If you use the RealPlayer on Internet Explorer, watch out. Researcher Elazar Broad has posted to the Full Disclosure mailing list a so-called heap overflow vulnerability that makes it possible for an attacker to modify heap blocks after they are freed and overwrite certain registers. This could allow code execution on a compromised machine. The vulnerability affects all versions of RealPlayer running under Internet Explorer.
Exploit code for this flaw has not yet been made public.
Until RealNetworks ships a patch, security experts recommend setting the kill bit for the following ActiveX CLSIDs, which prevents Internet Explorer from instantiating the affected controls:
- 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93
- CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA
To avoid the loss of functionality, security experts recommend using RealPlayer in a browser that doesn't support ActiveX, such as Mozilla Firefox (for Windows and Mac).
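The kill-bit mitigation above is a registry setting: Internet Explorer refuses to load a control whose CLSID key under `ActiveX Compatibility` has the 0x400 bit set in `Compatibility Flags`. The following script, an added example and not part of the original advisory or of any RealNetworks tooling, audits the two CLSIDs listed above and sets the bit where it is missing; it assumes an elevated PowerShell session and writes only to the 64-bit registry view (the `Wow6432Node` path is left as a comment).

```powershell
# Added example: audit and set the ActiveX kill bit for the two CLSIDs in the advisory.
# Mechanism: DWORD "Compatibility Flags" with bit 0x400 under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# Run from an elevated PowerShell prompt; on 64-bit Windows also repeat for
#   HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility
$Clsids = @(
    '{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}',
    '{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}'
)
$Base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit = 0x400

# Returns the current Compatibility Flags value for a CLSID, or 0 if none exists.
function Get-CompatFlags {
    param([string]$Clsid)
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { return 0 }
    $v = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $v) { return 0 }
    return [int]$v
}

# True when the kill bit is already present in the flags.
function Test-KillBit {
    param([string]$Clsid)
    return [bool]((Get-CompatFlags $Clsid) -band $KillBit)
}

# ORs the kill bit into the existing flags so other compatibility bits are preserved.
function Set-KillBit {
    param([string]$Clsid)
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $new = (Get-CompatFlags $Clsid) -bor $KillBit
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
}

foreach ($c in $Clsids) {
    if (Test-KillBit $c) {
        Write-Output "$c : kill bit already set"
    } else {
        $before = Get-CompatFlags $c
        Set-KillBit $c
        Write-Output ("$c : kill bit set (flags 0x{0:X} -> 0x{1:X})" -f $before, (Get-CompatFlags $c))
    }
}
```

Re-run the script after patching or upgrading RealPlayer to confirm the state; the kill bit stays in place until it is cleared explicitly, so the controls remain blocked even after a fixed version is installed.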
StopBadware.org said Tuesday it has labeled two versions of the RealPlayer media player as "badware," or spyware.
RealPlayer 10.5, it claims, "fails to accurately and completely disclose the fact that it installs advertising software on the user's computer." And RealPlayer 11, it claims, "does not disclose the fact that it installs Rhapsody Player Engine software, and fails to remove this software when RealPlayer is uninstalled." Ryan Lukin, PR manager for RealNetworks, disputed some of the claims.
Lukin said the Message Center in 10.5 feeds only news and information, product updates, movies, video clips, and is clearly identified during installation. He said the change was that the check boxes in 10.5 were prefilled (requiring you to opt out), whereas in version 11 they were blank (requiring you to opt in). Lukin disagrees that the content served through the Message Center qualified as advertising.
As for version 11, Lukin said that by virtue of being a full-service media player, RealPlayer needs the Rhapsody ActiveX component because people may want to hear Rhapsody-encoded music clips. He agrees that once RealPlayer is uninstalled, the Rhapsody software should also be uninstalled. Lukin said RealNetworks was looking into making this change in a future release.
In the meantime, StopBadware recommends that users not install either version of RealPlayer, "unless the user is comfortable with the software behaviors we identify or until the application is updated to be consistent with the recommendations in this report."
Full details of the StopBadware.org alert about RealPlayer can be found on the organization's site.