RealPlayer flaws open PCs up to hijackers

ZDNet ^ | February 5, 2004 | Robert Lemos

[gitmo]

RealNetworks acknowledged on Wednesday that three flaws affecting different versions of its media player could allow attackers to create corrupt music or video files that, when played, take control of a victim's PC.

The flaws, found by U.K.-based Next-Generation Security Software, can affect RealNetworks' RealOne Player, RealOne Player version 2, RealPlayer 8, RealPlayer 10 Beta, and the company's RealOne Enterprise products. To exploit them, an attacker crafts the data in a media file in a certain way. When people play or stream the corrupted file in a vulnerable version of RealPlayer, the attacker's code will run, compromising the PC.

[Incorrigible]

Real One is virus! What more would anybody need to do?

[proxy_user]

Some useful info:

You can play .rm videos on Windows Media Player by installing the Real Alternative codec. Unfortunately, it doesn't seem to work with streaming media web sites.

[Leroy S. Mort]

Ya can't post from ZDNet (Ziff-Davis). Sux, but true.

[Rodney King]

I refuse to have realplayer on my computer - it inserts itself everywhere.

[Gorzaloon]

I refuse to have realplayer on my computer - it inserts itself everywhere.

Plus, just watch it bang its head on the firewall constantly.

Nothing worth watching or hearing is in Real format anymore. It's dead.

I saw someone's P-4 turned into a 286 by multiple installations of their Real "control center", though granted, the person himself was not much better than a Sinclair to let that happen...haha.

[Leroy S. Mort]

If you REALLY have a need to play these files you might check out Real Alternative

Can't personally vouch for it, but the comments look pretty good.

[B4Ranch]

Keep the Java Script & ActiveX disabled and there isn't too many viruses that will work.

[zeugma]

I've seen a few articles about this. Does anyone know if this defect is present in the Linux version of the program? It would't be able to do anything except as a user unless you're an idiot running as root, but it's better to be safe than sorry IMO.

[Cicero]

The folks at Real are somewhere to the left of Mao and Lenin, to begin with. And their program is the biggest piece of bloatware in the business. Plus the most recent RealOne versions keep popping up on their own with all kinds of crap. Unfortunately I have to have AOL so my kids can talk to their friends, and AOL installs Realplayer. Two pieces of crummy software.

[LibKill]

I just checked the real homepage and looked at their instructions for fixing this problem.

They said to update. So I went to update and they want money to do so.

I punched out of there.

I have now disabled internet access for RealPlayer in ZoneAlarm and am seriously considering removing it from my system.

[davisfh]

"RealPlayer flaws open PCs up to hijackers"

You're right about RealPlayer being a virus. I recently downloaded the latest version and it promptly took my machine over. Every time that I tried to use some other player (such as Windows Media Player) RealPlayer would jump in and take over. And, if you've ever experienced the results of competing media players, you'll know that it's just no fun.

Within two days of the download, I deleted RealPlayer. My recommendation, in a word, to anyone contemplating downloading this predator woult be "don't!!"

[js1138]

You really should look at the options when you install a media player. You can limit them just to their own file types at istallation, or even after installation.

[philetus]

I use this free player

http://www.jetaudio.com/

New jetAudio 6 once again redefines what a digital player should be. Tons of new features are added in this version, and jetAudio give you the best digital audio/video experience ever as well as the easy-to-use skinnable interface.


What's New in jetAudio 6

Enhanced Audio Experience
-

32bit Audio Processing *
jetAudio processes output of MP3/OGG files as 32bit precision. (32bit output may not work on some sound cards)
-
BBE MP and BBE ViVA Sound Effect *
BBE MP improves brilliance and clarity of music, and BBE ViVA creates an authentic and exciting 3D sound effect from stereo speakers.
-
Synchronized Lyric Support for WMA, OGG files
-
EQ and Low-pass/High-pass/Band-rejection filters while Recording *
-
Silence Detector for Recording *
jetAudio stops recording when silence is detected, and resumes recording if audio level is higher than silence.
- Dynamic Limiter *
Automatically adjusts the maximum audio level to prevent clipping.
- Dynamic Range Control (DRC) *
Automatically adjusts the audio level fluctuation
- Supports LRC format
LRC format (Lyric file format of Winamp) is supported by Lyric Maker and jetAudio.
- New X-Surround Mode
"Normal Surround with Wide Rear" mode is added.
- Supports Windows Media 9's high-definition and multichannel sound
-
Support Windows Media 9's new encoding features
Supports new CBR encoding options (5 ~320 kbps) and VBR encoding
Supports WMA Lossless Codec
Supports WMA Voice Codec
- Automatic Lyric search (Korean only)

Enhanced Video Experience
-
Supports Windows Media 9's high-definition and multichannel sound
- Supports VMR9 (Video Mixing Renderer 9) of DirectX 9
-
Supports OGM (Ogg Media) file formats **
jetAudio can play OGM files with chapter, multi-audio and embedded subtitles support.
-
Supports MKV (Matrovky) file formats **
jetAudio can play MKV files with multi-audio and embedded subtitles support.
- User can display Properties dialog box of DirectShow filters during playback.
- "No Border" option of Video Window
Borders of Video Window can be removed while playback
- Enhanced On-Screen Control
Volume & Screen Size can be adjusted from on-screen control
- Transparency options for Subtitle
Subtitle can be displayed with transparency settings.
- Adjust video screen (Zoom-in, Zoom-out, Move) in Full-Screen mode

Enhanced Internet Broadcast
-
OGG Format Broadcasting
- Supports registration to Shoutcast server (for MP3 format only)
- Private broadcast (for MP3/OGG format)
Listeners who don't know the password can't connect to the station
-
Changeable Metadata string format
Users can change metadata format as they want
- Crossfading when Next button is pressed
- Fade-in/Fade-out when microphone button is pressed.
- Microphone Monitoring
- Supports Station Homepage / XML status report (for MP3/OGG format)

Additional Tools
-
Audio Trimmer *
Trim your audio files and save to supported file formats. Fade In/Out effects are provided.
This tool is very useful for editing recorded audio files through microphone or line-in.

Other New Features
- OSD (On-Screen Display)
jetAudio can display information of current media on screen during playback with transparency options.
- Resume after Stop
jetAudio stores the last playback position and resumes from the position. Very useful for movie playback.
-
Crossfading when Next/Previous track button is pressed
- Program Mode is back !
Convenient playback mode which existed in jetAudio 4 is back ! Now you can change playback order for Audio CD as you want.
- Print function is back !
User-requested feature which existed in jetAudio 4 is back ! Now You can print Album information.
- Transfer tag when Converting
- Write tag when Ripping

* : for Plus version only or requires appropriate Extension Pack.
** : Requires additional codecs from 3rd party.

[gitmo]

That's a new one to me. I'll check it out.

[kylaka]

It takes awhile to tame the Beast, but it can be done, if you stick with version 2. Do a custom install and nix all file associations and turn off all the nag screens.

[ColdSteelTalon]

Real player is chock full of spyware. I removed it from my system long ago...

[Biblical Calvinist]

No; no one needs to have AOL's ISP "just to talk with their friends" using AOL's Instant Messenger. Anyone can use any other IPS; and STILL use AOL's Instant Messenger. The Instant Messaging software is a Free stand alone program.

The Aol Instant Messenger software BY ITSELF will NOT install RealPlayer or ANY OTHER spyware or software.. just the Instant Messaging software. On the OTHER hand; if you install the COMPLETE AOL software - you'll get all kinds of bloatware; including RealPlayer.

I've known a lot of people who think that they have to have AOL's ISP and all of their bloatware JUST to use the Instant Messenging software.. and it simply isn't true.

[Freedom2specul8]

bookmarked to read later.

[Bogey78O]

Plus there's AIM+, DeadAIM, and Trillion. All programs that use the AIM network but give increased functionality.