back to article IE + RealPlayer = Security hole

If you have RealPlayer installed and use Internet Explorer to browse the web, beware: an exploit in circulation can allow an attacker to take complete control of your machine, Symantec is warning. Attacks targeting the most recent version of RealNetworks' music and video player were first observed Thursday night. They exploit …

COMMENTS

This topic is closed for new posts.
  1. Chris
    Stop

    The best advice of all...

    You forgot the best advice of all.. Don't f'ing use that piece of crap known as Realplayer. Realplayer hasn't been decent for the better part of a decade. If you really must view .rm files (and I personally just do without if I can't find alternate encodings), for the love of all that is holy in IT.. use Media Player Classic or what not.

    .. although, using Firefox is a step in the right direction.

  2. Anonymous Coward
    Coat

    Re: The best advice of all...

    The best piece of advice, surely, is that you should immediately disconnect your cable/adsl/telephone line/paper cups & string/carrier pigeon from your computer at the earliest opportunity?

    That way the evil scourge of the Internet need never be a problem again! And whilst you're at it... you may as well take that odd box that sits under your desk which connects to your keyboard & mouse outside, and then run over it a couple of times with the nearest available tank. It'll guarantee you remain (electronic) virus/trojan free...

    *Ahem*

  3. Anonymous Coward
    Anonymous Coward

    same old same old

    The title should have read "IE + ActiveX = Security hole"

    Realplayer was a good thing when it started, I used it for quite a few projects because of the html linking and authoring aspects. The only other thing available at the time was the WMV generator from MS, and apart from it not having any capabilities other than format conversion, it was from MS, so I steered clear.

    Too many people jump on the "slag Realplayer" meme today, who have never used it or produced with it, just because it's "funny". I was doing online video over 6 years ago, before flash became the ubiquitous method it is today. For the price and the capability, Real was the best option.

    But no, it's easier to have a go at Realplayer for what is essentially the same old MS problem, allowing a public interface to affect private resources. I seem to remember Windows Media player having many similar flaws to this one, and probably still does.

    Essentially, if I had the time over again, I would still pick realplayer over WMP, in the same way as I jumped straight onto Phoenix/Firebird/Firefox. Separate the components, and limit the damage. Remember, realplayer doesn't need to be running for this exploit to work, so what's at fault ? IE , the ActiveX model or Realplayer ?

  4. Raheim Sherbedgia
    Stop

    Unacceptable Use of Terms in Reg Comments

    I hereby decree that the word "meme" will not be used unless referring to physically handicapped mimes, or something else suitably cool.

  5. Albert Stienstra

    Fourth option

    The fourth option is: get rid of Real Player. THis is mostly an ad streamer anyway...

  6. Richard Neill

    Streaming = ugh

    The real solution would be for websites to just offer proper files for direct download and local playback. You can still start playing the file as it downloads, but you then have none of the disadvantages of streams, such as the ability to accidentally lose connection midway through, and then have to re-start at the beginning. Then, just us an external player for the mpeg[1,2,4] file.

    Incidentally, I'd love to see a "Plug me not" extension for firefox, which does the same as konqueror: all plugins are replaced by a button, and the plugin is only started on request. Eg flash,java,etc are too useful to uninstall, but they should only run when prompted. Flash adverts should never run, even when running a flash plugin to display content on that page.

  7. the Accountant
    Gates Horns

    IE?

    Since no sensible person uses IE isn't this all an irrelevance?

  8. Will Godfrey Silver badge
    Unhappy

    IE?

    Unfortunately 'sensible' people are a vanishing minority in today's world so, no, it's not an irrelevance

  9. ray hartman

    user of ( M$ + IE + REAL ) =

    Fool. Now what's your question ??

  10. Tibb the Cat

    FDC7A535-4070-4B92-A0EA-D9994BCC0DC5

    so how does one "set a killbit in FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"

  11. James Condron

    Readership

    Look at all these cool people declaring that they've not used real player since 1859, and that they all use FF because it is 'teh 1337'... how cool are they?

    The fact remains that different browsers offer different benefits, different media playser the same. It is stupid to claim your choice is better than anyone elses. The point people should be making is

    "Telling people to turn on prompting before using ActiveX functions? Who doesn't?"

    Come on puppies... the vast majority of the IT managers reading and posting here use FF because their kids suggested it anyway. It doesn't make you any less pathetic, especially since FF is still very buggy. Out of the thousands of available browsers (not including using LWP to make your own) why do you think there are only three or four in contention? Because you all do what you're told, and suffer for it when an exploit is released

  12. Gordon Fecyk
    Thumb Up

    Go Chris! re: "The best advice of all..." (remove RealPlayer)

    Now this is something I advocate! I've had Real Player crash IE6 on websites that don't even have any Real Player content on it.

    And how'd I figure out it was Real? Turned off browser extensions, then turned them back on (Internet Options / Programs / Manage Add-Ons) one by one 'till I found the culprit. Now that's good ol' fashioned troubleshooting.

    I wish I could remember the site that crashed it. It was some travel deals site used by travel agents... at one point an update from Real fixed it until a few days later, then I gave up on the damned thing. No one noticed.

  13. Anonymous Coward
    Anonymous Coward

    Real

    IIrc Real Player was considered to be malware/spyware and while they claimed to have cleaned up their act. I never really considered trusting them on it.

  14. Anonymous Coward
    Anonymous Coward

    You can still see Real media

    Install Media Player Classic and Real Alternative (which includes MPC anyway). Now you can still decode Real media streams, files, etc.

    I install CCCP which includes MPC, and then install Real Alternative Lite, which doesn't include MPC. That way CCCP has pre-configured MPC and it mostly Just Works for just about anything.

  15. FrankR

    Real bad

    Real Player has always been risky - I remember 9 years ago when many in the UK were still on penny-a-minute dialup people were getting inflated phone bills because it was putting the PC on line without asking so it could report content used. Happened to someone I knew as well as the many reports on the net. At that time I uninstalled it because it stopped my PC defragging.

    Ever since it has caused people problems.

    Someone asked :" what's at fault ? IE , the ActiveX model or Realplayer ?" Simple - if your app causes a security hole when used with the most common browsing setup then its your fault.

  16. James Cleveland
    Heart

    If you have RealPlayer installed and use Internet Explorer to browse the web

    Just buy a damn gun and get it over with, the world doesn't need you.

  17. Gerry
    Alert

    Real Player ignores Preferences

    Although Opera is set to delete cookies on exit (and I always delete Private Data anyway), Ad-Aware always shows that Real Player has left a tracking cookie rated as critical.

    I've set Real so that it doesn't accept cookies or send back data, but it always seems to ignore my preferences.

  18. Walter Brown
    Dead Vulture

    Whats Real Player?

    /sarcasm off

  19. Mr R. Percival

    IE + RealPlayer = Security hole

    ,', RealPlayer = 0

  20. A. Lewis
    Paris Hilton

    By now it is not an original sentiment.

    But I've got to agree, reading that article (in fact, even the headline) I thought "well if you've got realplayer installed and are using IE, there's not much hope anyway".

  21. Nigel R

    Any other way to listen to BBC?

    I use FF and other media players but they don't work reliably (eg in FF you cannot adjust the player volume on the embedded player page). It just seems easiest to use IE and then, as explicitly recommended on the BBC website (where the player's download link is pointed to), Realplayer free.

  22. Stu
    Flame

    RealPlayer + MS Windows = Security hole

    @James & Alan above.

    The instant RP started putting up adverts, and collecting usage information, and bombing (Atari ST speak for crashing) or breaking some part of Windows, I deinstalled it and have never gone back.

    They employ VERY underhanded tactics - just using and configuring RP makes you feel like you're being scammed somehow. RP might as well be classified by Symantec as malware in its own right.

    I'm using RealAlternative as a stopgap until the internet is, one day, purged of all Real video and audio content.

    I hope Real Corp die a horrible financial death for their crimes to modern computing and business practices.

    *Breathes deeply, calms down*

    Stu

  23. Phill Sacre

    Plug-me-not

    @Richard Neill: "Incidentally, I'd love to see a "Plug me not" extension for firefox, which does the same as konqueror: all plugins are replaced by a button, and the plugin is only started on request. Eg flash,java,etc are too useful to uninstall, but they should only run when prompted. Flash adverts should never run, even when running a flash plugin to display content on that page."

    I believe Adblock does this for Flash, unfortunately I haven't (yet) seen the same thing for Java applets etc.

  24. Joe Stalin
    Happy

    If it Wasn't for Real

    Ok Real Player gets on my pecs by the way is steal file assocication if you so much as look at it. But it was Real that complained to the EU about WMP bundling, and got MS landed with a nice little fine, so they did something right, right?

  25. JB

    @Nigel R

    I have Real Alternative and Media Player Classic installed. When installing, it gives you the option to integrate with Firefox, and when you open the RadioPlayer window, there is an option to 'Open in standalone player' which pops up Media Player Classic. Works just fine for me.

  26. Andy Bright
    Alert

    Trying think of why you'd install RP in the first place..

    Nope, can't think of a single reason.. and even if you couldn't play another real media file (a highly unlikely scenario), I still can't think of an actual disadvantage to not having it.

  27. Matt Spragins

    Security Update from Real

    RealNetworks has issued a patch for this vulnerability that users can download here - http://service.real.com/realplayer/security/191007_player/en/

    For more information about these patches and how the new RealPlayer has been improved, please visit the RealPlayer blog at www.realplayer.com/blog.

    Matt Spragins

    Real Networks

This topic is closed for new posts.

Other stories you might like