[Infowarrior] - RealPlayer users held to ransom

Richard Forno rforno at infowarrior.org
Mon Feb 11 04:26:07 UTC 2008


RealPlayer users held to ransom

Feb 9th, 2008, 7:36 pm

http://www.daniweb.com/blogs/entry2060.html

It has been a couple of months now since a Russian security researcher,
Evgeny Legerov, confirmed that the widely deployed media software RealPlayer
was vulnerable to a zero-day exploit. The Russian company, Gleg, is in the
business of selling information on such exploits and security flaws.
Unfortunately, according to RealNetworks' Vice President Jeff Chasen, Gleg has
been unwilling or unable to provide the data needed to patch the alleged
gaping security hole, despite repeated requests from both RealNetworks and
CERT. Gleg has, on the other hand, posted a video showing the heap
overflow/code execution exploit in action.

According to Chris Wysopal, CTO of the application security code-testing
company Veracode, it was only ever a matter of when, rather than if, the
commercial zero-day exploit market would find a vulnerability in widely
deployed software such as this. "We don't know when this unpatched RealPlayer
vulnerability was introduced into the code," Wysopal says. "It has probably
been latent for many months. Real's customers were vulnerable as soon as
they downloaded this version of RealPlayer. There is currently knowledge
circulating in criminal circles and attackers are using it to compromise
Real's customers."

The fact that Gleg apparently knew how to reproduce this problem at least a
month beforehand, but did not inform the vendor, is quite frankly appalling.
Indeed, there appears to be a legitimate concern over what benefit the
customers of Gleg, who were informed about the problem, would get by having
such client side exploit information before the vendor can patch it.

Legerov has responded to criticism by arguing that the exclusivity is
required so that his customers can better understand the level of risk that
they face. Again, this beggars belief. What do they need to understand, other
than that the client software is broken and needs to be fixed ASAP, unless
there were some ulterior motive? As Wysopal says, "I know that users with
RealPlayer 11 installed will undoubtedly stumble across a malicious music
file and their system will have a bot installed running with their logged-in
privilege level. I'm not sure what additional value I would get as a Gleg
customer." Unless, of course, you were RealNetworks, in which case you might
be able to run the exploit in lab conditions and patch that vulnerability.
But then isn't that tantamount to blackmail?

Wysopal argues, with plenty of merit, that a cooperative solution is a much
safer way for customers to understand the risks of the code they run, and
that it promotes good security hygiene on the vendor side. "We have found that
once vendors know that their big customers are using an independent review
service they are more likely to proactively start doing security testing
within their SDLC," he continues. "A vendor can't bluff their way out of a
comprehensive code assessment like they can from just a single (or a few)
vulnerabilities publicly reported. If their code is full of vulnerabilities
their customers will know."

- Davey Winder, staff writer aka happygeek
