RealPlayer Patch Plugs In-the-Wild Security Exploit

RealNetworks, the maker of the RealPlayer and RealOne media player software, has issued a security update to fix a flaw that hackers are actively exploiting to break into vulnerable computers.

The stand-alone patch, available here, remedies a flaw in RealPlayer 10.5 and RealPlayer 11 beta. RealNetworks says people using RealOne Player, RealOne Player version 2, and RealPlayer 10 should upgrade immediately to RealPlayer 10.5 or RealPlayer 11 beta and install the latest patch.

The security patch remedies a type of software flaw that could be exploited just by convincing Real users to click on a specially crafted Web link. The update comes just three days after Symantec Corp. issued an alert saying it was seeing cyber crooks targeting the software hole to compromise Windows computers.

Macintosh and Linux versions of RealPlayer are not affected by this vulnerability. The company notes that RealPlayer 8 and earlier versions of RealNetworks software for Windows are not at risk from this flaw.

By Brian Krebs  |  October 22, 2007; 4:27 PM ET
Categories:  New Patches  

Comments

Bk> RealNetworks says people using RealOne Player, RealOne Player version 2, and RealPlayer 10 should upgrade immediately

IMHO, people using RealAnything should simply uninstall it. Same goes for QuickTime with the caveat that you need it for iTunes, if you are so encumbered. On systems you don't use for YouTube, toss Flash Player out at the same time; YouTube is about the only legitimate thing that requires it. And nuke the Acrobat Plugin. If you need to read PDFs and don't like Foxit, just use the standalone Acrobat Reader; PDFs are almost nothing like web pages, so why encumber your browser with them?

Posted by: antibozo | October 22, 2007 5:12 PM | Report abuse

I concur with uninstalling RealPlayer. It's one of many software apps that have been on my blacklist for a while (along with QuickTime and Adobe Reader).

The point here is to reduce a system's attack surface by limiting the number of installed software applications. It also reduces patch maintenance as there is less software on the system!

Note: speaking of Adobe Reader, a patch was just released today, see:

http://www.adobe.com/support/security/bulletins/apsb07-18.html

Posted by: TJ | October 22, 2007 6:02 PM | Report abuse

So what do I use if there happens to be a site that uses Real file types or those of QuickTime? Any suggestions out there? And won't these be vulnerable to flaws too, that may not be patched in a timely way, and even if they are, how do I find out about patches in a timely way without having to constantly check the software's website?

Posted by: M in CT | October 23, 2007 12:20 PM | Report abuse

See my response in the other topic...

Short answer: a site that provides audio only in Real is not worth using.

Other generic advice:

One thing you can do, if you really find yourself needing this stuff frequently, is to install the various crapware on only one system and make sure the auto-update notification is enabled on that system. Keep an eye on Security Fix and the SANS ISC handlers' diary and you should find out about anything critical in a timely manner:

http://isc.sans.org/diaryarchive.html

Of course, running a non-Windows platform reduces your exposure, for the time being, since nearly all current attacks target Windows. (Not sure what platform you're using.)

If you have to use Windows + Real or QuickTime, make sure you have a current anti-malware product, and Firefox + NoScript is advisable. NoScript may slow you down a bit, but it dramatically reduces your exposure and, as a side benefit, it eliminates a lot of the banner ads and makes many sites load faster.

Posted by: antibozo | October 23, 2007 1:00 PM | Report abuse

RealPlayer developers. Listen here! Can you please build an automatic update check tool into your product?! How are we supposed to tell 35,000+ people on our network they are going to need to click on something to get the update? Almost every other media player (big players) has this feature built in. Now do what is right and get busy.

Posted by: D Taylor | October 23, 2007 2:39 PM | Report abuse

"The stand-alone patch, available here, remedies a flaw in RealPlayer 10.5"
This link does not allow you to download the patch standalone. Is there any place where this is available?

Posted by: R Bear | November 19, 2007 3:35 PM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company