RealPlayer flaws open PCs up to hijackers

Susan Bugher

Someone was just asking about downloading RealPlayer - today's news may
be of interest:

http://zdnet.com.com/2100-1105_2-5154193.html

<q>
RealNetworks acknowledged on Wednesday that three flaws affecting
different versions of its media player could allow attackers to create
corrupt music or video files that, when played, take control of a
victim's PC.
</q>

Susan
 
Richard Steinfeld

| Someone was just asking about downloading RealPlayer - today's news may
| be of interest:
|
| http://zdnet.com.com/2100-1105_2-5154193.html
|
| <q>
| RealNetworks acknowledged on Wednesday that three flaws affecting
| different versions of its media player could allow attackers to create
| corrupt music or video files that, when played, take control of a
| victim's PC.
| </q>
|

I'm rolling on the floor in disbelief. You mean that Real
Networks is accusing hackers of causing their own software to
behave like itself?

Ho Ho Ho.

Richard
 
DC

Susan Bugher wrote in <[email protected]>:

[...]
corrupt music or video files that, when played, take control of a
victim's PC.
</q>

Yeah, but only if you play the files backwards. }:OD


<q>
"By forcing a browser to a Web site containing such a file, code could
be executed on the target machine running in the context of the
logged-on user," stated an advisory posted by NGSSoftware.
</q>

Oh no! I'm a logged on user!

And they aren't supplying a patch for the linux version?!

<yawn>

};O)

Seriously, Susan, thanks for the heads-up. Time to run over to Mom's
and patch her computer (again). I should prolly do that IE one too.
The old bat will click on anything.

*sigh* A guy's got to protect his inheritance... <G>
 
Susan Bugher

Richard said:
| Someone was just asking about downloading RealPlayer - today's news may
| be of interest:
|
| http://zdnet.com.com/2100-1105_2-5154193.html
|
| <q>
| RealNetworks acknowledged on Wednesday that three flaws affecting
| different versions of its media player could allow attackers to create
| corrupt music or video files that, when played, take control of a
| victim's PC.
| </q>
|

I'm rolling on the floor in disbelief. You mean that Real
Networks is accusing hackers of causing their own software to
behave like itself?

Ho Ho Ho.

Richard

Good point. <vbg>

Susan
 
Susan Bugher

DC said:
Seriously, Susan, thanks for the heads-up. Time to run over to Mom's
and patch her computer (again). I should prolly do that IE one too.
The old bat will click on anything.

*sigh* A guy's got to protect his inheritance... <G>

I gotta remember that line and use it on the children and grandchildren.

*sigh* I wouldn't bother you with this but it's to protect your
inheritance . . .

not that the young squirts will pay any attention . . . ;)

Susan
 
Just mee

The "patch" seems to be a complete redownload of realplayer v2, and
reinstall.. If you have broadband where you are, and your mother does
not, you may want to consider downloading it in advance, and burning
it to CD, as it is 8.26MB...

JM
 
Jordan

Richard said:
I'm rolling on the floor in disbelief. You mean that Real
Networks is accusing hackers of causing their own software to
behave like itself?

Yeah, and here's the fix for the version I have -

Localized RealPlayer 8 (version 6.0.9.584):

- Go to the Help menu.
- Select "Check for Update".
- Select the box next to the "RealOne Player" component.
- Click the Install button to download and install the update.

Install RealOne? No way! It's intrusive, dominating, phones home a lot, can
be hard to uninstall and is generally an obnoxious piece of software.
 
Rhexis

> Install RealOne? No way! It's intrusive, dominating, phones home a lot, can
> be hard to uninstall and is generally an obnoxious piece of software.

RealPlayer 10 beta really isn't that bad all things considered.
(I can't believe typing this).
 
Rob

Jordan said:
Yeah, and here's the fix for the version I have -

Localized RealPlayer 8 (version 6.0.9.584):

- Go to the Help menu.
- Select "Check for Update".
- Select the box next to the "RealOne Player" component.
- Click the Install button to download and install the update.

Install RealOne? No way! It's intrusive, dominating, phones home a
lot, can be hard to uninstall and is generally an obnoxious piece of
software.

Well I guess I am out of luck! I am using an old PII computer. RealPlayer
10 will not run on the older computers. Yet, RealPlayer 8 keeps bugging me
to upgrade to the latest player! Talk about poorly written software!

So if you are using an older computer, it looks like you have two choices.
Keep using RealPlayer 8 with its security flaws or delete it off the
computer. Guess what I am going to do ;(

Rob
 
J44xm

["Susan Bugher"; Fri, 06 Feb 2004 02:16:05 GMT]
[Quote:] "RealNetworks acknowledged on Wednesday that three flaws
affecting different versions of its media player could allow attackers
to create corrupt music or video files that, when played, take control
of a victim's PC."

On another note, is it possible to view RM files without having RM
installed?
 
Burp

DC said:
Susan Bugher wrote in <[email protected]>:

[...]
corrupt music or video files that, when played, take control of a
victim's PC.
</q>

Yeah, but only if you play the files backwards. }:OD


<q>
"By forcing a browser to a Web site containing such a file, code could
be executed on the target machine running in the context of the
logged-on user," stated an advisory posted by NGSSoftware.
</q>

Oh no! I'm a logged on user!

And they aren't supplying a patch for the linux version?!

<yawn>

};O)

Seriously, Susan, thanks for the heads-up. Time to run over to Mom's
and patch her computer (again). I should prolly do that IE one too.
The old bat will click on anything.

*sigh* A guy's got to protect his inheritance... <G>

Hee hee.... thanks for the giggle!!!!!!! : )
 
Richard Steinfeld

Rhexis wrote:
|| Install RealOne? No way! It's intrusive, dominating, phones
|| home a lot, can be hard to uninstall and is generally an
|| obnoxious piece of software.
|
| RealPlayer 10 beta really isn't that bad all things considered.
| (I can't believe typing this).

Rhexis, did you track the installation? I did. It performed more
than 5,000 changes to my system. What sort of trustable software
does this?

Also, have you ever attempted to completely uninstall this?

Please do. Let us know what you had to go through to do it, and
how it turned out.

Richard
 
Rhexis

> Rhexis, did you track the installation? I did. It performed more
> than 5,000 changes to my system.

No, I rarely track installations. What kind of changes are we talking
about here? 5000 sounds like a lot, but depending what constitutes
a 'change', this might not be that big an issue.

I don't have anything to compare it to either.

> Also, have you ever attempted to completely uninstall this?

No, not yet. You sound like you've tried it though. Are you worried about
leftovers in the registry or what?
 
Richard Steinfeld

| No, I rarely track installations. What kind of changes are we talking
| about here? 5000 sounds like a lot, but depending what constitutes
| a 'change', this might not be that big an issue.
|
| I don't have anything to compare it to either.
|
| > Also, have you ever attempted to completely uninstall this?
|
| No, not yet. You sound like you've tried it though. Are you worried about
| leftovers in the registry or what?
|

My experience is that RP is extremely invasive of the OS; it
sinks tentacles very deep so that there are compounded
dependencies. Please see my posts earlier in this NG for some
more detail. Removal the first time took four passes using two
uninstallers, plus individual editing of lines in the registry.

Also, I suggest that you go to Real's site and read the terms of
use/privacy statement. Then ask yourself if this is software that
you want to have on your computer. After reading those gems,
please report back here with a synopsis of what you read and what
you've decided to do.

Richard
 
Rhexis

> My experience is that RP is extremely invasive of the OS; it
> sinks tentacles very deep so that there are compounded
> dependencies. Please see my posts earlier in this NG for some
> more detail. Removal the first time took four passes using two
> uninstallers, plus individual editing of lines in the registry.

Got any msgids I could take a look at?

> Also, I suggest that you go to Real's site and read the terms of
> use/privacy statement.

I did and it read like 98% of all software EULAs. Your headers say
you're an OE user. Isn't that double standards since MS use EULAs
that are just as intrusive if not more?

> Then ask yourself if this is software that you want to have
> on your computer.

I have it installed at the moment. I might uninstall it later though
since I don't use it. I simply don't like the codec and I don't like
the player.

This, as I said, isn't caused by me not liking the EULA as I think it's
par for the course as far as invasive software licenses go.
 
Richard Steinfeld

Rhexis wrote:
|
| I did and it read like 98% of all software EULAs. Your headers
| say you're an OE user. Isn't that double standards since MS
| use EULAs that are just as intrusive if not more?
|

Dunno. It's been a while since I read my MS EULAs. I felt that
Real's was worse when I read it. The statement was basically, "We
will do this to you, we will do that to you, and you will like
it!"


|| Then ask yourself if this is software that you want to have
|| on your computer.
|
| I have it installed at the moment. I might uninstall it later
| though since I don't use it. I simply don't like the codec and
| I don't like the player.
|
| This, as I said, isn't caused by me not liking the EULA as I
| think it's par for the course as far as invasive software
| licenses go.

Perhaps I should read some more invasive ones. As far as the
codecs go, I'd dump them off my box except that the program
content that I like to listen to is almost all exclusively Real.
I've been recently using Real Alternative/Media Player Classic.
I'm certain that the Real Alternative file set is, in fact, just
Real in a different bottle, and definitely a product of Real
Networks. I've also been using jetAudio, which I never let phone
home. As Bogus has detailed, it's all spyware. I find Real is
tolerable for speech; ridiculous for music.

Richard
 
Rhexis

"Richard Steinfeld" wrote in message:
> I'm certain that the Real Alternative file set is, in fact, just
> Real in a different bottle, and definitely a product of Real
> Networks.

I've never claimed that the files aren't made by Real, because that's
pretty obvious. I'm just saying that this is a non-sanctioned, unofficial
/repack/ of their copyrighted files. That's not allowed.

> I find Real is tolerable for speech; ridiculous for music.

Yeah, it pretty much sucks across the board.
 
