 |  |  |  |  |  |  |  |
RealPlayer users held to ransom
It has been a couple of months now since a Russian security researcher, Evgeny Legerov, confirmed that the widely deployed media software RealPlayer was vulnerable to a zero-day exploit. The Russian company, Gleg, is in the business of selling information on such exploits and security flaws. Unfortunately, according RealNetworks's Vice President Jeff Chasen, Gleg has been unwilling or unable to provide the necessary data to allow the alleged gaping security hole to be patched despite repeated requests from both RealNetworks and CERT. Gleg has, on the other hand, posted a video showing the heap overflow/code execution exploit in action.
According to Chris Wysopal, CTO for application secure code testing company, Veracode, it was only ever a matter of when rather than if the zero day exploit commercial market would find a vulnerability in widely deployed software such as this. "We don't know when this unpatched RealPlayer vulnerability was introduced into the code" Wysopal says "It has probably been latent for many months. Real's customers were vulnerable as soon as they downloaded this version of RealPlayer. There is currently knowledge circulating in criminal circles and attackers are using it to compromise Real's customers."
The fact that Gleg apparently knew how to reproduce this problem at least a month beforehand, but did not inform the vendor, is quite frankly appalling. Indeed, there appears to be a legitimate concern over what benefit the customers of Gleg, who were informed about the problem, would get by having such client side exploit information before the vendor can patch it.
Legerov has responded to criticism by arguing that the exclusivity is required so that his customers can better understand the level of risk that they face. Again, this beggars belief. What do they need to understand other than the client software is broken and needs to be fixed ASAP, unless there were some ulterior motive. As Wysopal says "I know that users with RealPlayer 11 installed will undoubtedly stumble across a malicious music file and their system will have a bot installed running with their logged in privilege level. I'm not sure what additional value I would get as a Gleg customer." Unless, of course, you were RealNetworks in which case you might be able to run the exploit in lab conditions and patch that vulnerability. But then isn't that tantamount to blackmail?
Wysopal argues with plenty of merit that a cooperative solution is a much safer way for customers to understand the risks of the code they run, promoting good security hygiene on the vendor side. "We have found that once vendors know that their big customers are using an independent review service they are more likely to proactively start doing security testing within their SDLC" he continues "A vendor can't bluff their way out of a comprehensive code assessment like they can from just a single (or a few) vulnerabilities publicly reported. If their code is full of vulnerabilities their customers will know."
According to Chris Wysopal, CTO for application secure code testing company, Veracode, it was only ever a matter of when rather than if the zero day exploit commercial market would find a vulnerability in widely deployed software such as this. "We don't know when this unpatched RealPlayer vulnerability was introduced into the code" Wysopal says "It has probably been latent for many months. Real's customers were vulnerable as soon as they downloaded this version of RealPlayer. There is currently knowledge circulating in criminal circles and attackers are using it to compromise Real's customers."
The fact that Gleg apparently knew how to reproduce this problem at least a month beforehand, but did not inform the vendor, is quite frankly appalling. Indeed, there appears to be a legitimate concern over what benefit the customers of Gleg, who were informed about the problem, would get by having such client side exploit information before the vendor can patch it.
Legerov has responded to criticism by arguing that the exclusivity is required so that his customers can better understand the level of risk that they face. Again, this beggars belief. What do they need to understand other than the client software is broken and needs to be fixed ASAP, unless there were some ulterior motive. As Wysopal says "I know that users with RealPlayer 11 installed will undoubtedly stumble across a malicious music file and their system will have a bot installed running with their logged in privilege level. I'm not sure what additional value I would get as a Gleg customer." Unless, of course, you were RealNetworks in which case you might be able to run the exploit in lab conditions and patch that vulnerability. But then isn't that tantamount to blackmail?
Wysopal argues with plenty of merit that a cooperative solution is a much safer way for customers to understand the risks of the code they run, promoting good security hygiene on the vendor side. "We have found that once vendors know that their big customers are using an independent review service they are more likely to proactively start doing security testing within their SDLC" he continues "A vendor can't bluff their way out of a comprehensive code assessment like they can from just a single (or a few) vulnerabilities publicly reported. If their code is full of vulnerabilities their customers will know."
0
•
•
•
•
"The Russian company, Gleg, is in the business of selling information on such exploits and security flaws. "
I guess they got an offer from some criminals that was higher than the offer (probably an offer of nothing at all) they got from RealNetworks...
Economics, Soviet style. Don't care about social responsibility, only about stuffing your own pockets, compared with economics, softy style, appeal to peoples' social responsibility in an attempt to get them to part with their goods for free.
I guess they got an offer from some criminals that was higher than the offer (probably an offer of nothing at all) they got from RealNetworks...
Economics, Soviet style. Don't care about social responsibility, only about stuffing your own pockets, compared with economics, softy style, appeal to peoples' social responsibility in an attempt to get them to part with their goods for free.
0
•
•
•
•
""Indeed, there appears to be a legitimate concern over what benefit the customers of Gleg, who were informed about the problem, would get by having such client side exploit information before the vendor can patch it.""
Easy - these customers know to use another media player. If developers really leave it to third parties ( public third parties! ) to find severe security holes : I wouldn't feel happy using their software even if they did 'get enough information' to fix the hole. If Real don't have ( can't see ) the information they need within their own codebase, using their own staff/contractors, thats something of a problem in itself.
Easy - these customers know to use another media player. If developers really leave it to third parties ( public third parties! ) to find severe security holes : I wouldn't feel happy using their software even if they did 'get enough information' to fix the hole. If Real don't have ( can't see ) the information they need within their own codebase, using their own staff/contractors, thats something of a problem in itself.
0
•
•
•
•
Good article and commentary about RealPlayer. But I prefer WinAmp because I find it more user friendly and advanced than RealPlayer.
http://www.1-satellite-tv-facts.com
http://www.1-satellite-tv-facts.com/Direct-TV.html
http://www.1-satellite-tv-facts.com/Dish-Network.html
http://www.1-satellite-tv-facts.com/...ite-Radio.html
http://www.1-satellite-tv-facts.com/...t-Service.html
http://www.1-satellite-tv-facts.com/Satellite-DSL.html
http://www.1-satellite-tv-facts.com/...-Internet.html
http://www.1-satellite-tv-facts.com/VoIP.html
http://www.1-satellite-tv-facts.com/Phone-Systems.html
http://www.1-satellite-tv-facts.com/...-Programs.html
http://www.1-satellite-tv-facts.com
http://www.1-satellite-tv-facts.com/Direct-TV.html
http://www.1-satellite-tv-facts.com/Dish-Network.html
http://www.1-satellite-tv-facts.com/...ite-Radio.html
http://www.1-satellite-tv-facts.com/...t-Service.html
http://www.1-satellite-tv-facts.com/Satellite-DSL.html
http://www.1-satellite-tv-facts.com/...-Internet.html
http://www.1-satellite-tv-facts.com/VoIP.html
http://www.1-satellite-tv-facts.com/Phone-Systems.html
http://www.1-satellite-tv-facts.com/...-Programs.html
Similar Threads
- Fedora ssh, information held? (Getting Started and Choosing a Distro)
- RealPLayer Problem! (Windows NT / 2000 / XP)
- SP2 files held? (Windows NT / 2000 / XP)
- News Story: RealPlayer 11 zero-day exploit demo posted online (Network Security)
- Held hostage by RUNDLL32.EXE (Viruses, Spyware and other Nasties)
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest Network Security Posts
- Today's Posts
- Unanswered Threads
advertising age amd apple avatar bluegene botnet browser business cellphone censorship china chips copyright crime data database development dos downloads economy email encryption energy enterprise europe facebook firefox free gadget games gaming google government hacker hacking hardware ibm ibm.news intel intelibm internet iphone ipod itunes law legal linux mac malware marketing medicine memory microsoft mobile mozilla music news office openoffice opensource os pc phishing piracy porn privacy ps3 recession redhat report research russia search security sex socialnetworking software spam sun supercomputer supercomputing survey technology trends trojan twitter ubuntu uk video virus vista web windows windows7 working x86 xbox yahoo youtube