New Vulnerability in Internet Explorer RealPlayer ActiveX Software

Windows Security : New Vulnerability in Internet Explorer RealPlayer ActiveX Software

Posted by Max on 2008/3/11 15:06:18 (1427 reads)

The very popular RealPlayer software is vulnerable to a heap corruption vulnerability that could put Windows users at risk of code execution Trojans , according to a warning from a security researcher.

Elazar Broad, a hacker who has led an all-out assault on buggy ActiveX controls in popular software products, has issued an alert for the latest RealPlayer glitch, warning that RealPlayer users running Internet Explorer are sitting ducks for drive-by malware downloads.

The vulnerability, released as zero-day (before a patch is available) on public mailing lists, was discovered in the RealAudioObjects.RealAudio (rmoc3260.dll) ActiveX control that ships with all versions of RealNetworks' flagship media player.

According to Broad, who was recently credited with finding ActiveX security issues affecting MySpace and Facebook, it is possible to modify heap blocks after they are freed to overwrite certain registers. This bug could be exploited to execute arbitrary code, he warned.

The bug affects "rmoc3260.dll" Version 6.0.10.45.

It is not the first time a security hole has popped up in the "rmoc3260.dll" ActiveX control. In November 2007, researchers at IBM's ISS X-Force issued an advisory to warn of a denial-of-service issue that could be exploited in tandem with Internet Explorer to crash the RealPlayer application.

RealNetworks has found it difficult to keep pace with a myriad of security problems in its media player. According to data culled from the U.S. CERT (Computer Emergency Readiness Team), numerous ActiveX bugs in RealPlayer have been reported over the last 12 months.

The company has also found itself between a rock and a hard place over the disclosure of RealPlayer zero-day flaw by Gleg, a Russian security research company. Gleg released an exploit for the bug last December in a a subscription-only exploit package but refused to share information on the vulnerability with RealNetworks. That vulnerability remains unpatched.

Exploit code for the ActiveX issue is not yet public but, in the absence of a patch from RealPlayer, security experts recommend disabling the buggy control by setting the killbit for the following ClassIDs:

* 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93
* CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA

This Microsoft KB article explains how to stop an ActiveX control from running in Internet Explorer.

The U.S. CERT recommends disabling ActiveX controls from running by default.

Previous article - Next article

Other articles
2009/11/3 14:55:39 - BitDefender Top Ten Malware Threats for October 09
2009/11/3 14:29:38 - Nov. 09 Microsoft Security Intelligence Report
2009/10/7 15:19:17 - StopSign AntiVirus and Anti-Malware is Windows 7 Compatible
2009/10/7 15:11:26 - New Outlook Backup and Migration Software By Disk Doctors
2009/9/30 4:20:57 - Microsoft Security Essentials, FREE Security Tool Just Released
2009/9/28 14:31:52 - New Rogue Antispyware Cloaked To Infects Computers
2009/9/9 4:31:49 - Trend Micro Proves Leadership in URL Filtering and Web Security
2009/9/9 4:16:20 - New Free Tool to Clean Conficker Once and For All
2009/9/1 8:37:11 - Kaspersky Internet Security 2010 and Kaspersky Anti-Virus 2010 Out Now
2009/9/1 7:54:50 - NEW P2P Advertising Network Protects Users Against Lawsuits And Identity Theft

The comments are owned by the poster. We aren't responsible for their content.