MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2007

MA-120.102007: RealPlayer - ActiveX Arbitrary Command Execution

Original Issue Date: 23rd October 2007

1. Description

1.1. Overview

MyCERT has received information regarding critical vulnerabilities in RealPlayer that allow a remote attacker to execute arbitrary commands. MyCERT is aware that an unknown and unpatched ActiveX vulnerability in the way RealPlayer interacts with Microsoft’s Internet Explorer browser is currently being actively exploited, and that proof-of-concept exploits for the vulnerability have been published on the Internet.

Exploitation begins when a victim browses to a trusted or untrusted site that hosts ads served by the compromised ad server; the victim is automatically redirected to the malicious website hosting the exploit script.

The exploit script then builds a special URI and passes it to another script, which determines whether or not to exploit the victim and execute the malicious payload. Successful exploitation results in the payload downloading and executing a trojan file (Trojan.Zonebac), which installs itself on the system and contacts a number of other sites.

1.2. Systems Affected

1.2.1. RealPlayer 10.5
1.2.2. RealPlayer 11 Beta
1.2.3. RealOne Player
1.2.4. RealOne Player V2

2. Recommendations

2.1. RealPlayer ActiveX Vulnerability

Since this vulnerability is being actively exploited, MyCERT strongly recommends that all vulnerable systems be updated immediately via the RealPlayer website:
http://service.real.com/realplayer/security/191007_player/en/securitydb.rnx

2.2. Do Not Follow Unsolicited Links

Attacks involving the aforementioned vulnerabilities require the user to load a specially crafted HTML document. Therefore, do not click on unsolicited links received via email, forums or chat programs.

2.3. Use Alternative Browsers

MyCERT strongly recommends that, in the event that a critical vulnerability involving the browser such as this one occurs and updates are not available, users consider using other browsers such as Mozilla Firefox or Opera.

3. References

3.1. Symantec Security Response Weblog
http://www.symantec.com/enterprise/security_response/weblog/2007/10/realplayer_exploit_on_the_loos.html

3.2. Customer Support - Real Security Update
http://service.real.com/realplayer/security/191007_player/en/

3.3. Microsoft Support Document 240797
http://support.microsoft.com/kb/240797

3.4. Secunia Vulnerability Advisory
http://secunia.com/advisories/27248/

3.5. Open Source Vulnerability Database
http://osvdb.org/displayvuln.php?osvdb_id=34757