Jan 10

Patch it or Scratch it: RealPlayer


Securing your computer isn’t just about making sure the doors and windows into your system are latched and patched: Sometimes, it makes more sense to simply brick up some of these entryways altogether — by getting rid of programs you no longer use.

There are several programs that I’ve mentioned recently and put in this category (Java, QuickTime, Adobe Reader). Allow me to add another program to this list: RealPlayer. If you have this program installed, ask yourself this question: When was the last time you used it?

When I try to answer that question, I have to think back about three years ago when I wanted to watch a live, streaming video on some U.S. government Web site that didn’t offer any other formats. If I recall correctly, I was able to stream the file with VLC player, a free media player that also can play most RealPlayer content. Before that, I think the last time I got close to using RealPlayer was after my dad died in 2003. I was going through his PC and found that he’d copied to his hard drive a ton of old CDs that I used to hear him listen to quite a bit. I was getting ready to copy them to a removable USB drive (on some Windows 98 systems this is not such an easy task), but when I discovered they were all in Real format, I decided just to wipe the system clean.

If, however, you think you still need this program, then it’s time to update it. RealNetworks has shipped a critical update for RealPlayer on all supported operating systems. The latest version fixes at least 11 serious flaws that could let an attacker seize control over your system just by getting you to view a poisoned .rm file. The latest version is available here.



  1. This is important for another reason: many of us use RealAlternative, which lets us play Real Media without all the advertising and crap associated with Real Player.

    I guess it’s time to uninstall that, and just do without both of the Web sites that still use the format.

  2. Oh, God! Is RealPlayer still around? I thought that program was put out to pasture a long time ago. It was the most ad-laden, ill-conceived app I ever had the displeasure of using. And I agree, VLC does, indeed, rock!

  3. Interestingly, just this morning I signed up for a webcast, on Security, that requires either Windows Media Player, or Real. Since I’m on a Mac I’ll choose Real. But I’m doing the upgrade now, from 11.01 to 11.1.

    Thanks for the ‘heads up’, Brian.

  4. This is what I would say is a fundamental problem with how we use computers these days. Too much emphasis on “coolness” – very little thought given to security and keeping the bad guys out.

    Some of these updates take a considerable amount of time to install, and then you have to reboot afterwards. I am working on my laptop now, and I bet that when I am done with the current one it will want to reboot for some idiotic reason.

    But these are all work machines, so I guess you could say that I get paid to do it. But it isn’t productive work in that it doesn’t involve anything that would directly help a customer or make our product more appealing to customers.

    At home, we have a little netbook with Ubuntu on it. It too gets updates from time to time, but I am simply not as concerned about that machine as I am about any of the others.

    FWIW – I saw reports this morning from our company (to remain nameless) that we have had infections caused by malicious pdf files.

  5. Thanks for the information

  6. Brian,

    You mentioned Java as an optional program above. I noticed that after installing their recent version 6 update 18 that I have several Java console Add-ins for Firefox installed now, which correspond to older versions (Java Console 6.0.16, Java Console 6.0.17, Java Console 6.0.18).

    Do you know if these older consoles pose security risks (i.e. that programs can indicate which version of Java to use)? I thought Java was removing older versions on the update process.


  7. Josef — I don’t know the answer to your question, but it’s a good one and I’ll be happy to put it to someone at Sun.

  8. If you’re a home user, then Secunia PSI – http://secunia.com/vulnerability_scanning/personal/ – is an excellent tool for tracking the patch levels of installed applications and helping you to keep them up-to-date. There’s also an online scanner at http://secunia.com/vulnerability_scanning/online/ if you don’t want to install anything.

  9. Your update link at the bottom of the page (http://service.real.com/realplayer/security/01192010_player/en/) is the advisory page rather than an update page. I’m sure your readers are intelligent enough to scroll down to the “Instructions” section to find the update link to their OS. The users I’m responsible for would just be confounded if they saw that page, so I’m telling them to update thus (copied from the bottom of this page http://real.custhelp.com/app/answers/detail/a_id/3208):
    1. Open RealPlayer and click the Tools menu, then Preferences.
    2. In the Category pane on the left side, click AutoUpdate.
    3. Click the Check for Update now button.

  10. While I agree that VLC Player kicks butt, and has been on my machine for several years, I have to ask myself….

    1. How often do they do security updates?
    2. What makes VLC more secure than, say, RealPlayer?
    3. Does VideoLAN commit any resources to keeping its player safe?

    I am more than happy to remove RealPlayer from my system to patch up any forgotten or unused holes, but am not sure that VLC doesn’t have its own list of potential weaknesses.

  11. The NASA website still uses RealPlayer for streaming. The website says that streaming is provided by Yahoo and that you need to use RealPlayer or Windows Media Player.

    WMP for Windows users and RealPlayer for Macs. I use Windows XP and have never been able to view NASA streams with WMP; I always have to use RealPlayer.

  12. How about Real Alternative?


    It takes up less room than its namesake. I only used Real for music streams that, for whatever reason, use the Real format. RealAlt performs the function with none of the baggage.