funsec mailing list archives
Caught in a (Real) Security Bind
From: "Paul Ferguson" <fergdawg () netzero net>
Date: Thu, 31 Jan 2008 22:57:42 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Via eWeek.

[snip]

RealNetworks finds itself at the mercy of an exploit writer who refuses to share details of a gaping hole in the widely deployed RealPlayer software.

More than a month ago, on Dec. 16, 2007, a Russian security research firm released an exploit for a zero-day vulnerability in RealNetworks' RealPlayer software into a subscription-only exploit package. The vulnerability, which still exists in the most up-to-date version of the cross-platform media player, is still unpatched because RealNetworks has been unable to get data on the bug from the creator of the exploit.

Gleg, one of a handful of legitimate companies that create and sell information on software flaws and exploits, has released a video of the exploit in action as a tease of its availability but, despite repeated pleas from high-level officials at RealNetworks and the Carnegie Mellon Software Engineering Institute CERT/CC (Computer Emergency Response Team), has refused to share details on the bug.

[snip]

More:
http://www.eweek.com/c/a/Security/Caught-in-a-Real-Security-Bind/

Note: This has not been a good week for RealNetworks -- their Rhapsody music service was also used by unscrupulous criminals to serve up malicious banner advertisements:
http://msmvps.com/blogs/spywaresucks/archive/2008/01/28/1483945.aspx

...and also fingered by StopBadware.org for "...failing to accurately and completely disclose the fact that it installs advertising software on the user's computer":
http://www.news.com/8301-10789_3-9862135-57.html

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFHolJiq1pz9mNUZTMRAsNaAJ9/gEFggkJdmj0UBbCpPsPLUzlVsQCcCQSc
LQ2GfRBFOcmvBr/S/OX5vb4=
=xar4
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.