About a hundred years ago (in Internet terms … so, a couple of years back), I learned about RealPlayer the hard way. Despite the warnings from my friend and all-around knowledgeable good guy Tim, I installed it on my lappie so I could play some interesting bit of fluff from the Internet. I then spent a couple of days trying to get it to a) work and b) allow me to work. [And now I see that it won an “award” for this bad behavior.] Finally, I dumped it (which required, as I recall, much effort) and admonished all my friends much as Tim had me (and, in most cases, with equal effectiveness).

I must say that RealPlayer really hasn’t been in my realm of consciousness lately, save a brief thought a couple weeks back on this news. There are, after all, so many alternatives these days. So I was a bit surprised to learn via US CERT that an update “to address multiple vulnerabilities in several versions of RealPlayer for Windows, Mac, and Linux and several versions of the Helix Player for Linux [which could] allow an attacker to execute arbitrary code” had been released and that their (US CERT’s) recommendation was for “users and administrators to review the RealNetworks, Inc. advisory and apply any necessary updates to help mitigate the risks.”

For those who want a nice synopsis, check out Ryan Naraine’s post “RealPlayer haunted by 11 critical vulnerabilities” – the interesting bit is towards the end:

“RealPlayer is a favorite target for malware writers and fraudware purveyors who rig exploits into Web pages to launch drive-by download attacks. This should be treated as a critical update for all RealPlayer users. If you don’t use the software, you are best advised to uninstall it immediately.”

Others follow up on this last thought in various ways …

  • ArsTechnica said: Those of you who still use RealPlayer should take note of a slew of updates intended to shut the door on some vulnerabilities.
  • Brian Krebs declared: Patch it or Scratch it … Securing your computer isn’t just about making sure the doors and windows into your system are latched and patched: Sometimes, it makes more sense to simply brick up some of these entryways altogether — by getting rid of programs you no longer use.
  • The H Security wrote: Since the proprietary RealMedia format is now barely used, as an alternative to installing the update, users might wish to simply uninstall RealPlayer completely. While few users still have RealPlayer installed, those who do mostly have vulnerable versions, as has been recently demonstrated by The H’s update check. During roughly 140,000 tests over a 30 day period, update check registered around 7,300 installed copies of RealPlayer versions 10.x and 11.x, of which more than 80% were vulnerable.

So, what larger lessons can we take away from this? Here are some ideas that come to mind …

  • Do you know what apps are running on your network assets? If you don’t know what’s running on your endpoints, then you have no idea what your risk profile is … you have no idea what holes someone might exploit to get at your IP, your corporate data, your customers’ data. This is definitely a case where ignorance is NOT bliss.
  • Is what your users have on their endpoints needed? Now that you know what is on all your endpoints, you need to decide what is needed and what is not – what has a legitimate business use or at least is within the bounds of reason, and what is illegitimate, unnecessary, illegal / illicit, or perhaps just a plain old security risk.
  • And is it patched? So now that you’ve gotten rid of the applications that aren’t needed or justified in your network environment, it’s time to make sure the rest are fully patched – after all, it’s almost an article of faith these days that almost 90% of all exploits take advantage of known vulnerabilities for which there is a fix, a patch. Think Conficker or, more recently, the Google Attack.
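
The three questions above can be run as one triage pass over a software inventory. The sketch below is an added example, not something from the posts quoted here; the host names, the `ExampleOffice` and `ExamplePDF` applications, every version number and the policy table are constructed assumptions, and RealPlayer is treated as unapproved purely for illustration.

```python
import csv
import io

# Constructed sample inventory (host, app, installed version), standing in
# for an export from whatever asset-management tool you use.
INVENTORY_CSV = """host,app,version
ws-014,RealPlayer,11.0.4
ws-014,ExampleOffice,14.0.2
ws-022,ExampleOffice,14.1.0
ws-022,ExamplePDF,9.3
lt-007,RealPlayer,10.5
lt-007,ExamplePDF,9.3.1
"""

# Hypothetical policy: approved apps mapped to the minimum fully patched
# version. Anything not listed has no approved business use.
POLICY = {"ExampleOffice": "14.1.0", "ExamplePDF": "9.3.1"}


def parse_version(text):
    """Turn '11.0.4' into (11, 0, 4); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.strip().split("."))


def is_older(installed, minimum):
    """Compare dotted versions, padding the shorter one (9.3 == 9.3.0)."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage(inventory_csv, policy):
    """Answer the three questions per install: known? needed? patched?"""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        app, version = row["app"], row["version"]
        if app not in policy:
            action = "remove"   # not needed: shrink the attack surface
        elif is_older(version, policy[app]):
            action = "patch"    # needed, but below the patched baseline
        else:
            action = "ok"
        findings.append((row["host"], app, version, action))
    return findings


if __name__ == "__main__":
    for host, app, version, action in triage(INVENTORY_CSV, POLICY):
        print(f"{host:8} {app:14} {version:8} -> {action}")
```
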

We in the IT security industry talk a lot about “reducing the attack surface” – and this recent issue involving RealPlayer seems like a good reminder to us all of what that really means. We all need to take the time periodically to take stock of our network assets and do a little pruning: get rid of the detritus that builds up over time, especially in this day and age, when users are more accustomed than ever to downloading apps for this or that perceived need. In a better world, we’d be doing this automatically and on an ongoing basis. By using the right tools, you can get to this better place.