RealPlayer Bitten Hard by ActiveX Bug
Cybersecurity
SHARE
Facebook X Pinterest WhatsApp

RealPlayer Bitten Hard by ActiveX Bug

Written By
Ryan Naraine
Ryan Naraine
Mar 10, 2008
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

The widely deployed RealPlayer software is vulnerable to a heap corruption vulnerability that could put Windows users at risk of code execution attacks, according to a warning from a security researcher.
Elazar Broad, a hacker who has led an all-out assault on buggy ActiveX controls in popular software products, has issued an alert for the latest RealPlayer hiccup, warning that RealPlayer users running Internet Explorer are sitting ducks for drive-by malware downloads.
The vulnerability, released as zero-day (before a patch is available) on public mailing lists, was discovered in the RealAudioObjects.RealAudio (rmoc3260.dll) ActiveX control that ships with all versions of RealNetworks’ flagship media player.
According to Broad, who was recently credited with finding ActiveX security issues affecting MySpace and Facebook, it is possible to modify heap blocks after they are freed to overwrite certain registers. This bug could be exploited to execute arbitrary code, he warned.
The bug affects “rmoc3260.dll” Version 6.0.10.45.
It is not the first time a security hole has popped up in the “rmoc3260.dll” ActiveX control. In November 2007, researchers at IBM’s ISS X-Force issued an advisory to warn of a denial-of-service issue that could be exploited in tandem with Internet Explorer to crash the RealPlayer application.
RealNetworks has found it difficult to keep pace with a myriad of security problems in its media player. According to data culled from the U.S. CERT (Computer Emergency Readiness Team), numerous ActiveX bugs in RealPlayer have been reported over the last 12 months.
The company has also found itself between a rock and a hard place over the disclosure of RealPlayer zero-day flaw by Gleg, a Russian security research company. Gleg released an exploit for the bug last December in a a subscription-only exploit package but refused to share information on the vulnerability with RealNetworks. That vulnerability remains unpatched.
Exploit code for the ActiveX issue is not yet public but, in the absence of a patch from RealPlayer, security experts recommend disabling the buggy control by setting the killbit for the following ClassIDs:

  • 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93
  • CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA

This Microsoft KB article explains how to stop an ActiveX control from running in Internet Explorer.
The U.S. CERT recommends disabling ActiveX controls from running by default.
Ryan Naraine
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information