Caught in a (Real) Security Bind

RealNetworks finds itself at the mercy of an exploit writer who refuses to share details of a gaping hole in the widely deployed RealPlayer software.

More than a month ago, on Dec. 16, 2007, a Russian security research firm released an exploit for a zero-day vulnerability in RealNetworks' RealPlayer software into a subscription-only exploit package. The vulnerability, which still exists in the most up-to-date version of the cross-platform media player, is still unpatched because RealNetworks has been unable to get data on the bug from the creator of the exploit.

Gleg, one of a handful of legitimate companies that create and sell information on software flaws and exploits, has released a video of the exploit in action as a tease of its availability but, despite repeated pleas from high-level officials at RealNetworks and the Carnegie Mellon Software Engineering Institute CERT/CC (Computer Emergency Response Team Coordination Center), has refused to share details on the bug.
"We're just hoping we can get the information to investigate and determine if it's legitimate," says RealNetworks Vice President Jeff Chasen. "We've repeatedly asked Gleg to share basic details [of the vulnerability] to help us get it fixed but they said they needed more time. We've done all we can to track down this issue."

Without access to the information, Chasen says it's impossible to figure out if there's something to fix and because of the severity of Gleg's claim, the company is nervous that the information might leak out to the general public and put millions of its customers at risk.
The Gleg exploit is legitimate and described as "very serious" by an IT administrator with access to the company's VulnDisco exploit pack. "Basically, you play a corrupted song file in RealPlayer, you're owned. It's that serious," he said, requesting anonymity for confidentiality reasons.


RealNetworks isn't the first big-name vendor to find itself at the mercy of security researchers looking to cash in on the burgeoning market for software vulnerabilities. Third-party companies like VeriSign's iDefense and 3Com's TippingPoint have created business models around buying and brokering flaw information, and there have been reports of extortion-like attempts at getting companies to pay directly for bug findings.

Gleg founder Evgeny Legerov confirmed his company's refusal to share the RealPlayer exploit details, arguing that he needs "exclusivity" for a few months to help his customers understand the level of risk they face.

"We tried to work with vendors in the past and received a very negative experience," Legerov said in an instant messaging exchange with eWEEK. "So right now, the answer is no, we're not sharing [with RealNetworks]. We need an exclusive time period to protect our customers."

Legerov said his customers pay for access to exploits to do things like study bad programming practice, create IDS (intrusion detection system) signatures and scan networks to look for holes that hackers can use to attack networks.