RealNetworks is warning users of some of its RealPlayer and RealOne media players to remove a plug-in that could allow a remote attack and the running of arbitrary code on their machines.
While Real’s media players are among the most popular user applications around, with more than 200 million deployed worldwide, the Seattle-based company said in a security update that the vulnerability only affects the specialized R3T plug-in, which is installed on a “very small percentage” of players.
Nevertheless, the company said it worked with the finder of the vulnerability — Mark Litchfield of NGS Software — to zero in on and fix the problem.
The security hole revelation comes as RealNetworks releases the final version of its newest RealPlayer 10 media player, which is not affected by the recent issue. However, it is the second set of security concerns for RealNetworks so far this year and highlights the difficulty of locking down security for heavily used media players.
“The problem is, we all have them,” Gartner research vice president Richard Stiennon told TechNewsWorld. “Beyond the browser, it’s one of the most widely deployed applications, and we’ve already told the firewall to allow them to work, so it’s hard to stop.”
Plug-In Problem
RealNetworks said the vulnerability — which affects its RealPlayer 8, RealOne Player, RealOne Player v2 for Windows, RealPlayer 10 Beta and RealPlayer Enterprise versions — can only be leveraged against users who have downloaded the R3T plug-in.
Litchfield reported that by crafting a malformed .R3T file, an attacker could activate a common security breach known as a stack-based overrun in RealPlayer and RealOne Player software.
The security researcher said that by forcing a browser to contact a Web site containing such a file or by enticing a user to open an .R3T file as an e-mail attachment, code could be executed on a target machine with full user privileges.
RealNetworks advised installation of the update the company has made available to remove the vulnerable plug-in.
Not Simple To Secure
The media player hole illustrates the difficulty of securing a program that is widely used in different system configurations. Aberdeen Group vice president Jim Hurley said it is extremely difficult for media player vendors to test the security of their products on all of the various platforms on which they run.
“It’s almost impossible for one supplier to test all of the outcomes of how their products can be hacked,” Hurley told TechNewsWorld. “It’s almost impossible for RealNetworks to test every permutation of every exploit. It’s just too exhaustive.”
While RealNetworks announced earlier this year that its newest version, RealPlayer 10, would be compatible with rival media player files from Windows Media and Apple’s QuickTime, security experts said the increased interoperability might make media players even more of a target.
Danger of Trust
Ryan Russell, independent security expert and co-author of Hack Proofing Your Network: Internet Tradecraft, said that because of the full, privileged access to the Internet given to media players, they are a likely target of attack.
Russell told TechNewsWorld that vulnerabilities such as RealNetworks’ recent hole come up frequently, requiring a large number of media player updates.
In addition, Russell noted, users tend to trust media players and believe media files are not carriers of malicious code or attack methods.
“The threat can be significant,” he said. “While they probably shouldn’t, I think people tend to think of media files as being safe.”