[Love Calm Quiet]

I haven't seen this story covered much, just this note in LA Times online, but it talks about RealPlayer offering a vulnerability to computer systems - without saying if it applies only to PC version or if Macs, too, are vulnerable.
http://www.latimes.com/technology/la...nes-technology

Thought I'd post this in OS X forums since it may be a broader issue than just one piece of software. Anyone heard more about the actual threat? -or have thoughts about the potential for widespread "reputable" software makers (MS excluded) to leave such security breaches in your Mac via software they make available free?

[entrox]

I can't check it right now, because the linked article requires a registration, but I guess you're talking about the exploit in which the player can be made to execute arbitrary code.

There's actually more than one exploit and some of them also apply to all versions. Patches have already been released I think. But I wouldn't worry either way, because attackers will probably only target Windows machines e.g. x86 processors. These won't have an effect on Macs.

[voodoo]

"RealNetworks Inc. said a flaw in its RealPlayer software for playing music over the Internet may let hackers take control of a personal computer.

The problem with RealPlayer, which competes with similar software from Microsoft Corp., allows someone to create a fake song file that when loaded into the program could make the PC run whatever malicious instructions the creator set up, the company said."

That was the entire article. :/

[entrox]

Here's the relevant page from Real with instructions: http://www.service.real.com/help/faq...123_player/EN/

[voodoo]

Originally posted by entrox:
Here's the relevant page from Real with instructions: http://www.service.real.com/help/faq...123_player/EN/

Hrmf. No Mac update.

[macsfromnowon]

No big surprise that Mac update is not out as quickly as Windows

What about the broader issue: until the Mac version is updated do we (at least in theory) need to be careful about what "RealAudio" links we click on when browsing?

[Millennium]

Usually, Macs and PCs are not susceptible to the same security holes; problems in one will not affect the other. This is not entirely the fault of OSX or Windows. A fair amount comes down to nothing more than the chip; PPC code won't run on an x86 machine, and vice versa.

Besides, the codebase for the Windows and OSX versions are so different that it's doubtful the same bug would exist in both versions, unless maybe it was in the codec itself.

[entrox]

Originally posted by Millennium:
A fair amount comes down to nothing more than the chip; PPC code won't run on an x86 machine, and vice versa.

The hole, which allows downloading and executing arbitrary code, is present on all platforms (this is explicitly mentioned by Real). But as you say, I really doubt anyone will start to write PPC-specific exploits for this one. The Windows market just gives a better bang for the buck so to say...

[grobbins]

The Mac OS X player has been getting updates as needed for any security vulnerabilities that may affect it. Since the exploits are so unlikely, particularly on the Mac platform, the Mac release changes haven't been publicized. If you're really concerned, download the latest build of RealOne Player for Mac OS X, 9.0.0.297-C, from the link at the top right corner of http://real.com/

[Toyin]

Theoretically how could real player effect a mac running OSX without asking for an administrator password? Isn't this one of the main reasons that OS X is more secure than Windows?

The argument that Macs are 3-5% of computers out there so no one writes viruses for it is weak. I wouldn't feel secure about this "bang for the buck" theory. Especially with the recent attention focused on security, there are plenty of PC folks who are sick and tired of hearing the Mac community scoff at recent Windows security issues. If there was an easy way to disable Macs, a virus would be written to exploit it. In fact I wouldn't be surprised if Microsoft had someone on the sly write a virus to take down Macs to take the focus off of them.

[grobbins]

Originally posted by Toyin:
Theoretically how could real player effect a mac running OSX without asking for an administrator password?

These security flaws could allow an attacker to execute Javascript code with the wrong privileges (as a local script rather than as a remote, untrusted script.) The script might read a local file or a browser cookie and send that information back to the hacker's site.

[Millennium]

I had been unaware that this hole allowed JavaScript (and, I assume, only JavaScript) to be executed locally. That's a whole different ball game than most buffer overflows (which allow only binary code to be executed), because JavaScript is cross-platform. So yes, Macs could theoretically be affected by this. However, there are some major caveats...

Originally posted by Toyin:
Theoretically how could real player effect a mac running OSX without asking for an administrator password? Isn't this one of the main reasons that OS X is more secure than Windows?

Not quite.

The security hole would allow JavaScript to run locally, but only as the same user which is actually running RealPlayer. If for some stupid reason you're logged in as root, then the script will run as root, and you are Totally Screwed. If you're not logged in as root, then the script runs as you, and so it would still need a password to do anything that you would need a password to do.

This is why you shouldn't log in as root. As long as you don't, any exploit is severely limited in the damage it can do. This is why OSX is more secure than Windows.

The argument that Macs are 3-5% of computers out there so no one writes viruses for it is weak.

It is. This is why OSX has damage-control measures in place to ensure that even if holes like this are found, they are limited in terms of what they can do.

In fact I wouldn't be surprised if Microsoft had someone on the sly write a virus to take down Macs to take the focus off of them.

I wouldn't put it past them to consider it, but I don't think they'd do it; it's too risky. They've been caught doing exactly this sort of thing in the past, and if they're caught again, they stand to lose way too much.

[JLL]

.

[Toyin]

Originally posted by Millennium:
The security hole would allow JavaScript to run locally, but only as the same user which is actually running RealPlayer. If for some stupid reason you're logged in as root, then the script will run as root, and you are Totally Screwed. If you're not logged in as root, then the script runs as you, and so it would still need a password to do anything that you would need a password to do.

This is why you shouldn't log in as root. As long as you don't, any exploit is severely limited in the damage it can do. This is why OSX is more secure than Windows.

Thanks for the informative post. So this still means that this exploit can't hose your system without a password, but it could damage your home folder and get personal information from you.

I never log in as root anymore. I did back in the early days when I experimented with theming, but even back then I wouldn't do any real work since all new/modified files seemed to get owned by root.

[Millennium]

Originally posted by Toyin:
Thanks for the informative post. So this still means that this exploit can't hose your system without a password, but it could damage your home folder and get personal information from you.

That is correct. It cannot damage the home folders of any other users, however, unless each one gets infected in the same way. You cannot infect other users yourself.

[Xeo]

So it sucks on a local level, since everything you have can get lost, but if you're a smart computer user you have everything backed up anyway, in which case, you lose nothing. But thinking realistically, those that will most often get caught by these things are probably of the caliber that doesn't back up, in which case they lose a lot. And there is the final scenario where backups don't matter 'cause the guy stole your keychain, in which case you need to change your passwords often to avoid it. But then, the exploit would HAVE to be OS X specific in that case so we're back to the "who's gonna make a virus for <5% of the users out there."

So in conclusion, back up and change your passwords often. And do as I say, not as I do...