New Vulnerability in Internet Explorer RealPlayer ActiveX Software

Windows Security : New Vulnerability in Internet Explorer RealPlayer ActiveX Software

Posted by Max on 2008/3/11 15:06:18 (1264 reads)

The very popular RealPlayer software is vulnerable to a heap corruption vulnerability that could put Windows users at risk of code execution Trojans , according to a warning from a security researcher.

Elazar Broad, a hacker who has led an all-out assault on buggy ActiveX controls in popular software products, has issued an alert for the latest RealPlayer glitch, warning that RealPlayer users running Internet Explorer are sitting ducks for drive-by malware downloads.

The vulnerability, released as zero-day (before a patch is available) on public mailing lists, was discovered in the RealAudioObjects.RealAudio (rmoc3260.dll) ActiveX control that ships with all versions of RealNetworks' flagship media player.

According to Broad, who was recently credited with finding ActiveX security issues affecting MySpace and Facebook, it is possible to modify heap blocks after they are freed to overwrite certain registers. This bug could be exploited to execute arbitrary code, he warned.

The bug affects "rmoc3260.dll" Version 6.0.10.45.

It is not the first time a security hole has popped up in the "rmoc3260.dll" ActiveX control. In November 2007, researchers at IBM's ISS X-Force issued an advisory to warn of a denial-of-service issue that could be exploited in tandem with Internet Explorer to crash the RealPlayer application.

RealNetworks has found it difficult to keep pace with a myriad of security problems in its media player. According to data culled from the U.S. CERT (Computer Emergency Readiness Team), numerous ActiveX bugs in RealPlayer have been reported over the last 12 months.

The company has also found itself between a rock and a hard place over the disclosure of RealPlayer zero-day flaw by Gleg, a Russian security research company. Gleg released an exploit for the bug last December in a a subscription-only exploit package but refused to share information on the vulnerability with RealNetworks. That vulnerability remains unpatched.

Exploit code for the ActiveX issue is not yet public but, in the absence of a patch from RealPlayer, security experts recommend disabling the buggy control by setting the killbit for the following ClassIDs:

* 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93
* CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA

This Microsoft KB article explains how to stop an ActiveX control from running in Internet Explorer.

The U.S. CERT recommends disabling ActiveX controls from running by default.

Previous article - Next article

Other articles
2009/7/1 13:22:13 - Ultimate Firewall : Location Aware WLAN Firewall by Trapeze Networks
2009/6/28 16:04:09 - New Panda 2010 Ultra-Ligh Security Products
2009/6/24 17:08:30 - Red Condor's Spam Trip Wire Detects a New Computer Virus
2009/6/22 4:32:25 - Finjan's Research Unveils Botnet Trading Platform for Hacked PCs
2009/6/22 4:23:14 - Panda GateDefender Integra Delivers 'Plug and Protect' UTM Security Appliance
2009/6/16 15:42:26 - SanDisk Cruzer Enterprise Wins 2009 Product Innovation Award
2009/6/9 9:02:20 - Weekly $100 Sweepstake Launched By BestSecurityTips.com
2009/6/8 11:29:49 - Paretologic Released a New Free Online Malware Scan
2009/6/8 11:13:17 - New Release of Djigzo Open Source Email Encryption Gateway
2009/5/31 17:27:39 - New BitDefender Online Scanner Released

The comments are owned by the poster. We aren't responsible for their content.