RealNetworks has released several updates to close security gaps in its media players, including RealPlayer Enterprise and the beta version of RealPlayer 10. The vulnerabilities, if exploited, could give attackers control over victims’ computers.
The Seattle-based company said it has received no reports of actual attacks but has made available updates to solve the problems. The security holes do illustrate the danger of media players that are allowed complete access to computers.
Because these media players typically have full, privileged access to the Internet, they can inadvertently run media files that can carry malicious code, independent security researcher Ryan Russell told TechNewsWorld.
“The vulnerabilities come up all the time,” Russell, the author of Hack Proofing Your Network: Internet Tradecraft, said. “Just look at the number of updates for media players.”
The vulnerabilities discovered and reported by UK-based Next Generation Security Software have the potential to affect hundreds of millions of RealNetworks media player users, the security firm said.
“RealOne/RealPlayer is one of the most widely used products for Internet media delivery,” the company said in an advisory. “There are currently in excess of 200 million users of these products.”
In its own security advisory, RealNetworks said the three exploits affect its RealOne Player for Windows, RealPlayer 10 Beta, RealOne Enterprise and RealPlayer 8.
The company, which worked with Next Generation Security Software researchers to address the security holes, advised customers to install patches it made available for download on its site.
Media File Mischief
Next Generation Security Software reported that by crafting malformed media files, it would be possible for attackers to cause security problems known as buffer overruns in RealPlayer and RealOne Player.
By forcing a user’s Web browser to an Internet site containing such a file, an attacker could execute arbitrary code on the victim’s machine. Or, the user could inadvertently cause the security breakdown by opening an attached media file designed to exploit the vulnerability, Next Generation said.
Russell said it would be fairly easy for an attacker to craft the file and gain access to a user’s machine. Although user action might be required, the security expert said it would be difficult even for technically savvy users to examine media files to find out whether they are hiding malicious code.
Hard To Head Off
Aberdeen Group vice president Jim Hurley, who said he was somewhat surprised by the media player vulnerabilities, told TechNewsWorld that it is extremely difficult for media player vendors to test the security of their software on all the platforms on which they run.
“It’s almost impossible for one supplier to test all of the outcomes of how their products can be hacked,” Hurley said. “It’s almost impossible for RealNetworks to test every permutation of every exploit. It’s just too exhaustive.”
He noted that most organizations do a “good enough” job of testing for known vulnerabilities and of ensuring their media-player software does not allow corruption, failure or degradation. He added that these companies can’t do much more than what they’re doing now. When flaws do emerge, companies issue patches as quickly as possible.
RealNetworks last month announced its newest media player would be compatible with competing Windows Media Audio (WMA) and QuickTime files, but some security experts said the incompatibility among different media players was a mitigating factor in the use of media players as an attack avenue.
Russell said that although an attacker would not be able to craft an attack that would work on all of the different players simultaneously, the incompatibility among players could also cut the other way. For example, attackers could actually target certain communities that use specific players like QuickTime or RealPlayer.
He added that the threat of attack via media player could be heightened by human curiosity about the latest music, video or other media file. “[The threat] can be significant,” Russell said. “While they probably shouldn’t, I think people tend to think of media files as being safe.”