Bad software is not Free
Real Player has a fairly severe security hole. Sigh. It seems there is no such thing as ‘free’ software any longer. While you may not pay for it with cash or credit cards, it’s not really free if you pay for it through Spyware or security holes.
I was in the process of registering for Rich Mogull’s eSeminar, presented by Ziff Davis and sponsored by Oracle, on the 25th of this month. Once I signed up I needed to verify that my system met the minimum requirements. I ran the diagnostic, and I met all but one of the system requirements: Real Player needed to be installed. Argh!
My bias against installing some of these applications like Quicktime, Real Player, AOL Instant Messenger, anything Yahoo or most of the other ‘free’ tools is not just because I don’t trust them. I don’t. My main reason is they have zero respect for me or my machine. I want one specific function … ONE … and I get (what seems like) 50 that I don’t want. I don’t want these other ‘features’ installed, don’t want them automatically turned on, don’t want them resident in memory, don’t want them scanning my machine for software and versions, don’t want them communicating with other software or servers, don’t want them attempting to update themselves, don’t want them installing into the start menu, don’t want them updating the MS registry, don’t want them automatically popping up services and ‘news’ items about Soulja Boy’s baby or Britney Spears’ latest stupidity.
So I installed it … clearly because I am a moron, and I also have some business needs that require Real Player … like this and other e-Seminars. An easy install, but sure enough, it was flagged by AVG and SpyHunter because some of the DLLs are considered Spyware. I quarantined them and I hope that there is nothing else I need to worry about and that the application functions now that I disabled some of the DLLs.
Worry got the better of me and I started searching the web for what sort of vulnerabilities or Spyware is also present. I did not get far. A quick Google search revealed this: http://isc.sans.org/diary.html?storyid=3810. So it opens up a hole on the machine.
OK, fine. Are there known exploits? In fact there is, as documented here: http://isc.sans.org/diary.html?date=2008-01-04, which is a pretty well-executed SQL injection attack, with some well-done obfuscation of the code itself, making it harder for the average person to detect. In a nutshell, the SQL statement queries the sysobjects table looking for all user tables, and recursively scans all of the table references it finds. For every varchar column in the tables found, the program appends a small piece of code. I was not curious enough to find out what that code does. I do not believe the injection attack is smart enough to auto-alter itself depending upon the type of database present, this one looking for SQL Server, but I am sure that enhancement will be in the next release of the attack.
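The defender's counterpart to the traversal described above is a sweep that walks the same catalogue the attack walks (every user table, every text-typed column) and flags rows where a tag has been appended to a stored value. This is an added example, not code from the post or from the SANS diary; sqlite3 and its sqlite_master catalogue stand in for SQL Server and sysobjects, the table contents are constructed sample data, and it assumes the appended "small piece of code" is an HTML script or iframe tag.

```python
"""
Added example (not from the original post): enumerate user tables and their
text-typed columns, then report every row whose value carries an appended
<script> or <iframe> tag. sqlite3 stands in for SQL Server here; the
sqlite_master query plays the role of the sysobjects lookup in the post.
"""
import re
import sqlite3

# Assumption: the injected payload is an HTML tag pulling an external file.
INJECTED_TAG = re.compile(r"<(script|iframe)\b[^>]*>", re.IGNORECASE)
# Whole script element, used when cleaning a value (non-greedy, spans newlines).
SCRIPT_ELEMENT = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

# Column type prefixes treated as "varchar-like" for the sweep.
TEXT_TYPES = ("varchar", "nvarchar", "char", "nchar", "text")


def qid(identifier):
    """Quote an identifier taken from the catalogue so it cannot break the query."""
    return '"' + identifier.replace('"', '""') + '"'


def user_tables(conn):
    """All user tables; sqlite_master is the sqlite analogue of sysobjects."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%'"
    )
    return [r[0] for r in rows]


def text_columns(conn, table):
    """Column names in `table` whose declared type is varchar-like."""
    cols = []
    for _cid, name, ctype, *_rest in conn.execute(f"PRAGMA table_info({qid(table)})"):
        if ctype and any(ctype.lower().startswith(t) for t in TEXT_TYPES):
            cols.append(name)
    return cols


def find_injected_values(conn):
    """Return (table, column, rowid, matched_tag) for every value carrying a tag."""
    hits = []
    for table in user_tables(conn):
        for col in text_columns(conn, table):
            query = (
                f"SELECT rowid, {qid(col)} FROM {qid(table)} "
                f"WHERE {qid(col)} IS NOT NULL"
            )
            for rowid, value in conn.execute(query):
                match = INJECTED_TAG.search(str(value))
                if match:
                    hits.append((table, col, rowid, match.group(0)))
    return hits


def strip_injected_tags(value):
    """Remove appended <script>...</script> elements from a single value."""
    return SCRIPT_ELEMENT.sub("", value)


def build_sample_db():
    """Constructed sample data: two tables, two rows tampered with."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name VARCHAR(100), price REAL);
        CREATE TABLE news (id INTEGER PRIMARY KEY, title NVARCHAR(200), body TEXT);
        INSERT INTO products VALUES (1, 'Widget', 9.99);
        INSERT INTO products VALUES
            (2, 'Gadget<script src="http://example.invalid/x.js"></script>', 19.99);
        INSERT INTO news VALUES (1, 'Plain headline', 'Nothing to see');
        INSERT INTO news VALUES
            (2, 'Headline', 'text<script src="http://example.invalid/x.js"></script>');
        """
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for table, col, rowid, tag in find_injected_values(db):
        print(f"{table}.{col} rowid={rowid}: {tag}")
```

On a real SQL Server the same loop would read table and column names from sysobjects and syscolumns (or the INFORMATION_SCHEMA views) instead of sqlite_master and PRAGMA table_info; the detection pattern and the per-column scan are unchanged. Treat any hit as evidence of a write path into the database, not just dirty data: find the query that allowed it before cleaning the rows.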
OK, is there a patch? Not that I can find. CVE-2007-5601 talks about a buffer overflow attack, but the arbitrary execution of code in this attack does not appear to be reliant on a buffer overflow to initiate. My guess is the author of the first blog post is correct and there is no patch available. I un-installed it and selected an older version, as I figured that the Spyware was not as evolved in the older versions. Sure, it may have vulnerabilities as well, but I needed to pick my threat model, so I picked the unknown threat instead of the known threat.
It’s ironic that I want to watch a database security presentation, and I need to introduce a vulnerability onto my computer to do so, one with known exploits and no patches at this time. Yippee.
Re: Real Player & SQL Injection Attack
But this is a good example of how tiered or multiple levels of security helps catch and stop problems. It's also one of the reasons why I am an advocate of spending as much time and attention to detail on back end infrastructure security as firewall and front end security.