The title should have read "IE + ActiveX = Security hole"

Realplayer was a good thing when it started, I used it for quite a few projects because of the html linking and authoring aspects. The only other thing available at the time was the WMV generator from MS, and apart from it not having any capabilities other than format conversion, it was from MS, so I steered clear.

Too many people jump on the "slag Realplayer" meme today, who have never used it or produced with it, just because it's "funny". I was doing online video over 6 years ago, before flash became the ubiquitous method it is today. For the price and the capability, Real was the best option.

But no, it's easier to have a go at Realplayer for what is essentially the same old MS problem, allowing a public interface to affect private resources. I seem to remember Windows Media player having many similar flaws to this one, and probably still does.

Essentially, if I had the time over again, I would still pick realplayer over WMP, in the same way as I jumped straight onto Phoenix/Firebird/Firefox. Separate the components, and limit the damage. Remember, realplayer doesn't need to be running for this exploit to work, so what's at fault ? IE , the ActiveX model or Realplayer ?

The fourth option is: get rid of Real Player. THis is mostly an ad streamer anyway...

The real solution would be for websites to just offer proper files for direct download and local playback. You can still start playing the file as it downloads, but you then have none of the disadvantages of streams, such as the ability to accidentally lose connection midway through, and then have to re-start at the beginning. Then, just us an external player for the mpeg[1,2,4] file.

Incidentally, I'd love to see a "Plug me not" extension for firefox, which does the same as konqueror: all plugins are replaced by a button, and the plugin is only started on request. Eg flash,java,etc are too useful to uninstall, but they should only run when prompted. Flash adverts should never run, even when running a flash plugin to display content on that page.

Fool. Now what's your question ??

so how does one "set a killbit in FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"

Look at all these cool people declaring that they've not used real player since 1859, and that they all use FF because it is 'teh 1337'... how cool are they?

The fact remains that different browsers offer different benefits, different media playser the same. It is stupid to claim your choice is better than anyone elses. The point people should be making is

"Telling people to turn on prompting before using ActiveX functions? Who doesn't?"

Come on puppies... the vast majority of the IT managers reading and posting here use FF because their kids suggested it anyway. It doesn't make you any less pathetic, especially since FF is still very buggy. Out of the thousands of available browsers (not including using LWP to make your own) why do you think there are only three or four in contention? Because you all do what you're told, and suffer for it when an exploit is released

IIrc Real Player was considered to be malware/spyware and while they claimed to have cleaned up their act. I never really considered trusting them on it.

Install Media Player Classic and Real Alternative (which includes MPC anyway). Now you can still decode Real media streams, files, etc.

I install CCCP which includes MPC, and then install Real Alternative Lite, which doesn't include MPC. That way CCCP has pre-configured MPC and it mostly Just Works for just about anything.

Real Player has always been risky - I remember 9 years ago when many in the UK were still on penny-a-minute dialup people were getting inflated phone bills because it was putting the PC on line without asking so it could report content used. Happened to someone I knew as well as the many reports on the net. At that time I uninstalled it because it stopped my PC defragging.

Ever since it has caused people problems.

Someone asked :" what's at fault ? IE , the ActiveX model or Realplayer ?" Simple - if your app causes a security hole when used with the most common browsing setup then its your fault.

,', RealPlayer = 0

I use FF and other media players but they don't work reliably (eg in FF you cannot adjust the player volume on the embedded player page). It just seems easiest to use IE and then, as explicitly recommended on the BBC website (where the player's download link is pointed to), Realplayer free.

@Richard Neill: "Incidentally, I'd love to see a "Plug me not" extension for firefox, which does the same as konqueror: all plugins are replaced by a button, and the plugin is only started on request. Eg flash,java,etc are too useful to uninstall, but they should only run when prompted. Flash adverts should never run, even when running a flash plugin to display content on that page."

I believe Adblock does this for Flash, unfortunately I haven't (yet) seen the same thing for Java applets etc.

I have Real Alternative and Media Player Classic installed. When installing, it gives you the option to integrate with Firefox, and when you open the RadioPlayer window, there is an option to 'Open in standalone player' which pops up Media Player Classic. Works just fine for me.

RealNetworks has issued a patch for this vulnerability that users can download here - http://service.real.com/realplayer/security/191007_player/en/

For more information about these patches and how the new RealPlayer has been improved, please visit the RealPlayer blog at www.realplayer.com/blog.

Matt Spragins

Real Networks