Application security, Incident Response, Malware, Patch/Configuration Management, TDR, Vulnerability Management

In-the-wild attacks target RealPlayer zero-day flaw

Attacks are actively exploiting a zero-day ActiveX vulnerability in RealPlayer, researchers warned today.

Javier Santoyo, senior manager of emerging technologies at Symantec Security Response, said the attacks appear limited in scope, but users nonetheless should take precautions.

"It hits RealPlayer, and RealPlayer is popular," he told today. "And also it's unpatched."

When a user installs RealPlayer, the program installs a browser-helper object and an ActiveX control, which provide additional functionality when using the application in Internet Explorer. But the ActiveX control is flawed and permits attackers to pass long parameters and cause stack-based overflows, Santoyo said.

That results in the ability to execute arbitrary code and infect a victim's machine with a trojan downloader, he said.

Users can become infected when they are lured to malicious rogue websites, likely those that contain third-party advertisements containing malicious JavaScript, Santoyo said.

RealNetworks spokesman Bill Hankes told today that engineers are working on a patch "as we speak" and the company planned to provide a fix timeline today.

The vulnerability affects the most recent RealPlayer versions, 10.5 and 11, he said. The company has received no reports of compromised end-user PCs.

"We take any security vulnerability very seriously," Hankes said.

Santoyo said that in lieu of a patch, businesses can use any of several options to alleviate the threat. They can block the IP addresses used to perpetrate the attack, disable the browser prompt that permits active scripting to execute and set the kill-bit for the affected ActiveX control.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.