The Register ®

Comments on ‘IE + RealPlayer = Security hole’

ActiveX also enters into the equation

Published Saturday 20th October 2007 00:11 GMT

The best advice of all... 

By Chris
Posted Saturday 20th October 2007 04:34 GMT
Stop

You forgot the best advice of all.. Don't f'ing use that piece of crap known as Realplayer. Realplayer hasn't been decent for the better part of a decade. If you really must view .rm files (and I personally just do without if I can't find alternate encodings), for the love of all that is holy in IT.. use Media Player Classic or what not.

.. although, using Firefox is a step in the right direction.

Re: The best advice of all... 

By Anonymous Coward
Posted Saturday 20th October 2007 08:39 GMT
Coat

The best piece of advice, surely, is that you should immediately disconnect your cable/adsl/telephone line/paper cups & string/carrier pigeon from your computer at the earliest opportunity?

That way the evil scourge of the Internet need never be a problem again! And whilst you're at it... you may as well take that odd box that sits under your desk which connects to your keyboard & mouse outside, and then run over it a couple of times with the nearest available tank. It'll guarantee you remain (electronic) virus/trojan free...

*Ahem*

same old same old 

By Alan
Posted Saturday 20th October 2007 10:01 GMT

The title should have read "IE + ActiveX = Security hole"

Realplayer was a good thing when it started, I used it for quite a few projects because of the html linking and authoring aspects. The only other thing available at the time was the WMV generator from MS, and apart from it not having any capabilities other than format conversion, it was from MS, so I steered clear.

Too many people jump on the "slag Realplayer" meme today, who have never used it or produced with it, just because it's "funny". I was doing online video over 6 years ago, before flash became the ubiquitous method it is today. For the price and the capability, Real was the best option.

But no, it's easier to have a go at Realplayer for what is essentially the same old MS problem, allowing a public interface to affect private resources. I seem to remember Windows Media player having many similar flaws to this one, and probably still does.

Essentially, if I had the time over again, I would still pick realplayer over WMP, in the same way as I jumped straight onto Phoenix/Firebird/Firefox. Separate the components, and limit the damage. Remember, realplayer doesn't need to be running for this exploit to work, so what's at fault? IE, the ActiveX model or Realplayer?

Unacceptable Use of Terms in Reg Comments 

By Raheim Sherbedgia
Posted Saturday 20th October 2007 13:49 GMT
Stop

I hereby decree that the word "meme" will not be used unless referring to physically handicapped mimes, or something else suitably cool.

Streaming = ugh 

By Richard Neill
Posted Saturday 20th October 2007 14:40 GMT

The real solution would be for websites to just offer proper files for direct download and local playback. You can still start playing the file as it downloads, but you then have none of the disadvantages of streams, such as the ability to accidentally lose connection midway through, and then have to re-start at the beginning. Then, just use an external player for the mpeg[1,2,4] file.

Incidentally, I'd love to see a "Plug me not" extension for firefox, which does the same as konqueror: all plugins are replaced by a button, and the plugin is only started on request. Eg flash,java,etc are too useful to uninstall, but they should only run when prompted. Flash adverts should never run, even when running a flash plugin to display content on that page.

Fourth option 

By Albert Stienstra
Posted Saturday 20th October 2007 14:42 GMT

The fourth option is: get rid of Real Player. This is mostly an ad streamer anyway...

IE? 

By the Accountant
Posted Saturday 20th October 2007 15:48 GMT
Gates Horns

Since no sensible person uses IE isn't this all an irrelevance?

IE? 

By Will Godfrey
Posted Saturday 20th October 2007 18:27 GMT
Unhappy

Unfortunately 'sensible' people are a vanishing minority in today's world so, no, it's not an irrelevance

user of ( M$ + IE + REAL ) = 

By ray hartman
Posted Saturday 20th October 2007 22:48 GMT

Fool. Now what's your question ??

FDC7A535-4070-4B92-A0EA-D9994BCC0DC5 

By Tibb the Cat
Posted Saturday 20th October 2007 23:02 GMT

so how does one "set a killbit in FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"

Readership 

By James Condron
Posted Saturday 20th October 2007 23:19 GMT

Look at all these cool people declaring that they've not used real player since 1859, and that they all use FF because it is 'teh 1337'... how cool are they?

The fact remains that different browsers offer different benefits, different media players the same. It is stupid to claim your choice is better than anyone else's. The point people should be making is

"Telling people to turn on prompting before using ActiveX functions? Who doesn't?"

Come on puppies... the vast majority of the IT managers reading and posting here use FF because their kids suggested it anyway. It doesn't make you any less pathetic, especially since FF is still very buggy. Out of the thousands of available browsers (not including using LWP to make your own) why do you think there are only three or four in contention? Because you all do what you're told, and suffer for it when an exploit is released

Go Chris! re: "The best advice of all..." (remove RealPlayer) 

By Gordon Fecyk
Posted Sunday 21st October 2007 02:31 GMT
Thumb Up

Now this is something I advocate! I've had Real Player crash IE6 on websites that don't even have any Real Player content on it.

And how'd I figure out it was Real? Turned off browser extensions, then turned them back on (Internet Options / Programs / Manage Add-Ons) one by one 'till I found the culprit. Now that's good ol' fashioned troubleshooting.

I wish I could remember the site that crashed it. It was some travel deals site used by travel agents... at one point an update from Real fixed it until a few days later, then I gave up on the damned thing. No one noticed.

Real 

By Anonymous Coward
Posted Sunday 21st October 2007 03:23 GMT

IIRC Real Player was considered to be malware/spyware, and while they claimed to have cleaned up their act, I never really considered trusting them on it.

If you have RealPlayer installed and use Internet Explorer to browse the web 

By James Cleveland
Posted Sunday 21st October 2007 13:58 GMT
Heart

Just buy a damn gun and get it over with, the world doesn't need you.

You can still see Real media 

By Chris
Posted Sunday 21st October 2007 15:22 GMT

Install Media Player Classic and Real Alternative (which includes MPC anyway). Now you can still decode Real media streams, files, etc.

I install CCCP which includes MPC, and then install Real Alternative Lite, which doesn't include MPC. That way CCCP has pre-configured MPC and it mostly Just Works for just about anything.

Real bad 

By FrankR
Posted Sunday 21st October 2007 16:20 GMT

Real Player has always been risky - I remember 9 years ago when many in the UK were still on penny-a-minute dialup people were getting inflated phone bills because it was putting the PC on line without asking so it could report content used. Happened to someone I knew as well as the many reports on the net. At that time I uninstalled it because it stopped my PC defragging.

Ever since it has caused people problems.

Someone asked: "what's at fault? IE, the ActiveX model or Realplayer?" Simple - if your app causes a security hole when used with the most common browsing setup then it's your fault.

Real Player ignores Preferences 

By Gerry
Posted Sunday 21st October 2007 17:49 GMT
Alert

Although Opera is set to delete cookies on exit (and I always delete Private Data anyway), Ad-Aware always shows that Real Player has left a tracking cookie rated as critical.

I've set Real so that it doesn't accept cookies or send back data, but it always seems to ignore my preferences.

What's Real Player?

By Walter Brown
Posted Sunday 21st October 2007 18:54 GMT
Dead Vulture

/sarcasm off

IE + RealPlayer = Security hole 

By Mr R. Percival
Posted Monday 22nd October 2007 02:22 GMT

,', RealPlayer = 0

By now it is not an original sentiment. 

By A. Lewis
Posted Monday 22nd October 2007 07:20 GMT
Paris Hilton

But I've got to agree, reading that article (in fact, even the headline) I thought "well if you've got realplayer installed and are using IE, there's not much hope anyway".

Any other way to listen to BBC? 

By Nigel R
Posted Monday 22nd October 2007 10:38 GMT

I use FF and other media players but they don't work reliably (eg in FF you cannot adjust the player volume on the embedded player page). It just seems easiest to use IE and then, as explicitly recommended on the BBC website (where the player's download link is pointed to), Realplayer free.

RealPlayer + MS Windows = Security hole 

By Stu
Posted Monday 22nd October 2007 10:39 GMT
Flame

@James & Alan above.

The instant RP started putting up adverts, and collecting usage information, and bombing (Atari ST speak for crashing) or breaking some part of Windows, I deinstalled it and have never gone back.

They employ VERY underhanded tactics - just using and configuring RP makes you feel like you're being scammed somehow. RP might as well be classified by Symantec as malware in its own right.

I'm using RealAlternative as a stopgap until the internet is, one day, purged of all Real video and audio content.

I hope Real Corp die a horrible financial death for their crimes to modern computing and business practices.

*Breathes deeply, calms down*

Stu

Plug-me-not 

By Phill Sacre
Posted Monday 22nd October 2007 12:17 GMT

@Richard Neill: "Incidentally, I'd love to see a "Plug me not" extension for firefox, which does the same as konqueror: all plugins are replaced by a button, and the plugin is only started on request. Eg flash,java,etc are too useful to uninstall, but they should only run when prompted. Flash adverts should never run, even when running a flash plugin to display content on that page."

I believe Adblock does this for Flash, unfortunately I haven't (yet) seen the same thing for Java applets etc.

If it Wasn't for Real 

By Joe Stalin
Posted Monday 22nd October 2007 13:18 GMT
Happy

Ok, Real Player gets on my pecs by the way it steals file associations if you so much as look at it. But it was Real that complained to the EU about WMP bundling, and got MS landed with a nice little fine, so they did something right, right?

@Nigel R 

By JB
Posted Monday 22nd October 2007 15:11 GMT

I have Real Alternative and Media Player Classic installed. When installing, it gives you the option to integrate with Firefox, and when you open the RadioPlayer window, there is an option to 'Open in standalone player' which pops up Media Player Classic. Works just fine for me.

Trying to think of why you'd install RP in the first place..

By Andy Bright
Posted Monday 22nd October 2007 23:01 GMT
Alert

Nope, can't think of a single reason.. and even if you couldn't play another real media file (a highly unlikely scenario), I still can't think of an actual disadvantage to not having it.

Security Update from Real 

By Matt Spragins
Posted Thursday 25th October 2007 17:44 GMT

RealNetworks has issued a patch for this vulnerability that users can download here - http://service.real.com/realplayer/security/191007_player/en/

For more information about these patches and how the new RealPlayer has been improved, please visit the RealPlayer blog at www.realplayer.com/blog.

Matt Spragins

Real Networks

Too much of a joke... 

By Michael
Posted Monday 29th October 2007 04:31 GMT
Unhappy

> RealNetworks has issued a patch for this vulnerability

Too late Matt, it's already removed and not coming back.

It was always the buggiest POS I've ever used TBH on windows or linux - it's unlikely you failed to improve it but similarly unlikely you've done enough...
