NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0421 Researcher Posts RealPlayer Bug Attack Code:
A noted ActiveX researcher has revealed a bug in RealNetworks' RealPlayer that could be exploited
by attackers to hijack Windows machines running Internet Explorer. The researcher, who has uncovered
other ActiveX control vulnerabilities in MySpace, Facebook, and Yahoo software in the last two months,
posted findings to the Full Disclosure security mailing list on Monday that fingered RealPlayer as
flawed. "It is possible to modify heap blocks after they are freed and overwrite certain registers,
possibly allowing code execution," the researcher said in his message to the mailing list. He also
posted proof-of-concept attack code and said he is trying to come up with a working exploit. Danish
vulnerability tracker Secunia rated the RealPlayer bug as "highly critical," its second-highest
ranking, and it said that the flawed ActiveX control - the "rmoc3260.dll" file is the culprit - can
be exploited by the usual method of tricking users into visiting malicious or compromised web sites.
Secunia confirmed the vulnerability in the newest build of RealPlayer 11 and said that earlier
versions may be affected as well. Because the flaw is in an ActiveX control, only Internet Explorer
users are at risk. ActiveX, though widely used by Microsoft to add functionality to its browser,
has been plagued with a huge number of vulnerabilities. According to Symantec Corporation, 89% of
the more than 230 browser plug-in bugs tallied in the first half of 2007 were ActiveX flaws. Some
security professionals, in fact, have called for users to ditch ActiveX. Last month, US-CERT did
just that: "US-CERT encourages users to disable ActiveX controls as described in the Securing Your
Web Browser document," the organization advised. There is no patch for the RealPlayer vulnerability,
but technically astute users can edit the Windows registry to set the "kill bit" for the flawed
control, which stops Internet Explorer from loading it at all. Another alternative, said the SANS
Institute's Internet Storm Center, is to switch browsers; Firefox and Opera, for instance, do not
rely on ActiveX.
(ComputerWorld 11MAR08)
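The registry edit the article mentions, as an added worked example (editor's code, not from the ComputerWorld article, RealNetworks or Secunia): the kill bit is the 0x400 flag in the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, per Microsoft KB 240797. The article names only the file, rmoc3260.dll, not the control's CLSID, so the script below looks the CLSID up from the control's own InprocServer32 registration instead of hard-coding one. The parameter name and the function names are this example's own; the registry paths and the flag value are Microsoft's documented ones.

```powershell
# Added example, not code from the ComputerWorld article or from RealNetworks: find the
# CLSID(s) registered for a given ActiveX DLL and set the Internet Explorer "kill bit" for
# each one, as documented in Microsoft KB 240797 (Compatibility Flags = 0x400). Only the DLL
# name (rmoc3260.dll) comes from the article; its CLSID is not given there, so it is looked
# up in the registry rather than hard-coded. Run from an elevated (administrator) prompt.
param(
    [string]$DllName = 'rmoc3260.dll'
)

$KILL_BIT = 0x400   # COMPAT_EVIL_DONT_LOAD: IE refuses to instantiate the control

# CLSID registrations live under HKCR\CLSID; on 64-bit Windows a 32-bit control such as
# RealPlayer's is registered under HKCR\Wow6432Node\CLSID instead, so both are scanned.
$clsidRoots = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
)

# The kill bit is machine-wide (HKLM); the Wow6432Node copy is what 32-bit IE reads on
# 64-bit Windows, so set both wherever they exist.
$compatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-ClsidsForDll {
    param([string]$Name)
    $pattern = [regex]::Escape($Name) + '$'   # match on the file name at the end of the path
    foreach ($root in $clsidRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($clsidKey in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            # InprocServer32's default value is the path of the DLL that implements the control.
            $server = Get-Item -LiteralPath (Join-Path $clsidKey.PSPath 'InprocServer32') -ErrorAction SilentlyContinue
            if ($server -and ($server.GetValue('') -match $pattern)) {
                $clsidKey.PSChildName   # e.g. "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}"
            }
        }
    }
}

function Set-KillBit {
    param([string]$Clsid)
    foreach ($root in $compatRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }   # no Wow6432Node on 32-bit Windows
        $key = Join-Path $root $Clsid
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the kill bit into any flags already present rather than overwriting them.
        $current = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $flags = [int]$current -bor $KILL_BIT
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $flags -Type DWord
        # Read the value back and verify the bit really landed.
        $check = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags').'Compatibility Flags'
        if (($check -band $KILL_BIT) -ne $KILL_BIT) { throw "Failed to set kill bit under $key" }
    }
}

$clsids = @(Get-ClsidsForDll -Name $DllName | Select-Object -Unique)
if ($clsids.Count -eq 0) {
    Write-Warning "No ActiveX control registered for $DllName on this machine; nothing to do."
    return
}
foreach ($clsid in $clsids) {
    Set-KillBit -Clsid $clsid
    Write-Output "Kill bit set for $clsid ($DllName)"
}
```

Two caveats a practitioner should keep in mind. The kill bit blocks the control only inside Internet Explorer and other MSHTML hosts; it does not remove rmoc3260.dll or stop non-browser applications from loading it. And it persists across reinstalls, which is why vendors normally ship a fixed control under a new CLSID; clearing the 0x400 bit (or deleting the per-CLSID key) is how to undo it if a patched build keeps the old CLSID.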