If you use RealNetworks’ RealPlayer software, you might want to pay close attention to this demo from the folks at Gleg Ltd., a Russian vulnerability research and exploit creation outfit.
According to Gleg founder Evgeny Legerov, there is a zero-day vulnerability that allows code execution in RealPlayer 11, the most up-to-date version of the cross-platform media player.
Legerov said the exploit was tested against RealPlayer 11 build 6.0.14.748.
Gleg released the exploit on Dec. 16 as part of its VulnDisco exploit package, which is sold to corporate penetration testing firms. Gleg partners with Dave Aitel’s Immunity to distribute vulnerability research and exploits.
According to this New York Times report by Brad Stone, Gleg sells exploits to about a dozen corporate customers around the world, with fees starting at $10,000 for periodic updates.
The US-CERT (United States Computer Emergency Response Team) has issued a flash warning for the latest RealPlayer security hiccup, which is clearly related to the Gleg exploit demo.
RealNetworks did not respond to a request for comment. Just got this note from RealNetworks spokesman Ryan Luckin:
“We are aware of this new warning that has been issued by US-CERT and our folks are investigating. Will keep you posted as we know more.“
Last October, the company was forced to rush out two security updates to fix vulnerabilities that were being used in in-the-wild zero-day attacks.