MS-ISAC ADVISORY NUMBER:
2007-021
DATE(S) ISSUED:
10/19/2007
SUBJECT:
Unpatched RealPlayer ActiveX Component Exploitation
OVERVIEW:
RealPlayer is a media player used to play audio and video files. A new
vulnerability in RealPlayer is currently being exploited on the Internet.
The vulnerability can be exploited if a user visits a malicious web site or
opens a malicious HTML email. If the vulnerability is successfully exploited,
the attacker will have the same rights as the logged-on user, which may
allow the attacker to take complete control of the affected system.
Note that there is currently no patch for this vulnerability.
SYSTEMS AFFECTED:
Real Networks RealPlayer Versions:
- 6.0.14.544
- 6.0.14.550 (11 Beta)
- 6.0.12.1662 (10.5)
- 6.0.12
- 6.0.11
- 6.0.10
RISK:
Government:
Large and medium government entities: High
Small government entities: High
Businesses:
Large and medium business entities: High
Small business entities: High
Home users: High
DESCRIPTION:
RealPlayer is a multi-platform media player by RealNetworks that is capable
of playing a number of different multimedia formats including MP3,
MPEG-4, QuickTime, Windows Media and multiple versions of proprietary
RealAudio and RealVideo codecs.
A new, unpatched vulnerability has been discovered in the RealPlayer ActiveX control and is currently being exploited on the Internet. The vulnerability can be triggered if a user visits a malicious web site or opens a malicious HTML email that loads the control in Internet Explorer. If the vulnerability is successfully exploited, the attacker will have the same rights as the logged-on user, which may allow the attacker to take complete control of the affected system.
A successful attack corrupts memory and executes arbitrary code with the privileges of the logged-on user. If that user has administrative privileges, the attacker can take complete control of the affected system, including adding, modifying or deleting user accounts and programs.
It should be noted that there is currently no patch for this vulnerability. Symantec DeepSight has reported that malicious content exploiting this vulnerability is hosted by servers at the following IP addresses:
- 83.149.65.105
- 66.199.254.193
RECOMMENDATIONS:
We recommend the following actions be considered:
- Set the kill bit on the Class Identifier (CLSID) {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}; further instructions on how to set the kill bit can be found at http://support.microsoft.com/kb/240797
- Ensure that all Microsoft Internet Explorer clients are configured to prompt before executing Active Scripting. If Active Scripting is not required it should be disabled completely.
- Ensure that all Microsoft Outlook and Outlook Express clients are configured to either display all incoming email in plain text format, or that HTML email messages are opened in the Restricted Sites security zone.
- Block access to the IP addresses listed above unless there is a business need to do otherwise. Be advised that this is a temporary measure, as the IP addresses may change.
- Do not visit unknown or un-trusted Web sites or follow links provided by unknown or un-trusted sources.
- Configure Internet Explorer to prompt before running ActiveX Controls or disable ActiveX controls in the Internet Zone.
- Install the appropriate vendor patch as soon as it becomes available after appropriate testing.
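The following PowerShell script is an added worked example and is not part of the MS-ISAC advisory. It applies and then verifies two of the recommendations above on a Windows host: it sets the kill bit for the CLSID named in the advisory (the "Compatibility Flags" DWORD value 0x400 described in KB 240797) and sets the Internet Zone so that ActiveX controls and Active Scripting prompt before running. It assumes an elevated (Administrator) PowerShell session. The Wow6432Node path (the registry view 32-bit Internet Explorer reads on 64-bit Windows) and the Internet Settings zone value names 1200 and 1400 with 0/1/3 meaning enable/prompt/disable are Microsoft's documented registry locations; the function names are this example's own.

```powershell
# Added example, not part of the MS-ISAC advisory: apply and verify two of the
# recommendations on a Windows/IE host. Run from an elevated PowerShell session.

# 1. Kill bit for the RealPlayer control named in the advisory (KB 240797:
#    DWORD "Compatibility Flags" = 0x400 under ActiveX Compatibility\<CLSID>).
$Clsid   = '{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}'
$KillBit = 0x400
$AxPaths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit Internet Explorer on x64 reads the WOW64 registry view, so set it there too.
    $AxPaths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Set-KillBit([string]$Path) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $cur = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $cur) { $cur = 0 }
    # OR the bit in so that any other compatibility flags already present survive.
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value ($cur -bor $KillBit) -Type DWord
}

function Test-KillBit([string]$Path) {
    $v = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $v) -and (($v -band $KillBit) -eq $KillBit)
}

# 2. Internet Zone (zone 3) hardening: 1200 = "Run ActiveX controls and plug-ins",
#    1400 = "Active scripting"; value 0 = enable, 1 = prompt, 3 = disable.
#    HKCU applies to the current user only; a policy-managed zone under HKLM
#    overrides it, so check Group Policy if the setting does not take effect.
$ZonePath     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ZoneSettings = @{ '1200' = 1; '1400' = 1 }   # prompt; use 3 to disable outright

function Set-ZoneSettings([string]$Path, [hashtable]$Settings) {
    foreach ($name in $Settings.Keys) {
        Set-ItemProperty -Path $Path -Name $name -Value $Settings[$name] -Type DWord
    }
}

function Test-ZoneSettings([string]$Path, [hashtable]$Settings) {
    $props = Get-ItemProperty -Path $Path
    foreach ($name in $Settings.Keys) {
        if ($props.$name -ne $Settings[$name]) { return $false }
    }
    return $true
}

foreach ($p in $AxPaths) {
    Set-KillBit $p
    '{0}: kill bit {1}' -f $p, $(if (Test-KillBit $p) { 'SET' } else { 'NOT SET' })
}
Set-ZoneSettings $ZonePath $ZoneSettings
'Internet Zone ActiveX and Active Scripting set to prompt: {0}' -f (Test-ZoneSettings $ZonePath $ZoneSettings)
```

Close and reopen Internet Explorer after running the script; the kill bit is consulted when the control is instantiated, not applied to already-loaded pages. Note that the kill bit only stops Internet Explorer from loading the control; it does not remove or fix RealPlayer, so the vendor patch is still required once it is available.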
REFERENCES:
Security Focus:
http://www.securityfocus.com/bid/26130
Microsoft:
http://support.microsoft.com/kb/240797
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
