What Is It?
A remote code execution vulnerability has been discovered in an ActiveX control that is part of RealOne Player, RealOne Player v2, and RealPlayer 10.x. This type of vulnerability could allow an unknown attacker to take over your computer, by enticing you to open an infected media file in the affected player. However, Ryan Naraine's Zero Day, on ZDNet, characterizes the active attack as a "drive by malware installation." In other words, a Web advertisement opens in your browser, and code is silently installed from an IFrame hidden in the body of the advertisement.
You could be attacked, and not know it, until weeks later, when the malicious code has already done its dirty deed, and maybe even removed itself.
What Should You Do?
Depending on which Real product you use, you should take the following steps as soon as possible, certainly before you use the player again.
- RealOne Player. Do both of the following steps.
- RealOne Player v2. Do both of the following steps.
- RealPlayer, version 10.0. Do both of the following steps.
- RealPlayer, version 10.5. Apply the patch, available at http://service.real.com/realplayer/security/191007_player/en/securitydb.rnx.
- RealPlayer, version 11 (Beta). Apply the patch, available at http://service.real.com/realplayer/security/191007_player/en/securitydb.rnx.
- RealPlayer 8. This version is unaffected, but is out of date, and unlikely to be supported once RealPlayer 11 becomes production code. (RealPlayer 11 is currently in a public beta phase.) You should consider upgrading.
- RealPlayer, any version, on Apple Macintosh. This version is unaffected.
- RealPlayer, any version, on any version of Linux. This version is unaffected.
- Although the RealNetworks blog instructs users to upgrade to version 10.5, the only upgrade that seems to be available directly from Real is the 11 (beta) version. However, since this is a public beta, it's probably pretty solid.
- The basic player download is the little text link in the upper right corner of the page.
- Although the PC World article implies that you are safe if you use an alternative Web browser, such as Mozilla Firefox, because of the way Microsoft Windows works, I wouldn't count on it. Even if you designate another program as your default Web browser, applications can, and often do, invoke the WebBrowser ActiveX control, which is, for all practical purposes, Internet Explorer.
Because the flaw is being exploited by hiding the exploit code in an IFrame inside a Web advertisement, it is extremely difficult for casual users to detect.
- Main RealPlayer download page, http://www.real.com/player. Note that the basic player download is the little text link in the upper right corner of the page.
- "RealPlayer Attack Circulating," PC World, http://www.pcworld.com/article/id,138706-c,streamingmedia/article.html.
- "RealPlayer Exploit On The Loose," Symantec vulnerabilities and exploits reference pages, http://www.symantec.com/enterprise/security_response/weblog/2007/10/realplayer_exploit_on_the_loos.html.
- "RealPlayer Security Vulnerability," Real Networks Rhapsody blog, http://rws-blog.rhapsody.com/realplayer/2007/10/update---realpl.html.
- "IE users beware: RealPlayer zero-day flaw under attack," in Ryan Naraine's Zero Day, on ZDNet, at http://blogs.zdnet.com/security/?p=599.
- "RealPlayer Zero-Day Flaw Under Attack," Slashdot, http://it.slashdot.org/it/07/10/19/2054223.shtml.
|David Gray, MBA, Chief Wizard
WizardWrx, formerly P6 Consulting
||V: +1 (817) 812-3041
TZ: USA Central, GMT -5
|5006 Cloyce Court
North Richland Hills, TX 76180-6944
|Tell me what you need, and I’ll conjure it.|