Exploit Released for Combined RealPlayer, IE Flaws

Researchers warn that malicious hackers could exploit two unrelated and unpatched flaws in RealPlayer and Internet Explorer to launch system bypass attacks.

Security researchers have found a way to combine two unrelated—and unpatched—vulnerabilities in RealPlayer and Internet Explorer to launch malicious hacker attacks on PCs.

According to an advisory from Secunia, exploit code that could be used for system bypass attacks has been released on the Web, potentially putting millions of RealPlayer users at risk.

The RealPlayer flaw, which has been confirmed on RealPlayer 10.5 (build, is caused by the way the RealMedia ".rm" files can open local files in the built-in browser.

Secunia said a malicious hacker could create a Web site to load an HTML document in a local context via a specially crafted RealMedia file.

Used together with the known Internet Explorer vulnerability, the attacker could force files to be opened automatically from the browser that ships with RealPlayer.

Secunia suggests RealPlayer users avoid opening ".rm" files from untrusted sources as a temporary workaround until vendor patches are released.

RealPlayer 10.5 is the current version of Seattle, Wash.-based RealNetworks Inc.'s flagship media player. It is available in two versions—Plus and Basic—for Windows, Mac OS X, Linux, Unix, Palm OS and Symbian OS users. RealPlayer 10.5 has an open-source equivalent called Helix player.

The Internet Explorer flaw, previously flagged as "high risk," can be exploited to hijack a vulnerable machine, conduct cross-site/zone scripting and bypass a security feature in Microsoft Corp.'s Windows XP SP2.

Microsoft has confirmed the existence of the bug and has promised a fix as soon as quality control issues are addressed.

Stephen Toulouse, program manager at the Microsoft Security Response Center, says the MS05-001 update released in January lessens the risk caused by the IE flaw, but a private research firm has poked holes in that assertion.

After testing the patch that came with the MS05-001 advisory, IT security services firm GeCAD NET warned that at least one attack vector still exists and could allow the exploit of the HTML Help ActiveX control vulnerability.

GeCAD NET warned that the flaw is still exploitable in Windows XP Service Pack 1 or Windows 2000 Service Pack 4, even when fully patched and up-to-date (MS05-001 included).

The use of media player software to launch malicious attacks is not entirely new. Last month, security researchers found that the newest DRM technology in Microsoft's Windows Media Player was being used to deliver spyware, adware, dialers and computer viruses to unsuspecting PC users.

