TechWag

Real Media, the makers of real player and their own systems for music and media have found themselves at the wrong end of a Russian hacker organization. It seems that there is an exploit in Real Player 11, one that has been out there since at least December 16th, that causes a buffer overflow in the player allowing for remote execution of code. Compromised computers here we go.

While we see a lot of exploits against Microsoft, usually they are disclosed, people fix them, patches are released, and everyone breaths a sigh of relief that it was not as bad as it could have been.

The interesting part is when the hackers are selling the exploit, but refuse to release details to the company making the software, which is what is happening to real right now. This is a blackmail kind of issue, as the exploit is out there, but real has no idea where it is in the system, does not have access to the data, and can not recreate it. Unfortunately the exploit works, and works quite well, there is even video on how well it works.

Legerov has responded to criticism by arguing that the exclusivity is required so that his customers can better understand the level of risk that they face. Again, this beggars belief. What do they need to understand other than the client software is broken and needs to be fixed ASAP, unless there were some ulterior motive. As Wysopal says “I know that users with RealPlayer 11 installed will undoubtedly stumble across a malicious music file and their system will have a bot installed running with their logged in privilege level. I’m not sure what additional value I would get as a Gleg customer.” Unless, of course, you were RealNetworks in which case you might be able to run the exploit in lab conditions and patch that vulnerability. But then isn’t that tantamount to blackmail? Source: Daniweb

While it is sad to see one of the corner stone companies in the Seattle area being held hostage by anyone, what makes this even more scary is that this is a repeatable process. People who are in the business of making money off of exploits can keep this kind of thing going for years, with the software developers combing through their own code praying that they have found the issue.

The problem is that code security is hard when you are looking through someone else’s code, it is not easy to do, nor is it quick. The hackers usually share information so that they know where to find the bugs and fix them, when that simple process breaks down, it is not to anyone’s advantage but the hackers.

Tags: education, technology, news, Politics //