Feb 9th, 2008, 7:36 pm
It has been a couple of months now since Russian security researcher Evgeny Legerov confirmed that the widely deployed media software RealPlayer was vulnerable to a zero-day exploit. The Russian company Gleg is in the business of selling information on such exploits and security flaws. Unfortunately, according to RealNetworks' Vice President Jeff Chasen, Gleg has been unwilling or unable to provide the data needed to patch the alleged gaping security hole, despite repeated requests from both RealNetworks and CERT. Gleg has, on the other hand, posted a video showing the heap overflow/code execution exploit in action.
According to Chris Wysopal, CTO of the application security code-testing company Veracode, it was only ever a matter of when, rather than if, the commercial zero-day exploit market would find a vulnerability in software as widely deployed as this. "We don't know when this unpatched RealPlayer vulnerability was introduced into the code," Wysopal says. "It has probably been latent for many months. Real's customers were vulnerable as soon as they downloaded this version of RealPlayer. There is currently knowledge circulating in criminal circles and attackers are using it to compromise Real's customers."
The fact that Gleg apparently knew how to reproduce this problem at least a month beforehand, but did not inform the vendor, is quite frankly appalling. Indeed, there is a legitimate question over what benefit the customers of Gleg, who were informed about the problem, gain from having such client-side exploit information before the vendor can patch it.
Legerov has responded to criticism by arguing that the exclusivity is required so that his customers can better understand the level of risk they face. Again, this beggars belief. What do they need to understand, other than that the client software is broken and needs to be fixed as soon as possible, unless there is some ulterior motive? As Wysopal says, "I know that users with RealPlayer 11 installed will undoubtedly stumble across a malicious music file and their system will have a bot installed running with their logged in privilege level. I'm not sure what additional value I would get as a Gleg customer." Unless, of course, you were RealNetworks, in which case you might be able to run the exploit in lab conditions and patch that vulnerability. But then isn't that tantamount to blackmail?
Wysopal argues, with plenty of merit, that a cooperative solution is a much safer way for customers to understand the risks of the code they run, and that it promotes good security hygiene on the vendor side. "We have found that once vendors know that their big customers are using an independent review service they are more likely to proactively start doing security testing within their SDLC," he continues. "A vendor can't bluff their way out of a comprehensive code assessment like they can from just a single (or a few) vulnerabilities publicly reported. If their code is full of vulnerabilities their customers will know."
This blog entry was written by Davey Winder, staff writer aka happygeek. It has received 7,761 views, 4 comments, and 77 linkbacks. 1 voter has rated this entry 5 out of 5 stars. It was promoted to featured status Feb 9th, 2008.
Comments (Newest First)
docsharp01 | Newbie Poster | 24 Days Ago
Good article and commentary about RealPlayer. But I prefer WinAmp because I find it more user friendly and advanced than RealPlayer.
MattEvans | Posting Shark | Feb 12th, 2008
"Indeed, there appears to be a legitimate concern over what benefit the customers of Gleg, who were informed about the problem, would get by having such client side exploit information before the vendor can patch it."
Easy - these customers know to use another media player. If developers really leave it to third parties (public third parties!) to find severe security holes, I wouldn't feel happy using their software even if they did 'get enough information' to fix the hole. If Real don't have (can't see) the information they need within their own codebase, using their own staff/contractors, that's something of a problem in itself.
ShawnCplus | Code Monkey | Feb 11th, 2008
Congrats for making slashdot!
jwenting | duckman | Feb 10th, 2008
"The Russian company, Gleg, is in the business of selling information on such exploits and security flaws."
I guess they got an offer from some criminals that was higher than the offer (probably an offer of nothing at all) they got from RealNetworks...
Economics, Soviet style. Don't care about social responsibility, only about stuffing your own pockets, compared with economics, softy style, appeal to people's social responsibility in an attempt to get them to part with their goods for free.