More than a month ago, on Dec. 16, 2007, a Russian security research firm released an exploit for a zero-day vulnerability in RealNetworks’ RealPlayer software into a subscription-only exploit package. The vulnerability, which still exists in the most up-to-date version of the cross-platform media player, is still unpatched because RealNetworks has been unable to get data on the bug from the creator of the exploit.
Gleg, one of a handful of legitimate companies that create and sell information on software flaws and exploits, has released a video of the exploit in action as a tease of its availability but, despite repeated pleas from high-level officials at RealNetworks and the Carnegie Mellon Software Engineering Institute CERT/CC (Computer Emergency Response Team), has refused to share details on the bug.
“We’re just hoping we can get the information to investigate and determine if it’s legitimate,” says RealNetworks Vice President Jeff Chasen. “We’ve repeatedly asked Gleg to share basic details [of the vulnerability] to help us get it fixed but they said they needed more time. We’ve done all we can to track down this issue.”
Without access to the information, Chasen says it’s impossible to figure out if there’s something to fix and because of the severity of Gleg’s claim, the company is nervous that the information might leak out to the general public and put millions of its customers at risk.
The Gleg exploit is legitimate, according to an IT administrator with access to the company’s VulnDisco exploit pack, who described it as “very serious.” “Basically, you play a corrupted song file in RealPlayer, you’re owned. It’s that serious,” he said, requesting anonymity for confidentiality reasons.
Should companies subscribe to exploit packs?
Legerov described RealPlayer as a “very buggy piece of software,” claiming Gleg has two more exploitable flaws in its pocket. “Our customers need to understand that RealPlayer is a real risk,” Legerov argued.
Dave Aitel, founder and vulnerability researcher at Immunity, believes companies like RealNetworks should subscribe to commercial exploit packs. “It’s a drop in the bucket for them,” Aitel said, noting that access to exploits can take a lot of exploitable bugs off the table.
Immunity, like Gleg, ships exploits to paying subscribers in its CANVAS penetration testing platform, and Aitel argues that software vendors should recognize the value of embracing third-party research as part of the security development lifecycle. Immunity does not share its findings with affected vendors.
Over at Carnegie Mellon’s CERT/CC, vulnerability analyst Chad Dougherty is worried that Gleg’s silence will leave millions of computer users exposed to hacker attacks for a long time.
“We’ve seen this trend develop for a while, where vendors are at the mercy of hackers. In some cases, it gets the information flowing directly to the affected vendor but in cases like this, it’s the end user who suffers,” Dougherty said in an interview.
“For the situation to improve for end users, legitimate users of those commercial exploit kits need to start demanding that the companies that sell them allow users to interact with affected vendors. If you buy these exploit packs for a legitimate reason, you should be demanding some contractual or legal right to contact the affected vendor to get the issue fixed,” he added.
Dougherty’s unit has also tried in vain to get details on the RealNetworks issue from Gleg. “We’d like to see the issue get fixed. We don’t get into the politics of disclosure. Our objective is to get the information flowing in a way that end users are protected.”