October 1, 2004 4:25 PM PDT

Viral movies possible with RealPlayer flaw

By Robert Lemos
Staff Writer, CNET News

Related Stories: Image virus spreads via chat
September 30, 2004; JPEG exploit could beat antivirus software
September 29, 2004; Plug-in flaw leaves RealPlayer users open to attack
April 8, 2004

A software slipup in RealNetworks' music player means that Windows, Mac and Linux computers could be compromised by a fake movie file, a security company said Friday.

The problem means that fake movie files could be created that, when played by vulnerable Real software, would run a program instead. The flaw appears in RealPlayer 10 for Windows and Mac OS X, the RealOne Player for Windows and Mac OS X and the Real Helix Player for Linux.

"Anyone who has RealPlayer is affected, and there are many people with RealPlayer," said Marc Maiffret, chief hacking officer at software security company eEye Digital Security, the company that discovered the security issue.

RealNetworks could not immediately be reached for comment.

RealNetworks has issued patches for the flaw.

The flaw occurs in a component of Real's software that handles Real movie files with the .rm extension, according to eEye's advisory.

Similar to the recent flaw in Windows applications that handle the JPEG image format, this vulnerability affects a widespread piece of software and could be used to create a virus.

"It's similar to the JPEG flaw in the sense that just by viewing the file, or having the file 'force viewed' through a Web browser, your system can be compromised," Maiffret said. "I think both this JPEG vulnerability and the RealPlayer vulnerability are good examples of a type of threat that is becoming more prevalent: client-side vulnerabilities."

Rather than finding a security hole in the operating system and gaining direct access to a computer, attackers are now increasingly looking at exploiting widely used applications.

"Most security software...is not able to defend itself well against these client-based vulnerabilities, leaving companies with few alternatives other than patching," Maiffret said.

4 comments

Join the conversation!Add your comment (Log in or register)

Where are the comments?

I'm completely surprised by the lack of comments on this article.

Where are the usual software bashers when a serious flaw is found in a product from a company other than Microsoft? And this affects Linux too! Can you believe it?! You'd think by some of the comments people make bashing MS and the software they create along with the encouragement to drop Windows and move to Linux that Linux didn't have any vulnerabilities at all. Of course, I find that most of the people making comments like that have no idea what theyre talking about to begin with.

If this had been a MS only issue the threads would have been flying in this forum.

Posted by rdrrichards (24 comments )

October 3, 2004 6:18 AM (PDT) Like Reply Link Flag

I would reply....: ... but I trashed Real Player some time ago. It's hard to complain
about long gone software.

And as far as the company goes, while I do believe that it's staff
is generally less than technically competent, apparently the
company meets the same set of criteria people use to justify
M$'s existance. Well, maybe the net assets category is somewhat
lacking......
Posted by Earl Benser (4342 comments ): October 3, 2004 9:53 AM (PDT) Like Link Flag

Well: MS did it again, oh wait
no they didn't my bad...
Posted by simcity1976 (136 comments ): October 3, 2004 1:26 PM (PDT) Like Link Flag

Join the conversation

Inside CNET News

1-2 of 12

Scroll Left Scroll Right

The view from up there: An astronauts' Aurora Borealis (video)
NASA video gives those of us with our feet firmly planted on the ground a look at the Northern Lights from the International Space Station.

Cutting Edge
Samsung Galaxy Note (AT&T)
Gallery
Supplier chatter points to smaller 8-inch iPad
Apple is talking to component suppliers about an iPad with a smaller screen, the Wall Street Journal reports.

Nanotech - The Circuits Blog
Google's Valentines doodle might make you cry
Google creates an animated doodle that features a boy, a girl, Google's search engine, and a jump rope. But might there be darker, more analytical, more troubling interpretations to this tale?

Technically Incorrect
Tips for keeping your browsing private
Video
Could Google Wallet be Google's next failure?
Six months after its introduction, Google Wallet seems to be no further along than when it started. Will Google kill the project?

Signal Strength
Ethical manufacturing petition delivered to San Francisco Apple Store
Video
WePay has big 2011, still hopes for 'balls to the wall' 2012
The Silicon Valley online payments startup grew by 1,000 percent last year and is hopeful it can repeat that level of growth this year. To do that, it's had to move away from its early friends-and-family roots and embrace small businesses.

Geek Gestalt
Spray-on antenna: Wireless in a can
Chamtech's spray-on antenna uses a nano material to provide a low-power boost to antenna range. The wireless-in-a-can product may some day bring an end to unsightly cell towers.

Crave
Video game Spacewar reborn at 50 (photos)
Gallery
3D Printer Build Week: Day One
3D printers will come ready-made soon, but what's it like building one of the many DIY kits out there? This week, we find out.

Crave
Engineered carbon gives batteries, ultracaps a boost
EnerG2 opens a plant to make an engineered carbon that will improve performance of energy storage devices and make storage for start-stop hybrid cars less expensive.

Cutting Edge