Saturday, January 23, 2010

RealPlayer Versioning (and did I mention you should update it?)

RealPlayer was recently updated to address a number of vulnerabilities.

In theory the RealPlayer AutoUpdate should run and get you up-to-date, according to their privacy page: "A background update check may happen automatically and without advanced notification if RealNetworks deems a critical update is required, such as for urgent security patches and bug fixes."

In practice, if you know what realsched.exe is, and you've disabled it, you should go and update RealPlayer yourself, from the application itself or by downloading a fresh copy at Real.com.

It's not trivial, for me at least, to understand how SecBrowsing can help users identify if they are running a vulnerable version right now. Their versioning system is quite confusing. Here's a snippet of the vulnerability report from RealPlayer for Windows:

Not vulnerable:

  • RealPlayer SP 1.0.2 - 1.0.5

Vulnerable:

  • RealPlayer SP 1.0.0 and 1.0.1
  • RealPlayer 11 (11.0.5 and higher)
  • RealPlayer 11 (11.0.1 - 11.0.4)
  • RealPlayer 11 (11.0.0)
  • RealPlayer 10.5 (6.0.12.1675)
  • RealPlayer 10.5 (6.0.12.1040-6.0.12.1663, 6.0.12.1698, 6.0.12.1741)
  • RealPlayer 10
  • RealPlayer Enterprise

I downloaded a fresh copy of RealPlayer yesterday, installed it on Windows Vista, checked the reported version, and it came back as 6.0.12.448. It's not one of the reported vulnerable versions, I guess, but it's also not "greater than" them in the typical sense.

This makes Mozilla's effort in building a Plugin Directory with version history a more viable alternative to our "latest good version" solution. Mozilla also offers APIs to this service, which even other browsers can use, which is great.

I'm still skeptical about whether we'll be able to identify all these arbitrary versions from the browsers without some help, going forward at least, from the plugin vendors.
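
The matching problem described above, as an added example (not code from SecBrowsing, Mozilla or RealNetworks): it checks a reported build against the RealPlayer 10.5 entries from the advisory snippet as ranges plus discrete builds, and separately flags a build such as 6.0.12.448 that is unlisted yet sorts below every listed one. The function names and result labels are assumptions made for illustration.

```javascript
// Added example. Entries are the RealPlayer 10.5 builds quoted in the post.
const VULNERABLE_10_5 = [
  { exact: "6.0.12.1675" },
  { from: "6.0.12.1040", to: "6.0.12.1663" },
  { exact: "6.0.12.1698" },
  { exact: "6.0.12.1741" },
];

// "6.0.12.1040" -> [6, 0, 12, 1040]; reject anything that is not dotted digits.
function parseVersion(s) {
  const parts = String(s).trim().split(".");
  if (parts.some((p) => !/^\d+$/.test(p))) {
    throw new Error("unparseable version: " + s);
  }
  return parts.map(Number);
}

// Numeric, component-wise compare. A plain string compare gets this wrong:
// "6.0.12.448" > "6.0.12.1040" is true for strings, false for builds.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True if the build equals a discrete entry or falls inside a range entry.
function inAdvisory(version, entries) {
  return entries.some((e) => e.exact
    ? compareVersions(version, e.exact) === 0
    : compareVersions(version, e.from) >= 0 &&
      compareVersions(version, e.to) <= 0);
}

// Lowest build named anywhere in the advisory entries.
function lowestListed(entries) {
  return entries.map((e) => e.exact || e.from)
    .reduce((lo, v) => (compareVersions(v, lo) < 0 ? v : lo));
}

// Labels are illustrative. An unlisted build that sorts below every listed
// one cannot be judged by ordering alone, so it is reported separately.
function classify(version, entries = VULNERABLE_10_5) {
  if (inAdvisory(version, entries)) return "listed";
  return compareVersions(version, lowestListed(entries)) < 0
    ? "unlisted-sorts-below-listed" : "unlisted";
}
```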