RealPlayer Bitten Hard by ActiveX Bug

By Ryan Naraine  |  Posted 2008-03-10 Print this article Print

RealPlayer users running Internet Explorer are sitting ducks for drive-by malware downloads.

The widely deployed RealPlayer software is vulnerable to a heap corruption vulnerability that could put Windows users at risk of code execution attacks, according to a warning from a security researcher.

Elazar Broad, a hacker who has led an all-out assault on buggy ActiveX controls in popular software products, has issued an alert for the latest RealPlayer hiccup, warning that RealPlayer users running Internet Explorer are sitting ducks for drive-by malware downloads.

The vulnerability, released as zero-day (before a patch is available) on public mailing lists, was discovered in the RealAudioObjects.RealAudio (rmoc3260.dll) ActiveX control that ships with all versions of RealNetworks' flagship media player.

According to Broad, who was recently credited with finding ActiveX security issues affecting MySpace and Facebook, it is possible to modify heap blocks after they are freed to overwrite certain registers.  This bug could be exploited to execute arbitrary code, he warned.

The bug affects "rmoc3260.dll" Version

It is not the first time a security hole has popped up in the "rmoc3260.dll" ActiveX control.  In November 2007, researchers at IBM's ISS X-Force issued an advisory to warn of a denial-of-service issue that could be exploited in tandem with Internet Explorer to crash the RealPlayer application.

RealNetworks has found it difficult to keep pace with a myriad of security problems in its media player.  According to data culled from the U.S. CERT (Computer Emergency Readiness Team), numerous ActiveX bugs in RealPlayer have been reported over the last 12 months.

The company has also found itself between a rock and a hard place over the disclosure of RealPlayer zero-day flaw by Gleg, a Russian security research company. Gleg released an exploit for the bug last December in a a subscription-only exploit package but refused to share information on the vulnerability with RealNetworks. That vulnerability remains unpatched.

Exploit code for the ActiveX issue is not yet public but, in the absence of a patch from RealPlayer, security experts recommend disabling the buggy control by setting the killbit for the following ClassIDs:

  • 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93
  • CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA
This Microsoft KB article explains how to stop an ActiveX control from running in Internet Explorer.

The U.S. CERT recommends disabling ActiveX controls from running by default.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel