RealPlayer: More ActiveX security headaches

RealPlayer has another ActiveX vulnerability that leaves Windows users on IE at risk.

Elazar Broad, who frequently flags ActiveX problems, issued an alert Sunday on message board lists. Broad is currently working on an exploit for it.

Here's the message:

Who: Real Networks http://www.real.com

What: Real Networks Real Player is a popular media player.

How: Real Player utilizes an ActiveX control to play content within the user's browser.

rmoc3260.dll version 6.0.10.45 {2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93} {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}

It is possible to modify heap blocks after they are freed and overwrite certain registers, possibly allowing code execution. Like so:

------------
var buf = '';
while (buf.length < 1005) buf = buf + 'A';

m = obj.Console; obj.Console = buf; obj.Console = m

//repeat m = obj.Console; obj.Console = buf; obj.Console = m --> Should crash here
------------

Workaround: Set the killbit for this control. See http://support.microsoft.com/kb/240797

Fix: No official fix known

Exploit: Working on it

Elazar

As noted by Ryan Naraine, Broad is a bit of an ActiveX vulnerability hunter. Broad has also discovered ActiveX security problems with MySpace and Facebook. Why do folks keep ActiveX active?

SANS said the following:

Those using ActiveX capable browsers (read: MSIE) are vulnerable to attack, with no patch on the horizon yet.

Workarounds:

* Set killbits for: rmoc3260.dll version 6.0.10.45 {2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93} {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}. But this will also remove the genuine functionality of the player.

* Use a browser that doesn't support ActiveX (there's plenty of those).

More info on disabling ActiveX on IE can be found on Microsoft's site.
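The kill-bit workaround both Broad and SANS recommend can be applied and verified from an elevated PowerShell session. The script below is an added example, not code from the article, Real Networks or SANS; it uses the KB240797 mechanism (a DWORD "Compatibility Flags" with bit 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}) for the two CLSIDs listed above, and resolves each CLSID's InprocServer32 entry so you can confirm it really points at rmoc3260.dll before blocking it.

```powershell
# Added example: set and verify the IE kill bit for the rmoc3260.dll CLSIDs.
# Assumes an elevated session; function names are this example's own.

$KillBit    = 0x400   # the kill-bit flag documented in KB240797
$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$ClsIds     = @('{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}',
                '{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}')

function Get-InprocServerPath([string]$ClsId) {
    # Resolve the DLL the CLSID is registered to, so we know what we are blocking
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$ClsId\InprocServer32"
    if (Test-Path $key) { (Get-ItemProperty $key).'(default)' } else { $null }
}

function Set-KillBit([string]$ClsId) {
    $key = Join-Path $CompatRoot $ClsId
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the bit in so any compatibility flags already present are preserved
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
                     -Value ($current -bor $KillBit) -Type DWord
}

function Test-KillBit([string]$ClsId) {
    $key   = Join-Path $CompatRoot $ClsId
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

foreach ($clsid in $ClsIds) {
    $dll = Get-InprocServerPath $clsid
    if ($dll) {
        $ver = (Get-Item $dll -ErrorAction SilentlyContinue).VersionInfo.FileVersion
        Write-Host "$clsid -> $dll (file version $ver)"
    } else {
        Write-Host "$clsid -> not registered here; kill bit applied anyway"
    }
    Set-KillBit $clsid
    Write-Host ("  kill bit set: {0}" -f (Test-KillBit $clsid))
}
```

On 64-bit Windows the 32-bit IE reads the same key under HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so set $CompatRoot to that path as well; restart IE for the change to take effect.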

Talkback

  • MS disabled Netscape plugins in IE5.5 SP2 w/o warning

    They claimed after the fact it was for security reasons.
    ActiveX is FAR more of a problem since it was designed to
    do any and everything the operating system could do. IE
    is itself an ActiveX control. MS could not survive without
    ActiveX, even their support for Netscape's Plugin API was
    an ActiveX control. (plugin.ocx) The file still exists on all
    machines today, even though it was disabled over 5 years
    ago.

    Problem is too many web sites now rely on ActiveX and
    thus require IE for a browser. MS by dropping support for
    Netscape plugins created this monopolistic situation where
    people are dependent on insecure solutions. We can not
    turn it off because nothing would work, not our bank
    software, not our media players, not sites built on Flash,
    not your stock trading software or medical billing software.

    Just don't use IE, EVER. Force vendors to re-code their
    crap based on ActiveX, and make it cross browser cross
    platform based on accepted web standards.

    Just another fine mess MS has gotten us into!
    LittleGuy
    • Boy you are clueless

      [i]"ActiveX is FAR more of a problem since it was designed to
      do any and everything the operating system could do."[/i]

      Sorry, but this is 100% wrong. Netscape plugins could do anything on the system that activeX controls can. They are (were) binary code, just like activeX controls. Netscape just happened to become obsolete before the web became a haven for malware.

      [i]IE is itself an ActiveX control.[/i]

      Ummm...no.

      [i]"Problem is too many web sites now rely on ActiveX and
      thus require IE for a browser."[/i]

      I've used mozilla and firefox since before mozilla 1.0. Today I cannot think of a site I use that requires IE.

      [i]"We can not
      turn it off because nothing would work, not our bank
      software, not our media players, not sites built on Flash,
      not your stock trading software or medical billing software."[/i]

      Enough with the hyperbole.
      toadlife
    • Boy you are clueless [formatting fixed]

      [i]"ActiveX is FAR more of a problem since it was designed to
      do any and everything the operating system could do."[/i]

      Sorry, but this is 100% wrong. Netscape plugins could do anything on the system that activeX controls can. They are (were) binary code, just like activeX controls. Netscape just happened to become obsolete before the web became a haven for malware.

      [i]IE is itself an ActiveX control.[/i]

      No it's not.

      [i]"Problem is too many web sites now rely on ActiveX and
      thus require IE for a browser."[/i]

      I've used mozilla and firefox since before mozilla 1.0. Today I cannot think of a site I use that requires IE.

      [i]"We can not
      turn it off because nothing would work, not our bank
      software, not our media players, not sites built on Flash,
      not your stock trading software or medical billing software."[/i]

      Enough with the hyperbole.
      toadlife
      • WHAT?

        "Sorry, but this is 100% wrong. Netscape plugins could do
        anything on the system that activeX controls can. They are
        (were) binary code, just like activeX controls. Netscape just
        happened to become obsolete before the web became a
        haven for malware."

        The only reason you are able to do what you are doing is
        BECAUSE you are not using IE, and because every other
        browser supports Netscape's Plugin API.

        Obsolete? Hardly!
        LittleGuy
        • Do what I am doing?

          What are you talking about? What am I "doing"?
          toadlife
      • Can think of a few

        "I've used mozilla and firefox since before mozilla 1.0. Today I cannot think of a site I use that requires IE."

        I can think of a few. Every bank, online shop, and all online business transactions in Korea use ActiveX and only ActiveX. I didn't use to have this problem in Canada, but in Korea it's impossible to conduct any online business without IE.
        Necrolin
  • RE: RealPlayer: More ActiveX security headaches

    Answer: Get rid of RealPlayer. It's a malware-infested media player...
    Grayson Peddie
  • Plug-ins are vulnerable too (maybe not here)

    But whenever an application is extended to the browser your attack surface becomes just that much larger. It doesn't matter which browser you use. Yes, I know you can enable and disable plug-ins in the other browsers, but you can in IE as well without having to resort to the registry as it's built in to IE. It's not IE that is at fault here but the ActiveX control.
    dunn@...
    • Please give me an example of a Netscape API plugin attack

      I have never heard of one.
      LittleGuy
      • Here you go

        1) Write malicious netscape plug-in
        2) Have user install it
        toadlife
        • Not an example of a real malicious Netscape plugin!

          Yes they are both real client side code, but the way you
          talk no one should be allowed to install software.

          Netscape's plugin API is small and tight, ActiveX controls
          can take millions of commands or none at all, leaving
          ActiveX way more open to attack. ActiveX controls self
          install; Netscape plugins users must install. That is way
          safer and cross platform.
          LittleGuy
          • What are you talking about?

            Both are binary code that executes. Neither has a sandbox around it. That's all that needs to be said.

            From your post, I don't even think you understand what an API is.
            toadlife
          • I've written both activex and npi plugins

            Browsers need native code to do things, like play media
            files. This can only be done with an activex control on IE
            for Windows ONLY, or a Netscape Plugin on all other
            browsers and platforms, including IE for the Mac. Why is
            it you do not know that?

            Toadlife says:
            "I've used mozilla and firefox since before mozilla 1.0.
            Today I cannot think of a site I use that requires IE."
            Reply:
            This is what I mean by what you are doing. You don't
            seem to even know you are using Netscape plugins in
            other browsers. You seem to think they are obsolete.
            So I think you know very little about what you are talking
            about.

            Examples of IE only web sites, there are many more.
            Even FIMA was IE only.
            http://blog.wired.com/monkeybites/2006/10/this_page_requi.html
            LittleGuy
          • Apologies. You are right

            You are right. Mozilla browsers still use the same plug-in architecture.

            What you are wrong about is that Netscape-style plug-ins somehow carry less potential danger than ActiveX controls. IIRC, ActiveX controls are easier to install, which for naive users could represent an increase in danger, but ease of use should not be counted as a security vulnerability.

            As for sites that require IE. Yes, I concede that there are some. I used to visit a few. But today, there are currently no sites I can think of that I use that require IE.
            toadlife
          • @toadlife

            Try this site... http://toastytech.com/good/badsitelistframe.html

            It's kind of up to date for 2007-ish.
            zkiwi
  • All extension apis

    All extension apis that let you play outside the sandbox open up potential for security holes. For a
    Firefox example see GreaseMonkey...
    Johnny Vegas
  • Accept Apologies, but you need to understand

    There is a huge difference between Netscape Plugins (NPI)
    and ActiveX (OLE) Object Linking and Embedding

    Read:
    en.wikipedia.org/wiki/Object_Linking_and_Embedding

    These things are triggered by an EMBED tag in a web page
    and passed data. NPI plugins have one and only one
    access point to accept and reject bad data. ActiveX is FAR
    more robust and if you are not really really careful can
    leave an open hole for a malicious web page. Most of
    Windows is built on this technology and there are many
    access doors, not just one.

    If I were motivated to do so, I think I could write an
    EMBED that could raise issues with existing ActiveX
    controls, I am not so confident about doing this with a NPI
    plugin.
    LittleGuy
    • A buffer overflow is a buffer overflow!

      Whether it be the "object" or "embed" tag, it's still a buffer overflow.
      toadlife
      • Yes, Yes, but

        buffer overflow is only one possible vulnerability. I guess
        you will never believe NPI is safer than ActiveX. But you
        even admit that they can self install means they are less
        safe. Why is it then that MS does not support NPI plugins
        on Windows IE. Macintosh IE supports them and does not
        support ActiveX. What possible benefit is there to be
        different than everyone else and cause small developers
        like me to have to support two code bases for a less
        secure solution?

        And I have to sign off with one more link to prove to
        you that IE is an ActiveX control. Notice the last sentence
        about ActiveX controls:

        "ActiveX controls can be written in MFC, ATL, C++, Borland
        Delphi and Visual Basic. Common examples of ActiveX
        controls are the command button, list box, dialog boxes,
        and even the Internet Explorer browser."

        http://en.wikipedia.org/wiki/ActiveX
        LittleGuy
        • Interesting

          [i]"But you even admit that they can self install means they are less safe."[/i]

          Whoa now! I didn't quite say that! I said they are easier to install - as Internet explorer provides a built in "one-click" ([i]or three or four clicks in current versions[/i]) mechanism to install new controls. In my experience, Netscape plug-ins must be installed via traditional methods, which require several more steps and more know-how.

          I suppose saying something is more secure because it is harder to use is valid, but it's not particularly insightful.

          As for IE being an ActiveX control, the definition seems so broad that many Windows-based applications could be called one. I always viewed IE as a group of shared dlls tied together by iexplore.exe. If that is an ActiveX control, then...ok. Using shared common libraries is smart, so I don't see the big issue.

          The security issues with ActiveX and Windows are historically due to insecure legacy-friendly default settings, and a monoculture - not the fact that powerfully easier to use programming interfaces exist. At work, not giving end-users admin rights on their machines completely solved the "ActiveX problem" for us.

          The fatal flaw I've always seen with ActiveX is the fact that there seems to be no option for users to install them in their profile only. It's "all or nothing".
          toadlife