RealPlayer: More ActiveX security headaches
RealPlayer has another ActiveX vulnerability that leaves Windows users on IE at risk.
Elazar Broad, who frequently flags ActiveX problems, issued an alert Sunday on message board lists. Broad is currently working on an exploit for it.
Who: Real Networks http://www.real.com
What: Real Networks Real Player is a popular media player.
How: Real Player utilizes an ActiveX control to play content within the user's browser.
rmoc3260.dll version 6.0.10.45 {2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93} {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}
It is possible to modify heap blocks after they are freed and overwrite certain registers, possibly allowing code execution. Like so:
------------
var buf = '';
while (buf.length < 1005) buf = buf + 'A';
m = obj.Console;
obj.Console = buf;
obj.Console = m
//repeat
m = obj.Console;
obj.Console = buf;
obj.Console = m --> Should crash here
------------
Workaround: Set the killbit for this control. See http://support.microsoft.com/kb/240797
Fix: No official fix known
Exploit: Working on it
Elazar
As noted by Ryan Naraine, Broad is a bit of an ActiveX vulnerability hunter. Broad has also discovered ActiveX security problems with MySpace and Facebook. Why do folks keep ActiveX active?
Those using ActiveX-capable browsers (read: MSIE) are vulnerable to attack, with no patch on the horizon yet.
Workarounds:
* Set killbits for: rmoc3260.dll version 6.0.10.45 {2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93} {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}. But this will also remove the genuine functionality of the player.
* Use a browser that doesn't support ActiveX (there's plenty of those).
More info on disabling ActiveX on IE can be found on Microsoft's site.
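The killbit workaround above, as an added PowerShell example (not part of Broad's advisory or of Microsoft's article): it sets the kill bit, the `Compatibility Flags` value 0x400 described in KB240797, for the two CLSIDs listed, in both the native and 32-bit registry views. It assumes an elevated prompt; the function name `Set-KillBit` is hypothetical.

```powershell
# Added example: apply the IE kill bit to the two RealPlayer CLSIDs from the advisory.
# Assumes an elevated PowerShell session on the affected machine.
$KillBit = 0x400   # "Compatibility Flags" kill bit, per KB240797
$Clsids  = '{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}',
           '{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}'

# 32-bit IE on 64-bit Windows reads the WOW6432Node view, so both are covered.
$Roots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'

function Set-KillBit {   # hypothetical helper name
    param([string]$Root, [string]$Clsid)

    $key  = Join-Path $Root $Clsid
    $name = 'Compatibility Flags'
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Keep any flags already set on the control and OR in the kill bit.
    $before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $before) { $before = 0 }
    $after = $before -bor $KillBit
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $after -Force | Out-Null

    # Read the value back so the report shows what is actually stored.
    $stored = (Get-ItemProperty -Path $key -Name $name).$name
    [pscustomobject]@{
        Key     = $key
        Before  = '0x{0:X}' -f $before
        After   = '0x{0:X}' -f $stored
        Blocked = (($stored -band $KillBit) -eq $KillBit)
    }
}

foreach ($root in $Roots) {
    # Skip the WOW6432Node view on 32-bit Windows, where it does not exist.
    if (-not (Test-Path -Path (Split-Path $root -Parent))) { continue }
    foreach ($clsid in $Clsids) { Set-KillBit -Root $root -Clsid $clsid }
}
```

Every row of the output should show `Blocked = True`; restart IE afterwards so the control is no longer instantiated.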