RSSLinux Real, HelixPlayer Users at Risk
By Ed Oswald | Published September 28, 2005, 1:20 PM
A flaw in the Linux and Unix versions of RealPlayer and HelixPlayer could put users at risk of attack, according to at least two security firms. Making matters worse, exploit code is now publicly available on the Internet due to a leak in an Internet chat room.
The problem stems from a format string error that the programs run into when parsing a specially created RealPix or RealText document. An attacker could take complete control of a system by exploiting this vulnerability.
The flaw is only known to occur on the Linux and Unix platforms. Windows and Mac users are currently immune to any attack in this manner, according to security advisories.
The French Security Incident Response Team has labeled the flaw as "critical," it's highest level, and security firm Secunia gave a rating of "highly critical," it's second highest.
"To exploit this remotely, a user just needs to place the created file on a web site and provide a link so users can click the file, launching RealPlayer and [thus] exploiting the vulnerability," a researcher that went by the handle c0ntexb said in an advisory.
Real has been informed of the problem and was working on a fix for it. However, word of the research and the exploit code apparently leaked through discussions on a Internet relay chat (IRC) channel.
"Moral of the story, don't talk about personal research on IRC. Thank you plagiarizers," the researcher said.
Secunia advises users of RealPlayer and HelixPlayer on Linux or Unix platforms not to open RealMedia files from non-trusted sites until a fix is provided.
But no one exploits them do they now
Score: 0
|What Realplayer?
hrmph, I have a fix. apt-get remove realplayer
Score: 0
|Hehe...
Before everyone jumps on the "this proves linux is just as insecure as Windows" wagon, please note that this vulnerability is due to a poorly written app, not the OS.
Score: 0
|I dont need a crap coded app to prove linux has far more vulnerabilities than windows, just subscribe to the securina and security focus mailing lists (daily digests), you will see far more exploits for linux than are ever let out
Score: 0
|Security can be both software security and security via obscurity. Either way, linux has far less active exploits running around than Windows, and thus, for all intents, is far more secure.
Now...will that change? Only if you believe linux will gain a large portion of MS marketshare...which is ... a joke. Really.
Laugh already.
It's funny, dammit.
Score: 0
|With any OS you're gonna get vulnerabilities, but anyone that knows how to install something like Gentoo Linux is probably going to have a properly set up hardware firewall, such as on their router.
Linux has vulnerabilities largely because it isn't set up right. Windows has vulnerabilities largely because it isn't set up right, and because most MS programs are crap that are tied into the system.
Score: 0
|Poorly written apps are the main reason for vulnerabilities in windows as well...Windows as a plain OS and set up properly, is very secure.
Score: 0
|Go count the *LINUX* vulnerabilities versus the *WINDOWS* vulnerabilities and come back to us with a number.
Be sure to not include anything that shows up in add-remove programs on Windows, and the same for Linux.
Score: 0
|