A very apt typo in the title
RealPayer :-)
An unpatched bug in RealPlayer leaves the media player open to drive-by-download attacks, which hackers use to trick prospective marks into visiting maliciously constructed websites. The vulnerability stems from coding errors in a RealPlayer ActiveX control (rmoc3260.dll), which enables content to be played within a user's …
How shameful and unprofessional of Elazar Broad to have posted a full disclosure of someone else's bug to anyone other than the vendor, CERT (or his country's version of CERT), and AV companies.
If blackhats already knew about the vulnerability, then it wasn't his discovery.
If blackhats did not know about the vulnerability, then, in my opinion, fully disclosing it amounts to aiding and conspiring to facilitate the illegal entry to other people's computers.
If the facts in the article are accurate, I hope Elazar Broad is forced out of our field. Maybe he could be a personal injury lawyer, but then lawyers would disbar a colleague who facilitated an injury on a bystander just to publicize an unsafe condition.
How do you know he hadn't already contacted Real Networks some time ago, and had only now gone public? Sometimes these companies have got their heads so far up their own arses that they don't bother to fix the vulnerability, or have a "we'll get around to it... someday" attitude. These are the same dickheads that worship at the shrine of security through obscurity, and in some cases the only way to get them to actually DO anything about it is to go public. Then and only then do the chickens start squawking!
If he did in fact go public without contacting the vendor first, then I agree with you 100%. But you should not cast aspersions on his professionalism without knowing all the facts involved; if he had contacted the vendor first, obviously we wouldn't have known about it.
"How shameful and unprofessional of Elazar Broad to have posted a full disclosure of someone else's bug"
Obviously, you are blissfully ignorant of the fact that RealPlayer (just like Microsoft) is so arrogant about their crapware that the *only* way to get them to patch security vulnerabilities is to publish full details where no one could fail to see them.
If the vuln had not been published, then the only people who would have known about it would be the blackhats, and the devs at RealPlayer. The people who need to know that they should avoid using RealMedia in Internet Explorer would remain ignorant. (In all fairness, they'll probably still remain ignorant because they prefer to be ignorant, but at least they can't complain that no one ever tried to tell them.)
I guess that $800million they got from Microsoft in the anti-trust hearing is being stretched out more than your average dotcom would blow through it.
With Flash video, YouTube, iTunes, and countless other far superior competitors, I can't see any point of the company at all.
You're quite right, Steve.....
It's only ethical to contact the vendor first - if only to give them the opportunity to refute your research or to prepare a strategy for response.
Once that's done, get it out in the open particularly where, as in this case, there's a workaround in place...
I still do from time to time, mainly to play back legacy RealMedia files I managed to save from the internet all those years ago, but sometimes to access those legacy media at PBS' website (shows that have all but disappeared off the air locally but somehow still have their legacy RealMedia files online despite numerous page redesigns). Plus, I have fond memories of using RealPlayer 5 to experience streaming online radio for the first time (ah, the good ol' days of letting RP5 stream Radio Disney while I browse the net using Netscape 4.78, all over a 33.6k dial-up connection. How I wish it would come back).
(And Radio Disney was good back then too, lots of oldies and music that one will never hear on radio stations locally (then again, there were no easy-listening radio stations locally back then). I usually tune in as soon as I get home from school, which equates to roughly 1 - 2 AM in the US, when they had an adult-oriented easy listening block that runs all the way into the 7-8 PM. Nowadays all they play are second-grade teenybopper bubblegum pop 24/7 which no one over their mid-20s and in their right mind will listen to).
My experience? RealPlayer jumped the shark with the G2 version. It seems that versions after 5 are just slow, bloated and loaded with nagging ads (using my then top-of-the-line Pentium 166MMX, 32MB RAM and 2.5GB box as a measurement).
"People really use it?"
You do if you want to watch/listen to BBC stuff online (Listen Again stuff specifically). Rather than cutting back on a few programs, couldn't the BBC drop them and use something free like Ogg instead, rather than expect every licence fee payer to subsidise Real? Isn't the BBC capable of flexing its arm a little to get contracts with production companies into line? If it's critical that online content not be "of broadcast quality", can't you just degrade it as you encode it into Ogg?
Of course, that simply includes the requisite bits of the Real Player necessary for actual playback. The ActiveX control is included, so this security hole affects Real Alternative users as well. I only use Real's codec for the BBC Listen Again feature, and then only through that pesky ActiveX control ...
Cheers,
Sabahattin
Quite a lot of us use the codec because all those Flash sites insist on not being back compatible, and so break the browser when trying to use YouTube and that other dynamic ad crap. The latter damn Flash media insist that my current Flash player doesn't support "instant install" which is just fine by me, as I want to know what the hell they are trying to install.
NASA has real media streams available.
... that was when I used it, I used to have my TwistedTunes collection on .ra files, when they still gave away their tunes for free. Oh, and the first radio station in the entire country to do livestream did so with RealAudio too.
Even RealPlayer was good, with a plus on having a Linux version :) ... then they turned their app into bloatware, right up when mp3's were gaining popularity. I'm sure I'm not the only one that remembers < 5Mb stereo audio files in .ra format being popular in the pre-mp3 days :)
Anyway, anything ActiveX is a security risk in itself. Yuk.