 PM

The BBC has a spyware free version of RealPlayer available here:

But unfortunately, that version is 10 and thus is vulnerable. I don't know if upgrading via the help menu gets you a spyware free 10.5, but I highly doubt it.

I just downloaded the three available patches rather than updating, but that may be leaving me at risk.

Posted by: Jimbo | November 11, 2005 3:44 PM

Followed Fay's suggestion, selected Check for Updates on the Tools menu of my 10.0 version. Selected only the security upgrade: no problem, no charge. Only use it for BBC radio and NPR anyway so am probably at low risk for malware, but try to keep the barn door closed.

Posted by: Grandma Linn | November 11, 2005 5:51 PM

FYI, Real Player will install for free, as will the security patches. With a bit of patience, all the ads, messages, and autostart features can be shut off. It really is not that surprising that free software defaults to a sales pitch. Commercials pay for free stuff, like much of television programming. If you want to skip it, you get a DVR.

Posted by: Kevin | November 11, 2005 9:15 PM

The comments to this entry are closed.
