More than a month ago, on Dec. 16, 2007, a Russian security research firm released an exploit for a zero-day vulnerability in RealNetworks' RealPlayer software into a subscription-only exploit package. The vulnerability, which still exists in the most up-to-date version of the cross-platform media player, is still unpatched because RealNetworks has been unable to get data on the bug from the creator of the exploit.
Gleg, one of a handful of legitimate companies that create and sell information on software flaws and exploits, has released of video of the exploit in action as a tease of its availability but, despite repeated pleas from high-level officials at RealNetworks and the Carnegie Mellon Software Engineering Institute CERT/CC (Computer Emergency Response Team), has refused to share details on the bug.
"We're just hoping we can get the information to investigate and determine if it's legitimate," says RealNetworks Vice President Jeff Chasen. "We've repeatedly asked Gleg to share basic details [of the vulnerability] to help us get it fixed but they said they needed more time. We've done all we can to track down this issue."
Without access to the information, Chasen says it's impossible to figure out if there's something to fix and because of the severity of Gleg's claim, the company is nervous that the information might leak out to the general public and put millions of its customers at risk.
The Gleg exploit is legitimate and described as "very serious" by an IT administrator with access to the company's VulnDisco exploit pack. "Basically, you play a corrupted song file in RealPlayer, you're owned. It's that serious," he said, requesting anonymity for confidentiality reasons.
To read more about the zero-day exploit in the RealPlayer software, click here