RealNetworks advised late Friday that Helix Universal Server 9 and the earlier versions RealSystem Server 8, 7 and RealServer G2 are vulnerable to a remotely exploitable attack that could give a hacker root access to the compromised machine.
As a temporary workaround, the company advised organizations running the software to remove the View Source plug-ins from the /plugins directory, and to restart the server. RealNetworks expects to make patched versions of the software available.
The View Source plug-in reads and displays file format headers in media files, the company said. Removing it disables the Content Browsing feature, but does not prevent any of the server’s other key functions from working.
“We will be making a new version of the Helix Universal Server available to all current customers that resolves this problem,” the company said in a statement. Once the new version is available, RealNetworks will urge customers to upgrade.
A spokesperson said the company became aware of the problem earlier last week, and is aware that some kind of attack kit is available.
The company credited SecurityFocus, a security information site run by Symantec Corp, with alerting it to the problem. SecurityFocus in turn credited Dave Aitel, an independent security researcher and CEO of Immunity Inc, with finding the bug.
Aitel told ComputerWire that he discovered the vulnerability four months ago when he ran Spike, an open-source vulnerability scanner he developed, against the software. He then wrote an exploit and included it in Canvas, a commercial exploit tool he sells to enterprises.
RealNetworks only found out when the exploit started being used, he said. A copy of Canvas accidentally fell into malicious hands, and the subsequent community discussions about it led to the public discovery of the problem.
“I sold a copy of Canvas to a Chinese guy using a stolen credit card,” Aitel said. After that, information about the exploit was leaked and used, he said.
Aitel, who said he believes vendors should secure their own software, said he found the vulnerability in literally 10 seconds, and did not alert RealNetworks to the issue.
He said that the fact that RealNetworks makes Helix source code available was not the reason he was able to find the flaw, but that people using the open-source version will be able to fix the bug themselves and recompile the code, in the absence of an official patch.
“Later on I looked at the source code… I had the exploit written before that,” he said. “People have always been writing exploits for Microsoft products, and they don’t have access to the source code for that.”
Aitel said it’s likely he wasn’t the first to discover the problem, due to the length of time the vulnerable software has been available. “If anyone was doing a customary scan of the software they would have found it,” he said.
Source: Computerwire