
April 21, 2000 11:40 AM PDT

RealNetworks patches video server vulnerability

Streaming media giant RealNetworks this morning posted a patch for a flaw in its video servers that leaves them vulnerable to crippling attacks.

The flaw permits what is known as a "denial-of-service" attack against specific RealServers. A denial-of-service attack is one that floods a server with a volume of bogus requests or that exploits a vulnerability so that it can't respond to legitimate demands for information.

A Buenos Aires-based security firm called Underground Security Systems Research (USSR) posted a demonstration exploiting the flaw and a notification to the Bugtraq security mailing list.

RealNetworks learned of the vulnerability and the demonstration exploit, dubbed "realdie.exe," through the Bugtraq post yesterday and finished work on its remedy last night. Patches can be downloaded here.

"As soon as we found out about it, we deployed a tiger team to analyze it, created a fix, put it through quality assurance testing, and posted it," a RealNetworks representative said. "We had a group of developers focused on it for the day. We treat all of these things very seriously."

The denial-of-service attack and its cousin, the distributed denial-of-service attack, gained notoriety this year after attacks brought down major Web sites including Yahoo, eBay and Amazon.com.

In this case, RealNetworks customers did not suffer actual attacks, as far as the company knows. But the release of the demonstration exploit was timed to embarrass RealNetworks in retaliation for its privacy policies, according to the security firm.

USSR, citing two CNET News.com stories on the subject of RealNetworks' privacy policies, wrote in its advisory that it had not notified the company before going public with the vulnerability.

USSR said it had not given RealNetworks the customary heads-up on the vulnerability "for the reason of previous reports of RealNetworks user privacy invasion."

RealNetworks called USSR's aggressive move groundless.

"We never invaded anyone's privacy, so it doesn't make a lot of sense," said the company representative. "We never kept track of what music people were listening to or kept track of individuals."

RealNetworks is urging all customers to take precautions against the exploit.

"We think everybody should download that patch," the representative said. "You always want to treat these things seriously."
