StopBadware has released an alert identifying RealPlayer as badware. See our press release here and the complete alert here.

Interestingly, RealPlayer 10.5 and RealPlayer 11, both of which are distributed widely, both violate our badware guidelines, but in different ways.

RealPlayer 10.5 is badware because it doesn’t tell the user that its “Message Center” feature will pop up ads from the system tray if the user doesn’t register the application.

RealPlayer 11 is badware because it installs the Rhapsody Player Engine without notifying the user. When the user uninstalls RealPlayer, Rhapsody Player Engine is left behind, unless the user also knows to uninstall it separately.

RealNetworks, Inc., the publisher of RealPlayer, has been upfront about these behaviors in our conversations with them. They point out that version 11 does not install the ad-serving Message Center by default, and they acknowledge that it was a mistake on their part to not offer to uninstall Rhapsody Player Engine when uninstalling RealPlayer 11. We expect that the next version of RealPlayer will correct the issue and provide better disclosure, and we encourage RealNetworks to work with their downstream partners to ensure that older versions are replaced by the new version.

The bad guys who spread badware for fun and/or profit have a new way to infect your computer: load badware onto digital photo frames, hard drives, and other devices that you’re likely to take home and plug into your PC. Deborah Gage at the San Francisco Chronicle has a great write-up about some infected photo frames sold just before Christmas at major U.S. retailers.

The usual precautions (up-to-date anti-virus and anti-spyware software, up-to-date firewall, all OS and application updates installed) apply here, as these would thwart or reduce the impact of most attacks of this sort.

Brian Krebs at the Washington Post points out an update available to Sun Java, which many PC users have installed, even if they don’t realize it. The update reportedly includes a number of security fixes.

Brian’s post provides instructions on how to check if you have Java installed and how to update it and remove your previous version(s).

Many home and small business users have a wired or wireless router that allows them to share their high-speed internet connection and that helps to protect their network.

According to a report from security vendor Symantec, failing to secure your router with a custom password can, with some help from badware delivered to your PC, lead to a pretty big security threat. This has already been demonstrated “in the wild” by an attack targeting Mexican internet users.

The solution, according to the Symantec report, is fairly simple: change your router’s password from the default to something you’ll remember. (Most major router vendors provide an instruction manual explaining how to log into the router and change the password.)

Security vendor Websense has released a report showing that half of the malware-distributing websites it examined in the second part of 2007 were otherwise legitimate sites that had been hacked. The report points to unpatched software vulnerabilities and problems on shared hosting servers as key infection points for hacked sites.

For the many owners of hacked websites StopBadware has worked with over the past year, the fact that so many other sites are in the same predicament is slim consolation for the damage caused. Many owners of small business, nonprofit, and interest-based sites are what we at StopBadware have come to call “consumer webmasters” – website owners who’ve taken advantage of easy and cheap hosting plans and the simplicity of many content management systems to create fully functioning websites without needing technical skills. When a consumer webmaster’s site is hacked, he or she has no technical staff to turn to, and may not even know where to look online for help.

If you’re a website owner, don’t wait until your site is hacked to find help. Talk with your web hosting provider about their security precautions, and ask them how they’d handle a malicious attack. Look for user forums for the software you use to manage your site, and make sure you’ll be one of the first to know when there are new security updates. Finding a network of others working with the same website setup will mean you have peers to turn to if your site ever does run into problems.

Of course, StopBadware’s own resources are also available. Our security tips for webmasters is designed for owners of any site, whether or not it has been the victim of a hacking attack. And our discussion group is a growing community where webmasters (and any internet user) can seek help and advice. For every internet user, the hacking of legitimate websites is a reason for caution. Even trusted sites can be attacked, so it’s important to protect your computer regardless of where your web surfing takes you. If you don’t know where to begin, start at our help pages on badware.