Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Real Player - Zero Day Exploit circulating

A new zero-day RealPlayer exploit is reported to be actively circulating; it uses an ActiveX control vulnerability. RealPlayer uses the ActiveX control to determine functionality, and a maliciously crafted version can allow malware to be installed automatically. Users should avoid or be careful with all RealPlayer files until this is fixed. A kill bit can be set to deactivate the ActiveX control, as noted below.

http://www.symantec.com/enterprise/security_response/weblog/2007/10/realplayer_exploit_on_the_loos.html
http://www.avertlabs.com/research/blog/index.php/2007/10/19/realplayer-zero-day-exploit-hits-the-web/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9043319
http://www.securityfocus.com/bid/26130

QUOTE: Attackers are exploiting a zero-day vulnerability in RealPlayer in order to infect Windows machines running Internet Explorer, Symantec Corp. said late Thursday. The security company issued an alert that rated the threat with its highest possible score.  According to a warning issued to customers of its DeepSight threat network, Symantec said an ActiveX control installed by RealNetworks Inc.'s RealPlayer program is flawed. When combined with Microsoft Corp.'s Internet Explorer (IE) browser -- which relies on ActiveX controls to extend its functionality -- the bug can be exploited and malicious code downloaded to any PC that wanders to a specially crafted site.

KILLBIT CAN BE SET: The vulnerability lies in a RealPlayer ActiveX control, and can be mitigated by setting the appropriate kill bit via the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}

KB Article - How to set Killbit for ActiveX objects
http://support.microsoft.com/kb/240797

Comments

Thomas Scheidegger said:

# October 20, 2007 1:20 AM