The Mac Observer

Real Fixes Security Holes

by , 7:00 AM EDT, June 27th, 2005

Real Networks has issued fixes for four serious security vulnerabilities in its RealPlayer media software. Two of the security holes involve overwriting operating system files to take control of PCs by simply playing a media file.

The most severe of the vulnerabilities appears to be a flaw in RealText, which is part of the RealMedia file format. The hole allows hackers to take over a system, security experts from iDefense warned in a security advisory. The attack method can be used to exploit RealPlayer for OS X, Windows and Linux, as well as the Helix Player for Linux.

iDefense said it knows of no software that has been released that could take advantage of any of the four bugs.

Another vulnerability, which affects most RealPlayer software for Windows as well as Rhapsody, uses the Audio Video Interleaved (.avi), Real media and/or MP3 movie file format to overwrite a compromised PC's heap memory, which in turn allows hackers to take control of a system. The "high" level hack reportedly can be triggered by a Web page containing a movie configured to start playing automatically, according to an advisory from eEye, the security consultancy firm.
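As an added illustration of the heap-overflow class the article describes (this is not Real's code, and the chunk layout is constructed for the example; the article gives no detail of the actual RealText format): a length-prefixed text chunk parser in C, showing the unchecked copy beside the bounds-checked version that a patch of this kind introduces.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a length-prefixed text chunk, standing in for a
 * markup element inside a media file. The layout is invented for this
 * illustration and is NOT the real RealText or RealMedia format. */
#define CHUNK_TEXT_MAX 16

typedef struct {
    char text[CHUNK_TEXT_MAX];
    void (*on_render)(const char *); /* data that an overflow of text[] would clobber */
} text_chunk;

/* Vulnerable pattern (hypothetical): the declared length is copied as-is.
 * A file that declares more bytes than text[] holds overwrites whatever
 * follows it in memory; declaring more than the buffer contains also
 * over-reads. Returns the byte count copied, or -1 on an empty input. */
static int parse_chunk_unsafe(const uint8_t *buf, size_t buflen, text_chunk *out) {
    if (buflen < 1) return -1;
    size_t declared = buf[0];
    memcpy(out->text, buf + 1, declared);
    return (int)declared;
}

/* Hardened version: the declared length must fit both the bytes actually
 * present in the file and the destination buffer (leaving room for NUL).
 * Returns the byte count copied, or -1 when the chunk is rejected. */
static int parse_chunk_safe(const uint8_t *buf, size_t buflen, text_chunk *out) {
    if (buflen < 1) return -1;
    size_t declared = buf[0];
    if (declared > buflen - 1) return -1;      /* claims bytes the file lacks */
    if (declared >= CHUNK_TEXT_MAX) return -1; /* would overrun text[] */
    memcpy(out->text, buf + 1, declared);
    out->text[declared] = '\0';
    return (int)declared;
}

int main(void) {
    /* Constructed inputs: a well-formed chunk and one that lies about its length. */
    const uint8_t good[] = {5, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t lying[] = {200, 'a', 'b'};
    text_chunk c = {{0}, NULL};
    printf("unsafe good -> %d\n", parse_chunk_unsafe(good, sizeof good, &c)); /* 5 */
    printf("safe good   -> %d\n", parse_chunk_safe(good, sizeof good, &c));   /* 5 */
    printf("safe lying  -> %d\n", parse_chunk_safe(lying, sizeof lying, &c)); /* -1 */
    return 0;
}
```

The unsafe parser is only ever run on the well-formed input here; the point is that the two checks in parse_chunk_safe are what stand between a crafted file and an overwrite of the memory after text[].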

Users must download either a patch or new versions of the software, which can be found on Real's support page.

Observer Comments

Name: Wings | Posts: 87 | Joined: 30 Mar 2004
Subject: OSX and the heap

Only 1 of the 4 exploits supposedly affects OSX. From Real's website:
"Exploit 2: To fashion a malicious RealMedia file which uses RealText to cause a heap overflow to allow an attacker to execute arbitrary code on a customer's machine."

Correct me if I'm wrong here, but doesn't OSX place the heap in memory in such a way that a heap overflow does not result in code being executed from the heap?

This statement by TMO, "Two of the security holes involve overwriting operating system files to take control of PCs by simply playing a media file."
That means, "PCs" ONLY, right? (Cause how do you overwrite a SYSTEM file on OSX?)

Name: Small White Car | Posts: 1953 | Joined: 02 Jul 2004
Subject: Re: Get Real

Quote
Anonymous wrote:
Real is a crappy player. I wish QuickTime could play their files


It was Real that tried to play iTunes store music, right?

Apple should make a trade. You can play iTunes music if we can play Real files in Quicktime.

Real would never make that trade because it just might kill their company, but hey, Apple should ask anyway.

Name: Tiger | Posts: 945 | Joined: 17 Jun 2003
Subject: How to avoid this possible exploit

Don't use REAL files.

Ever.

Name: Small White Car | Posts: 1953 | Joined: 02 Jul 2004
Subject:

Quote
Anonymous wrote:
Quote
Tiger wrote:
Don't use REAL files.

Ever.


That sounds nice in the make believe world. However, in the real world we sometimes have to play media files that are in the Real format.
Download the updates and move on.


What files do you have to play? NPR? Washingtonpost.com? They use them, but I'm happy to just read my news and move on. It's the same information, and I don't have to subject my computers to anything from the REAL company.

I've yet to find a Real file that contained information I couldn't get somewhere else.

EDIT: I just checked NPR, in fact, having not been there in awhile. They now offer Windows Media files along with their Real files. Just about any site that actually cares will offer their content in at least 2 formats these days.

Name: Al Swearengen | Posts: 339 | Joined: 10 May 2005
Subject: Reality Bytes

Quote
Guest wrote:
Quote
Tiger wrote:
Don't use REAL files.

Ever.


That sounds nice in the make believe world. However, in the real world we sometimes have to play media files that are in the Real format.
Download the updates and move on.


Yeah sometimes it is the only way to see/hear a file, but when a site offers the choice between Windows Media Player or Real I will choose WMP.

Name: grobbins | Posts: 6 | Joined: 26 Jun 2004
Subject:

Quote
Anonymous wrote:
Remember it says " attack method can be used to exploit RealPlayer for OS X" It's exploiting "RealPlayer" Not OSX. So in OSX RealPlayer F's up. Not the OSX:)


It's a theoretical exploit. Conceivably, someone fairly sophisticated in PowerPC programming could be able to take advantage of it. When a hole is reported, it's fixed and a fix is promptly made available, even though the odds of it ever being exploited are quite slim, especially on the Mac.

Security fixes are routine for all internet software now, including QuickTime.

Name: grobbins | Posts: 6 | Joined: 26 Jun 2004
Subject: Re: Get Real

Quote
Anonymous wrote:
Real is a crappy player. I wish QuickTime could play their files

What problem do you have with RealPlayer 10 for Mac OS X? It's a native, drag-install Mac OS X application, written using Apple's Cocoa interface framework, built on the Helix open-source playback engine. It provides full-screen playback for free, even for QuickTime-compatible files.

Name: Small White Car | Posts: 1953 | Joined: 02 Jul 2004
Subject: Re: Get Real

Quote
grobbins wrote:
Quote
Anonymous wrote:
Real is a crappy player. I wish QuickTime could play their files

What problem do you have with RealPlayer 10 for Mac OS X? It's a native, drag-install Mac OS X application, written using Apple's Cocoa interface framework, built on the Helix open-source playback engine. It provides full-screen playback for free, even for QuickTime-compatible files.


I've never used it and I doubt I ever will. I believe you that it's a nice little program but I just can not make myself trust that company.

3 times in the past I had sworn off of using Real Player for the PC and each time I went back it caused all sorts of new problems for me. After the 3rd time I decided to NEVER trust anything they made, ever again.

That's probably irrational...I'm sure the OS X version IS fine...but, well...it's impossible for me to have the software of a company like that on my Mac. Have you ever made the same mistake 3 times in your life? It's stupid and embarrassing and it's not something you want to think about. Having Real software on any of my computers would be a reminder of that.

No thanks.

Name: grobbins | Posts: 6 | Joined: 26 Jun 2004
Subject: Re: .ram

Quote
Anonymous wrote:
Buffering


Cute, but that string hasn't been in the program for many years. If you're criticizing old versions and haven't used the current one, that would be useful to know.

Quote
...it leaves .ram turds all over the place...


Safari creates those. RealPlayer 10 cleans up after Safari whenever it can safely do so. Safari changed how it hands off files to helper apps, so there was a period during which the player was receiving the files in an unexpected way and could not tell that they were temporary files created by Safari that could be safely deleted.

Quote
...You can't save a file to disk...


That's up to the content provider. Streams may not actually exist as a file even on the server.

Quote
...If you have GoLive installed the .ram files wants to launch that program instead of Real Player. Don't tell me about doing a Get info on a .ram file and telling it to open it with Real Player, that doesn't seem to stick


Mac OS X prior to Tiger did not provide any supported way for applications to affect which program gets launched for a document. It was entirely up to the Mac OS's LaunchServices, which often guesses wrong, and to the user's Get Info choices for each unique file type.

Name: grobbins | Posts: 6 | Joined: 26 Jun 2004
Subject: Re: Get Real

Quote
Small White Car wrote:
That's probably irrational...I'm sure the OS X version IS fine...but, well...it's impossible for me to have the software of a company like that on my Mac.


It's up to you. I'm one of the developers of RealPlayer 10 for Mac OS X, and I've tried quite hard to ensure that no one ever has any reason to regret running it on their Mac. There's no installer for it; you just drag it to your Applications folder, and run it from there. If you download it and give it a try, and find anything at all that you consider inappropriate about its behavior, you can write directly to me at the e-mail address in the program's About window.

Name: Al Swearengen | Posts: 339 | Joined: 10 May 2005
Subject: I upgraded

I had v9 on my system, but hadn't used it in a long time. After reading the posts today I thought I would give it a try. I have a question for grobbins.

I tried some ram files and they downloaded to my download folder, but did not open in the Player, I had to drag and drop. I thought I had it configured properly, just followed the installation prompts. Using Safari to access the ram files.

Name: Small White Car | Posts: 1953 | Joined: 02 Jul 2004
Subject: Re: Get Real

Quote
grobbins wrote:
Quote
Small White Car wrote:
That's probably irrational...I'm sure the OS X version IS fine...but, well...it's impossible for me to have the software of a company like that on my Mac.


It's up to you. I'm one of the developers of RealPlayer 10 for Mac OS X, and I've tried quite hard to ensure that no one ever has any reason to regret running it on their Mac. There's no installer for it; you just drag it to your Applications folder, and run it from there. If you download it and give it a try, and find anything at all that you consider inappropriate about its behavior, you can write directly to me at the e-mail address in the program's About window.


Thanks. Really, deep down I know I have nothing to be worried about. My trust for anyone who works on a Mac actually out-weighs my previously-mentioned concerns.

And I admit my fear is irrational. I guess that's progress? At any rate, there's not currently a site I visit that only has Real files so I haven't been forced into a choice.

Thanks for being here, it is nice to hear from people who know what they're talking about.

Name: grobbins | Posts: 6 | Joined: 26 Jun 2004
Subject: Re: I upgraded

Quote
Al Swearengen wrote:
I tried some ram files and they downloaded to my download folder, but did not open in the Player, I had to drag and drop. I thought I had it configured properly, just followed the installation prompts. Using Safari to access the ram files.

There isn't always a way to fix Safari to properly hand off the downloaded files, as far as I am aware. Try following the steps outlined in RealPlayer's built-in Help (in the Help menu under RealPlayer Online Help; look under Troubleshooting > Launching Player > Other Programs launch.)

Aside from that, you may need to just double-click the downloaded file's icon in Safari's Downloads window, or click the links in one of RealPlayer's built-in browser windows.

Name: Al Swearengen | Posts: 339 | Joined: 10 May 2005
Subject: Thanks grobbin

Thanks for the tips. I thought it might have been me; late afternoon is the time I should be running personal CRON tabs, I am a morning person.

Other than not being able to run the files from Safari, I have not had a problem with the new player.

Quote
grobbins wrote:
Quote
Al Swearengen wrote:
I tried some ram files and they downloaded to my download folder, but did not open in the Player, I had to drag and drop. I thought I had it configured properly, just followed the installation prompts. Using Safari to access the ram files.

There isn't always a way to fix Safari to properly hand off the downloaded files, as far as I am aware. Try following the steps outlined in RealPlayer's built-in Help (in the Help menu under RealPlayer Online Help; look under Troubleshooting > Launching Player > Other Programs launch.)

Aside from that, you may need to just double-click the downloaded file's icon in Safari's Downloads window, or click the links in one of RealPlayer's built-in browser windows.
