Thursday, January 31, 2008

Caught in a (Real) Security Bind

Ryan Naraine writes on eWeek:

RealNetworks finds itself at the mercy of an exploit writer who refuses to share details of a gaping hole in the widely deployed RealPlayer software.

More than a month ago, on Dec. 16, 2007, a Russian security research firm released an exploit for a zero-day vulnerability in RealNetworks' RealPlayer software into a subscription-only exploit package. The vulnerability, which still exists in the most up-to-date version of the cross-platform media player, is still unpatched because RealNetworks has been unable to get data on the bug from the creator of the exploit.

Gleg, one of a handful of legitimate companies that create and sell information on software flaws and exploits, has released a video of the exploit in action as a tease of its availability but, despite repeated pleas from high-level officials at RealNetworks and the Carnegie Mellon Software Engineering Institute CERT/CC (Computer Emergency Response Team), has refused to share details on the bug.

More here.

Note: This has not been a good week for RealNetworks -- their Rhapsody music service was also being used by unscrupulous criminals to serve up malicious banner advertisements, and was also fingered by StopBadware.org for "...failing to accurately and completely disclose the fact that it installs advertising software on the user's computer."
