October 19th, 2007

IE users beware: RealPlayer zero-day flaw under attack

Posted by Ryan Naraine @ 8:56 am

(See updates below with confirmation from RealNetworks and plans for an emergency RealPlayer patch)

Hackers are actively exploiting a zero-day hole in RealNetworks’ RealPlayer media player, a software program installed on tens of millions of Windows computers worldwide.

The in-the-wild attacks, which began late last night (October 18), target a previously unknown and unpatched ActiveX vulnerability in the way RealPlayer interacts with Microsoft’s Internet Explorer browser.

The flaw is causing drive-by malware downloads when an IE user simply browses to a maliciously rigged Web page, according to an alert issued by Symantec DeepSight Threat Management System.

The issue affects an ActiveX object installed by RealPlayer, accessible over the web using Internet Explorer. By instantiating the object and invoking a specific method, an attacker is able to corrupt process memory and execute arbitrary code with the privileges of the browser. The attack currently known to be in-the-wild has been confirmed to download malicious code to the compromised host.

According to sources tracking this threat, the attacks are limited in nature and appear to be targeting specific organizations. Some government agencies, including NASA, have reportedly banned the use of Internet Explorer in response to this incident.

“The malware appears to be spreading through a large variety of common and highly-respected Internet sites, however it does not appear these sites are themselves infected. The affected sites are serving solely as a mechanism to attract potential victims.”

Confirmed vulnerable: RealPlayer versions 6.0.14.544, 6.0.14.550 (11 Beta), 6.0.12.1662 (10.5), 6.0.12, 6.0.11, and 6.0.10.

TEMPORARY MITIGATION:

In the absence of a patch from RealPlayer, users might want to consider uninstalling the software immediately. Or, use an alternative Web browser (Mozilla Firefox or Opera) for Web surfing.

Symantec also recommends:

  • Block access to the IPs 83.149.65.105 and 66.199.254.193, as these IP addresses were observed partaking in the attack and have also been observed by honeypots perpetrating other malicious activity.
  • Set the kill bit on the Class identifier (CLSID) FDC7A535-4070-4B92-A0EA-D9994BCC0DC5 (Microsoft instructions for setting kill bit).
  • Ensure that all Microsoft Internet Explorer clients are configured to prompt before executing Active Scripting. If Active Scripting is not required it should be disabled completely.
  • Ensure that all Microsoft Outlook and Outlook Express clients are configured to either display all incoming email in plain text format, or that HTML email messages are opened in the Restricted sites security zone.
  • As most vulnerabilities of this nature rely on JavaScript to carry out exploitation, disable JavaScript whenever possible.
  • Always execute web browser software as a user with minimal system privileges.
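Setting the kill bit from the Symantec list above, as an added example that is not from the article, Symantec or RealNetworks. It assumes an elevated PowerShell session on the affected Windows client and uses the registry location Microsoft documents for kill bits (KB 240797); the CLSID is the one quoted in the mitigation list.

```powershell
# Added example: set the IE kill bit for the RealPlayer ActiveX control named
# in the Symantec guidance, then verify it took effect. Assumes an elevated
# PowerShell session. Kill bit mechanism (KB 240797): DWORD "Compatibility
# Flags" with bit 0x400 set under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}

$Clsid   = '{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}'   # CLSID from the advisory
$KillBit = 0x400

function Get-KillBitPath {
    param([string]$Clsid)
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Set-ActiveXKillBit {
    param([string]$Clsid)
    $path = Get-KillBitPath $Clsid
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the kill bit in so any other compatibility flags already set survive
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' `
        -Value ($current -bor $KillBit) -Type DWord
}

function Test-ActiveXKillBit {
    param([string]$Clsid)
    $path  = Get-KillBitPath $Clsid
    $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

Set-ActiveXKillBit $Clsid
if (Test-ActiveXKillBit $Clsid) {
    "Kill bit set for $Clsid; Internet Explorer will refuse to instantiate it"
} else {
    "Kill bit NOT set for $Clsid; check that the session is elevated"
}
```

On 64-bit Windows the 32-bit Internet Explorer reads the same key under HKLM\SOFTWARE\Wow6432Node, so the path should be written there as well. The kill bit blocks the control in IE only; it does not patch RealPlayer itself, so the vendor fix still needs to be applied when it ships.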

[ UPDATE: October 19, 2007 @ 1:21 PM ] While there is no information on the actual vulnerability in play here, I’ve found this Milw0rm exploit that discusses an unpatched ActiveX hole affecting RealPlayer.

According to the RealNetworks security updates page, the company hasn’t shipped a patch since March 22, 2006.

[ UPDATE: October 19, 2007 @ 5:05 PM ] Via Symantec DeepSight, a step-by-step description of how an attack takes place.

  1. The attacker compromises an advertisement server so that an IFRAME that redirects victims to a malicious Web page is appended to advertisements.
  2. A victim browses the Web to a trusted or untrusted site that hosts ads presented by the compromised ad server. The victim gets redirected to the malicious website hosting the exploit script.
  3. The exploit script then builds a special URI and passes it to another script that determines whether or not to exploit the victim.
  4. The second script attempts to exploit the victim to execute a malicious payload.
  5. Successful exploitation results in the payload downloading and executing the hxxp://66.199.254.193/ads/r.php executable file.
  6. The executable (Trojan.Zonebac) then installs itself into the system and contacts a number of other sites.

[ UPDATE: October 19, 2007 @ 8:06 PM ] Via e-mail RealNetworks spokesman Ryan Luckin says an emergency fix will be available later today to address this vulnerability.

Those users with RealOne Player, RealOne Player v2, and RealPlayer 10 should upgrade immediately to RealPlayer 10.5 or RealPlayer 11 and install the patch to ensure this security vulnerability is addressed.

[ UPDATE: October 20, 2007 @ 10:58 AM ] The RealPlayer patch is now available for download.

There are reports circulating that the exploit code was embedded in advertisements served by 24/7 Real Media, a high-profile digital marketing company.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.

RE: IE users beware: RealPlayer zero-day flaw under attack
zdnet: you people need a printer friendly button on your blogs... Your site is eating my budget up on me always buying printer ink, because it prints the heading, all advertisements etc... because you know have printer friendly button...... (Read the rest)
Posted by: majorafrotc@... Posted on: 07/30/08