IE users beware: RealPlayer zero-day flaw under attack

Summary: Hackers are actively exploiting a zero-day hole in RealNetworks' RealPlayer media player, a software program installed on tens of millions of Windows computers worldwide.

(See updates below with confirmation from RealNetworks and plans for an emergency RealPlayer patch)

Hackers are actively exploiting a zero-day hole in RealNetworks' RealPlayer media player, a software program installed on tens of millions of Windows computers worldwide.

The in-the-wild attacks, which began late last night (October 18), target a previously unknown and unpatched ActiveX vulnerability in the way RealPlayer interacts with Microsoft's Internet Explorer browser.

The flaw is causing drive-by malware downloads when an IE user simply browses to a maliciously rigged Web page, according to an alert issued by Symantec's DeepSight Threat Management System.

The issue affects an ActiveX object installed by RealPlayer that is accessible over the web using Internet Explorer. By instantiating the object and invoking a specific method, an attacker is able to corrupt process memory and execute arbitrary code with the privileges of the browser. The attack currently known to be in the wild has been confirmed to download malicious code to the compromised host.

According to sources tracking this threat, the attacks are limited in nature and appear to be targeting specific organizations. Some government agencies, including NASA, have reportedly banned the use of Internet Explorer in response to this incident.

"The malware appears to be spreading through a large variety of common and highly-respected Internet sites, however it does not appear these sites are themselves infected. The affected sites are serving solely as a mechanism to attract potential victims."

Confirmed vulnerable: RealPlayer versions 6.0.14.544, 6.0.14.550 (11 Beta), 6.0.12.1662 (10.5), 6.0.12, 6.0.11, and 6.0.10.

TEMPORARY MITIGATION:

In the absence of a patch from RealNetworks, users might want to consider uninstalling the software immediately, or using an alternative Web browser (Mozilla Firefox or Opera) for Web surfing.

Symantec also recommends:

  • Block access to the IPs 83.149.65.105 and 66.199.254.193, as these IP addresses were observed partaking in the attack and have also been observed by honeypots perpetrating other malicious activity.
  • Set the kill bit on the Class identifier (CLSID) FDC7A535-4070-4B92-A0EA-D9994BCC0DC5 (Microsoft instructions for setting kill bit).
  • Ensure that all Microsoft Internet Explorer clients are configured to prompt before executing Active Scripting. If Active Scripting is not required it should be disabled completely.
  • Ensure that all Microsoft Outlook and Outlook Express clients are configured to either display all incoming email in plain text format, or that HTML email messages are opened in the Restricted sites security zone.
  • As most vulnerabilities of this nature rely on JavaScript to carry out exploitation, disable JavaScript whenever possible.
  • Always execute web browser software as a user with minimal system privileges.
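The kill-bit item above is the one mitigation that works without uninstalling RealPlayer, so here is a worked version of it. This is an added example written for this page, not code from the article, Symantec or Microsoft. It assumes what Microsoft's kill-bit procedure documents: IE consults the "Compatibility Flags" DWORD under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}` and refuses to instantiate a control whose value has bit 0x400 set. The function names (`Get-KillBitKeyPath`, `Test-KillBit`, `Set-KillBit`) are my own; the CLSID is the one from the advisory. Run it from an elevated PowerShell prompt.

```powershell
# Added example: set and verify the ActiveX kill bit for the RealPlayer CLSID
# named in the Symantec advisory. Not from the article; function names are mine.
# Kill bit = bit 0x400 of the "Compatibility Flags" DWORD under the CLSID's
# ActiveX Compatibility key. On 64-bit Windows the Wow6432Node key covers 32-bit IE.

$KillBitFlag = 0x400
$Clsid = '{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}'   # CLSID from the advisory

function Get-KillBitKeyPath {
    param([string]$Clsid, [switch]$Wow6432)
    $base = if ($Wow6432) {
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    } else {
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    return Join-Path $base $Clsid
}

# Returns $true only if the key exists and the kill bit is set in its flags.
function Test-KillBit {
    param([string]$Clsid, [switch]$Wow6432)
    $path = Get-KillBitKeyPath -Clsid $Clsid -Wow6432:$Wow6432
    if (-not (Test-Path $path)) { return $false }
    $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -eq $KillBitFlag)
}

# Creates the key if needed and ORs the kill bit into any flags already present,
# so other compatibility flags set for the control are not clobbered.
function Set-KillBit {
    param([string]$Clsid, [switch]$Wow6432)
    $path = Get-KillBitKeyPath -Clsid $Clsid -Wow6432:$Wow6432
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$existing -bor $KillBitFlag      # [int]$null is 0
    New-ItemProperty -Path $path -Name 'Compatibility Flags' -PropertyType DWord `
                     -Value $new -Force | Out-Null
}

Set-KillBit -Clsid $Clsid
if ([Environment]::Is64BitOperatingSystem) { Set-KillBit -Clsid $Clsid -Wow6432 }
"Kill bit set for ${Clsid}: $(Test-KillBit -Clsid $Clsid)"
```

Test-KillBit is worth keeping around after the patch ships: once RealPlayer is updated, the same check tells you whether the kill bit is still in place and blocking the (now fixed) control, which is the usual reason a patched control "still doesn't work" in IE.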

[ UPDATE: October 19, 2007 @ 1:21 PM ] While there is no information on the actual vulnerability in play here, I've found this Milw0rm exploit that discusses an unpatched ActiveX hole affecting RealPlayer.

According to the RealNetworks security updates page, the company hasn't shipped a patch since March 22, 2006.

[ UPDATE: October 19, 2007 @ 5:05 PM ] Via Symantec DeepSight, a step-by-step description of how an attack takes place.

  1. The attacker compromises an advertisement server so that an IFRAME that redirects victims to a malicious Web page is appended to advertisements.
  2. A victim browses the Web to a trusted or untrusted site that hosts ads presented by the compromised ad server. The victim gets redirected to the malicious website hosting the exploit script.
  3. The exploit script then builds a special URI and passes it to another script that determines whether or not to exploit the victim.
  4. The second script attempts to exploit the victim to execute a malicious payload.
  5. Successful exploitation results in the payload downloading and executing the hxxp://66.199.254.193/ads/r.php executable file.
  6. The executable (Trojan.Zonebac) then installs itself into the system and contacts a number of other sites.
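The attack chain above leaves two network indicators that the article itself names (the IPs Symantec asked to be blocked and the r.php payload URL), which is enough to sweep proxy logs for clients that went through steps 2 to 5. This is an added example, not from the article or Symantec: a PowerShell function that matches those indicators against access-log lines and reports the internal client and time. The log format (date, time, client IP, method, URL, status) and the four sample lines are constructed for the example; the indicators are the ones printed in the article.

```powershell
# Added example: sweep proxy/web access-log lines for the network indicators the
# article names, and report which internal client contacted them. Not from the
# article; the log format and sample lines are constructed.

# Most specific pattern first, so the payload download is labelled as such rather
# than as a bare hit on its host IP.
$Indicators = @(
    '66.199.254.193/ads/r.php',   # Trojan.Zonebac payload download (step 5)
    '83.149.65.105',              # IP Symantec asked to be blocked
    '66.199.254.193'              # IP Symantec asked to be blocked
)

# Constructed sample log: <date> <time> <client> <method> <url> <status>
$SampleLog = @'
2007-10-19 09:12:01 10.0.0.17 GET http://news.example/index.html 200
2007-10-19 09:12:03 10.0.0.17 GET http://83.149.65.105/ads/frame.html 200
2007-10-19 09:12:04 10.0.0.17 GET http://66.199.254.193/ads/r.php 200
2007-10-19 09:15:44 10.0.0.23 GET http://news.example/index.html 200
'@ -split "`r?`n"

function Find-Indicators {
    param([string[]]$Lines, [string[]]$Patterns)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $fields = $line -split '\s+'
        foreach ($p in $Patterns) {
            # Substring match; -like with wildcards is case-insensitive in PowerShell.
            if ($line -like "*$p*") {
                [pscustomobject]@{
                    Time      = "$($fields[0]) $($fields[1])"
                    Client    = $fields[2]
                    Url       = $fields[4]
                    Indicator = $p
                }
                break   # one finding per line is enough
            }
        }
    }
}

# Every client that shows up here reached step 2 or later of the chain; a hit on
# the r.php URL means the payload was fetched and the host needs a closer look.
Find-Indicators -Lines $SampleLog -Patterns $Indicators | Format-Table -AutoSize
```

On a real log, replace `$SampleLog` with `Get-Content` on the proxy export and adjust the field indices to that proxy's column order; the matching itself does not depend on the format.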

[ UPDATE: October 19, 2007 @ 8:06 PM ] Via e-mail, RealNetworks spokesman Ryan Luckin says an emergency fix will be available later today to address this vulnerability.

Those users with RealOne Player, RealOne Player v2, and RealPlayer 10 should upgrade immediately to RealPlayer 10.5 or RealPlayer 11 and install the patch to ensure this security vulnerability is addressed.

[ UPDATE: October 20, 2007 @ 10:58 AM ] The RealPlayer patch is now available for download.

There are reports circulating that the exploit code was embedded in advertisements served by 24/7 Real Media, a high-profile digital marketing company.

Talkback

94 comments
  • Wait a minute!

    According to what I've read from the
    Microsoft drones, IE is supposed to
    be "operating in a sand box".

    How is it possible to be attacked by a flaw
    while it's "in a sand box"? (unless it's a
    sand booger, of course)
    Ole Man
    • It is operating in a sandbox. And therefore this is of...

      ...no consequence for Vista users. At least that's what I conclude based on the following advice given from the blog:

      "Always execute web browser software as a user with minimal system privileges."

      Another example of why someone might want to move to Vista.
      ye
      • Changing browsers

        is a lot cheaper.
        frgough
        • But not as secure.

          Other browsers aren't run in a sandbox like IE is.
          ye
          • People should spend a lot of money for better security.

            People aren't really looking to upgrade to Vista. If anything it's high time that
            Microsoft fix its crapware, that way users can be secure for a change.
            Intellihence
          • Then perhaps they should.

            "People aren't really looking to upgrade to Vista"

            Those who choose not to have only themselves to blame.

            "If anything it's high time that Microsoft fix its crapware, that way users can be secure for a change"

            While I disagree with your characterization that it's crapware Microsoft already "fixed" it. It's called Vista.
            ye
          • No, MS hasn't fixed the CRAPware, because it is still called Vista. <NT>

            <NT>
            Intellihence
          • BS.

            > "Those who choose not to have only themselves to blame."

            Typical MS response. "Buy our new improved OS or else it's all your fault for buying our previous piece of bovine dung software."
            Cardinal_Bill
          • How are Mac users going to take advantage of the new security features...

            ...of Leopard if they don't buy it? How is it any different?
            ye
          • You are hilarious Ye

            From what I have read and understood on this thread Ye, you are saying that people
            should upgrade to Vista for better security. Leopard on the other hand said if one
            wants to upgrade to Leopard, they do so by choice, not because Tiger is insecure. I
            honestly have to tell you Ye, you truly are pathetic, and kinda stupid for thinking that
            spin would work. Nice try anyway. Have a nice day.
            The_Nutty_Zealot
          • So you want me to pay 200 bucks for a check-box default?

            Please...just let the folks know how to secure XP. Buying Vista because folks won't share the solution is NOT a good PR move from Microsoft!
            nomoremicrosoft
          • There's a wealth of information on the Internet re: Securing XP

            Just type "securing xp" into Google and receive pages upon pages of advice.
            ye
          • With other browsers

            it's not as important.
            frgough
          • That's because they're not that important.

            IE has the majority of the market.
            ye
          • Market? What market? Does Microsoft make money from IE? No? Then no market!

            Get it? Microsoft WANTED to make money from the internet with IE but it failed in its attempt. Now the only thing making web browsers get market share is security. Mozilla/Netscape/Firefox is getting the mind share here. Don't C.R.A.P. on other browsers just because Microsoft lost their share..focus..passion!

            Microsoft....share your passion with our passion...just don't expect us to keep up!
            nomoremicrosoft
          • MS doesn't have to make money from IE in order for...

            ...marketshare to matter.
            ye
          • What is the problem?

            Everybody here seems to be treating this as an IE problem. Isn't it really yet another Active-X problem?
            JDThompson
        • Yes, but it is quicker to remove Real Player(NT)

          (NT)
          Mujibahr
        • changing browsers

          Changing browsers is not an option in some cases, not all web based programs work with Firefox for instance. I have an application that I use in my work that doesn't work under Firefox only under IE. Therefore change is not an option.
          dhays