Security Watch

Keeping track of patches and hacks in the IT security world.

RealPlayer Slapped with 'Badware' Label

The Google-backed project has slapped a "badware" label on the widely deployed RealPlayer media player for problems associated with disclosure and uninstallation.

For the most part, the non-profit group has reserved the badware label for sketchy spyware-related products but, in a new report, singles out RealNetworks for failing to disclose that RealPlayer 10.5's "Message Center" will display pop-up advertising and for a problem with files that remain after RealPlayer 11 is uninstalled.

"We find that RealPlayer 10.5 is badware because it fails to accurately and completely disclose the fact that it installs advertising software on the user's computer. We additionally find that RealPlayer 11 is badware because it does not disclose the fact that it installs Rhapsody Player Engine software, and fails to remove this software when RealPlayer is uninstalled," according to the report.

"We currently recommend that users do not install the versions of RealPlayer software that we tested, unless the user is comfortable with the software behaviors we identify or until the application is updated to be consistent with the recommendations contained in this report. RealPlayer 11 is currently promoted by RealNetworks at RealPlayer 10.5 is distributed through channels such as Mozilla Firefox's 'Missing Plug-in' feature and the BBC Radio Web site."

The specific problem with RealPlayer 10.5 centers around the software's "Message Center" feature that is used by RealNetworks to advertise the media player's offerings and to provide notification for things like security updates.

"The advertising software bundled with RealPlayer is misleadingly called a 'message center', and is described incompletely and inconspicuously in the EULA as software designed to provide useful software updates. When RealPlayer 10.5 is installed, the advertising features of this 'message center' are enabled by default for users who choose not to register their personal information with RealNetworks after the software is installed."

The project, which is funded by Google, Sun Microsystems and Lenovo and managed by Harvard Law School's Berkman Center for Internet & Society and Oxford University's Oxford Internet Institute, also found badware-related problems with the newest RealPlayer 11.

"RealPlayer 11 does not disclose that it installs Rhapsody Player Engine, and does not remove this software when RealPlayer is uninstalled. Users are not informed by the installer or uninstaller of the connection between RealNetworks and Rhapsody Player Engine."

I had a chat with RealNetworks spokesman Ryan Luckin today about the report and, while the company is in disagreement with some of the conclusions, he said changes will be made to future versions of the software.

RealNetworks no longer distributes RealPlayer 10.5 (although it is still supported) and has already changed the installation default checkboxes that previously installed the "Message Center" by default.

In RealPlayer 11, where an ActiveX Control is used to install the Rhapsody Player Engine, Luckin acknowledged weaknesses in the uninstallation process.

"That was a misstep on our part and something we'll change in a future update," Luckin said.