IE users beware: RealPlayer zero-day flaw under attack

Hackers are actively exploiting a zero-day hole in RealNetworks' RealPlayer media player, a software program installed on tens of millions of Windows computers worldwide.
Written by Ryan Naraine, Contributor

(See updates below with confirmation from RealNetworks and plans for an emergency RealPlayer patch)

Hackers are actively exploiting a zero-day hole in RealNetworks' RealPlayer media player, a software program installed on tens of millions of Windows computers worldwide.

The in-the-wild attacks, which began late last night (October 18), targets a previously unknown and unpatched ActiveX vulnerability in the way RealPlayer interacts with Microsoft's Internet Explorer browser.

The flaw is causing drive-by malware downloads when an IE user simply browsers to a maliciously rigged Web page, according to an alert issued by Symantec DeepSight Threat Management System.

The issue affects an ActiveX object installed by RealPlayer, accessible over the web using Internet Explorer. By instantiating the object and invoking a specific method and attacker is able to corrupt process memory and execute arbitrary code with the privileges of the browser. The attack currently known to be in-the-wild has been confirmed to download malicious code to the compromised host.

[ GALLERY: How to use Internet Explorer securely ]

According to sources tracking this threat, the attacks are limited in nature and appear to be targeting specific organizations. Some government agencies, including NASA, have reportedly banned the use of Internet Explorer in response to this incident.

"The malware appears to be spreading through a large variety of common and highly-respected Internet sites, however it does not appear these sites are themselves infected. The affected sites are serving solely as a mechanism to attract potential victims."

Confirmed vulnerable: RealPlayer versions, (11 Beta), (10.5), 6.0.12, 6.0.11, and 6.0.10.


In the absence of a patch from RealPlayer, users might want to consider uninstalling the software immediately. Or, use an alternative Web browser (Mozilla Firefox or Opera) for Web surfing.

Symantec also recommends:

  • Block access to the IPs and, as these IP addresses were observed partaking in the attack and have also been observed by honeypots perpetrating other malicious activity.
  • Set the kill bit on the Class identifier (CLSID) FDC7A535-4070-4B92-A0EA-D9994BCC0DC5 (Microsoft instructions for setting kill bit).
  • Ensure that all Microsoft Internet Explorer clients are configured to prompt before executing Active Scripting. If Active Scripting is not required it should be disabled completely.
  • Ensure that all Microsoft Outlook and Outlook Express clients are configured to either display all incoming email in plain text format, or that HTML email messages are opened in the Restricted sites security zone.
  • As most vulnerabilities of this nature rely on JavaScript to carry out exploitation, disable JavaScript whenever possible.
  • Always execute web browser software as a user with minimal system privileges.

[ UPDATE: October 19, 2007 @ 1:21 PM ] While there is no information on the actual vulnerability in play here, I've found this Milw0rm exploit that discusses an unpatched ActiveX hole affecting RealPlayer.

According to the RealNetworks security updates page, the company hasn't shipped a patch since March 22, 2006.

[ UPDATE: October 19, 2007 @ 5:05 PM ] Via Symantec DeepSight, a step-by-step description of how an attack takes place.

  1. The attacker compromises an advertisement server so that an IFRAME that redirects victims to a malicious Web page is appended to advertisements.
  2. A victim browses the Web to a trusted or untrusted site that hosts ads presented by the compromised ad server. The victim gets redirected to the malicious website hosting the exploit script.
  3. The exploit script then builds a special URI and passes it to another script that determines whether or not to exploit the victim.
  4. The second script attempts to exploit the victim to execute a malicious payload.
  5. Successful exploitation results the payload downloading and executing the hxxp:// executable file.
  6. The executable (Trojan.Zonebac) then installs itself into the system and contacts a number of other sites.

[ UPDATE: October 19, 2007 @ 8:06 PM ] Via e-mail RealNetworks spokesman Ryan Luckin says an emergency fix will be available later today to address this vulnerability.

Those users with RealOne Player, RealOne Player v2, and RealPlayer 10 should upgrade immediately to RealPlayer 10.5 or RealPlayer 11 and install the patch to ensure this security vulnerability is addressed.

[ UPDATE: October 20, 2007 @ 10:58 AM ] The RealPlayer patch is now available for download.

There are reports circulating that the exploit code was embedded in advertisements served by 24/7 Real Media, a high-profile digital marketing company.

Editorial standards