[ISN] RealNetworks patches video server vulnerability

From: William Knowles (wk@C4I.ORG)
Date: Sun Apr 30 2000 - 18:16:41 CDT


http://news.cnet.com/news/0-1005-200-1727494.html?tag=st.ne.1002.bgif.1005-200-1727494

By Paul Festa
Staff Writer, CNET News.com
April 21, 2000, 10:40 a.m. PT

Streaming media giant RealNetworks this morning posted a patch for a
flaw in its video servers that leaves them vulnerable to crippling
attacks.

The flaw permits what is known as a "denial-of-service" attack against
specific RealServers. A denial-of-service attack is one that floods a
server with a volume of bogus requests or that exploits a
vulnerability so that it can't respond to legitimate demands for
information.

A Buenos Aires-based security firm called Underground Security Systems
Research (USSR) posted a demonstration exploiting the flaw and a
notification to the Bugtraq security mailing list.

RealNetworks learned of the vulnerability and the demonstration
exploit, dubbed "realdie.exe," through the Bugtraq post yesterday and
finished work on its remedy last night. Patches can be downloaded
here.

"As soon as we found out about it, we deployed a tiger team to analyze
it, created a fix, put it through quality assurance testing, and
posted it," a RealNetworks representative said. "We had a group of
developers focused on it for the day. We treat all of these things
very seriously."

The denial-of-service attack and its cousin, the distributed
denial-of-service attack, gained notoriety this year after attacks
brought down major Web sites including Yahoo, eBay and Amazon.com.

In this case, RealNetworks customers did not suffer actual attacks, as
far as the company knows. But the release of the demonstration exploit
was timed to embarrass RealNetworks in retaliation for its privacy
policies, according to the security firm.

USSR, citing two CNET News.com stories on the subject of RealNetworks'
privacy policies, wrote in its advisory that it had not notified the
company before going public with the vulnerability.

USSR said it had not given RealNetworks the customary heads-up on the
vulnerability "for the reason of previous reports of RealNetworks user
privacy invasion."

RealNetworks called USSR's aggressive move groundless.

"We never invaded anyone's privacy, so it doesn't make a lot of
sense," said the company representative. "We never kept track of what
music people were listening to or kept track of individuals."

RealNetworks is urging all customers to take precautions against the
exploit.

"We think everybody should download that patch," the representative
said. "You always want to treat these things seriously."

-=-
Links:

Underground Security Systems Research: http://www.ussrback.com
Notification: http://www.securityfocus.com/vdb/bottom.html?vid=1128
Patch: http://service.real.com/help/faq/servg270.html
-=-

*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".