Elazar Broad, who isolated a heap overflow flaw in an ActiveX control running on RealPlayer, has also created an exploit, he said. Vulnerability tracking firm Secunia rates the bug -- which was announced on Monday -- as “highly critical,” according to an advisory.
Broad has not publicly released the exploit code, instead choosing to give Real Networks, which provides RealPlayer, time to deliver a patch, he said.
“This bug can potentially be exploited to execute arbitrary [code] in the context of the user running the vulnerable application, in this case, through Internet Explorer,” Broad said.
Ryan Luckin, a Real Networks spokesman, said on Tuesday that the company is “actively looking into this and will provide more information as it becomes available.”
Over time, hackers have shifted their focus to finding holes in popular client-side software, said Eric Schultze, chief technology officer of Shavlik Technologies, a patch management firm.
“I think we've seen fewer server-side vulnerabilities, things that could lead to worms, in general, because Microsoft has done a better job of locking down the operating system,” he said. “So people have turned all their attention to client-side vulnerabilities.”
Cross-platform multimedia players are one of those susceptible third-party, client-side applications.
“Let's face it, media players are popular,” Broad told SCMagazineUS.com in an email. “Apple's QuickTime and Real Networks' RealPlayer hold a lion's share of this market. Additionally, many free and open source players are making their way in as people are looking for leaner, meaner players with less bloat than the more popular commercial ones. That means that many people have these players installed, making it a big fat target for the criminally minded and the vulnerability research community.”
Broad said applications such as RealPlayer often fall victim to code reuse, meaning the same piece of code may be included in many parts of the application. But if it needs fixing, some pieces may be overlooked.
“What usually ends up happening is that the same piece of vulnerable code is reused across many modules and classes, which makes it harder to root it all out, even when doing a code audit,” he said. “Hence, more bugs, and…it seems that media players are the fad now. I am sure that will change over time though.”
Businesses should ensure that end-users update to the latest version of RealPlayer, once it is released, to correct the vulnerability. Real Networks does not issue patches, which would be easier for organizations to distribute to desktops than re-releasing the entire product, Schultze said.
“It's not a particularly enterprise-friendly item to patch,” he said.
In lieu of a fix, Broad suggests users set the kill bit for the affected ActiveX control.
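The kill-bit mitigation mentioned above, as an added example that is not from the article or from Real Networks: a PowerShell sketch that reports and sets the Internet Explorer kill bit (the `Compatibility Flags` value `0x400` under `ActiveX Compatibility`) for one control. The article does not give the control's CLSID, so the value used here is a placeholder, and the function names are hypothetical.

```powershell
# Added example: audit and set the Internet Explorer kill bit for one ActiveX control.
# Assumption: run from an elevated 64-bit PowerShell so both registry views are reachable.
$KillBit   = 0x400                  # Compatibility Flags bit that blocks instantiation in IE
$ValueName = 'Compatibility Flags'
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',             # native view
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'  # 32-bit IE on 64-bit Windows
)

function Get-CompatFlags([string]$Key) {
    # Returns 0 when the key or value is absent (control not restricted).
    if (-not (Test-Path -LiteralPath $Key)) { return 0 }
    $prop = Get-ItemProperty -LiteralPath $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }
    return [int]$prop.$ValueName
}

function Get-KillBitState {
    # Hypothetical helper: one row per registry view, showing whether the kill bit is set.
    param([Parameter(Mandatory)][guid]$Clsid)
    foreach ($root in $Roots | Where-Object { Test-Path -LiteralPath $_ }) {
        $key   = Join-Path $root $Clsid.ToString('B')
        $flags = Get-CompatFlags $key
        [pscustomobject]@{
            Key    = $key
            Flags  = '0x{0:X8}' -f $flags
            Killed = [bool]($flags -band $KillBit)
        }
    }
}

function Set-KillBit {
    # Hypothetical helper: ORs 0x400 into any existing flags instead of overwriting them.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][guid]$Clsid)
    foreach ($root in $Roots | Where-Object { Test-Path -LiteralPath $_ }) {
        $key = Join-Path $root $Clsid.ToString('B')
        if ($PSCmdlet.ShouldProcess($key, 'Set kill bit')) {
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
            $flags = (Get-CompatFlags $key) -bor $KillBit
            Set-ItemProperty -LiteralPath $key -Name $ValueName -Value $flags -Type DWord
        }
    }
}

# PLACEHOLDER CLSID: replace with the CLSID published in the vendor or Secunia advisory.
$Clsid = [guid]'00000000-0000-0000-0000-000000000000'
Get-KillBitState -Clsid $Clsid | Format-Table -AutoSize
# Set-KillBit -Clsid $Clsid -WhatIf    # preview the change; drop -WhatIf to apply it
```

Checking both registry views matters on 64-bit Windows, where 32-bit Internet Explorer reads the `Wow6432Node` copy; a kill bit set in only one view leaves the other browser bitness able to load the control.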