Zero Day

Ryan Naraine and Dancho Danchev

Get Zero Day via:: Mobile; RSS; Email Alerts
Bios:: Ryan’s Bio; Dancho’s Bio

March 11th, 2008

RealPlayer: More ActiveX security headaches

Posted by Larry Dignan @ 7:17 am

Categories: Exploit code, Vulnerability research, Zero-day attacks

Tags: Security, ActiveX, RealNetworks RealPlayer, Elazar Broad, ActiveX/COM/COM+/DCOM, Middleware, Software Development, Software/Web Development, Enterprise Software, Software

RealPlayer has a another ActiveX vulnerability that leaves Windows users on IE at risk.

Elazar Broad, who frequently flags ActiveX problems, issued an alert Sunday on message board lists. Broad is currently working on an exploit for it.

Here’s the message:

Hash: SHA1

Who:
Real Networks
http://www.real.com

What:
Real Networks Real Player is a popular media player.

How:
Real Player utilizes an ActiveX control to play content within the
users browser.

rmoc3260.dll version 6.0.10.45
{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}
{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}

It is possible to modify heap blocks after they are freed and
overwrite certain registers, possibly allowing code execution. Like
so:

- ————
var buf = ”;
while (buf.length < 1005) buf = buf + ‘A’;

m = obj.Console;
obj.Console = buf;
obj.Console = m

//repeat
m = obj.Console;
obj.Console = buf;
obj.Console = m –> Should crash here
- ————-

Workaround:
Set the killbit for this control. See
http://support.microsoft.com/kb/240797

Fix:
No official fix known

Exploit:
Working on it

Elazar

As noted by Ryan Naraine, Broad is a bit of an ActiveX vulnerability hunter. Broad has also discovered ActiveX security problems with MySpace and Facebook. Why do folks keep ActiveX active?

SANS said the following:

Those using ActiveX capable browsers (read: MSIE) are vulnerable to attack, with no patch on the horizon yet.

Workarounds:

* Set killbits for:
rmoc3260.dll version 6.0.10.45
{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}
{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}
But this will also remove the genuine functionality of the player.
* Use a browser that doesn’t support ActiveX (there’s plenty of those).

More info on disabling ActiveX on IE can be found on Microsoft’s site.

Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic. See his full profile and disclosure of his industry affiliations.

Related Discussions on TechRepublic

Did you know you can take part in these discussions with your ZDNet membership?

Talkback
Most Recent of 23 Talkback(s)

Thread View
Flat View

Where I was going: but in gentler terms. Yes, Real Player is a waste of good memory, in addition to the fact that other better software is also available for free. If you haven't uninstalled it yet, do so now.... (Read the rest); Posted by: Spats30 Posted on: 03/13/08 You are currently: a Guest | Log in | Terms of Use

MS disabled Netscape plugins in IE5.5 SP2 w/o warning LittleGuy | 03/11/08

Boy you are clueless toadlife | 03/11/08

Boy you are clueless [formatting fixed] toadlife | 03/11/08

WHAT? LittleGuy | 03/11/08

Do what I am doing? toadlife | 03/11/08

Can think of a few Necrolin | 03/12/08

RE: RealPlayer: More ActiveX security headaches Grayson Peddie | 03/11/08

Plug-ins are vulnerable too (maybe not here) dunn@... | 03/11/08

Please give me an example of a Netscape API plugin attack LittleGuy | 03/11/08

Here you go toadlife | 03/11/08

Not an example of a real malicious Netscape plugin! LittleGuy | 03/11/08

What are you talking about? toadlife | 03/11/08

I've written both activex and npi plugins LittleGuy | 03/12/08

Apologies. You are right toadlife | 03/12/08

@toadlife zkiwi | 03/12/08

All extension apis Johnny Vegas | 03/11/08

Accept Apologies, but you need to understand LittleGuy | 03/12/08

A buffer overflow is a buffer overflow! toadlife | 03/12/08

Yes, Yes, but LittleGuy | 03/12/08

Interesting toadlife | 03/12/08

Ah, 1-click, 3, 4 clicks to install LittleGuy | 03/13/08

Frankly who cares? Skullet | 03/12/08

Where I was going Spats30 | 03/13/08

What do you think?

SponsoredWhite Papers, Webcasts, and Downloads

Planning Activation in Isolated Environments Microsoft This guide is for IT pros maintaining the Windows? 7 and Windows Server? ... Download Now
The Journey Along an Information-Led Transformation IBM Corp. The cost of embedding information technology into every device we ... Download Now
Top 7 Things You Should Know About Activation and Genuine Windows Microsoft Learn the top 7 things you need to know about volume activation, including product keys, experience, deployment, virtualization, resources and more. Download Now

Blogs From Our Sponsors

Top Rated

And the most popular password is...+34 votes
Microsoft readies emergency IE patch to counter public exploits+33 votes
Report: 48% of 22 million scanned computers infected with malware+32 votes
Microsoft says Google was hacked with IE zero-day+31 votes
Microsoft confirms 17-year-old Windows vulnerability+31 votes
MS Patch Tuesday heads-up: 13 bulletins, 26 vulnerabilities+26 votes
Bogus IQ test with destructive payload in the wild+22 votes
Haiti earthquake themed blackhat SEO campaigns serving scareware+21 votes

Premier Vendor Content Whitepapers, webcasts & resources from our Power Center Sponsors

Favorite Links

ZDNet Blogs

White Papers, Webcasts, and Downloads

Smarter Products: The Building Blocks for a Smarter Planet IBM Corp. Businesses are delivering a new generation of smarter products that are ... Download Now
Volume Activation Planning Guide Microsoft Volume Activation helps Volume Licensing customers automate and manage the ... Download Now
Getting personal with business continuity: Five critical success factors in overcoming workforce disruptions IBM Corp. An event that disrupts your business, no matter how limited or broad in ... Download Now

SmartPlanet

Thought-provoking progressive ideas on diverse topics that intersect with technology, business, and life, and matter to the world at large. Visit SmartPlanet
More from IBM
How to Drive Better Business Outcomes with Exceptional Web Experiences Download the eBook
Driving Business Agility through SOA Connectivity & Integration Read the White Paper from IBM
Linking Decisions and Information for Organizational Performance Read the Tom Davenport study

Zero Day

Ryan Naraine and Dancho Danchev

March 11th, 2008

RealPlayer: More ActiveX security headaches

Related Discussions on TechRepublic

Did you know you can take part in these discussions with your ZDNet membership?

What do you think?

SponsoredWhite Papers, Webcasts, and Downloads

Recent Entries

Blogs From Our Sponsors

Top Rated

Premier Vendor Content Whitepapers, webcasts & resources from our Power Center Sponsors

Archives

Favorite Links

41

ZDNet Blogs

White Papers, Webcasts, and Downloads

SmartPlanet

Blogs

Product Reviews

Videos

White Papers and Webcasts

Downloads

More

ZDNet News & Blogs

Product Reviews

Product Blogs

White Papers & Webcasts

Downloads

Zero Day

Ryan Naraine and Dancho Danchev

March 11th, 2008

RealPlayer: More ActiveX security headaches

Related Discussions on TechRepublic

Did you know you can take part in these discussions with your ZDNet membership?

What do you think?

SponsoredWhite Papers, Webcasts, and Downloads

Recent Entries

Blogs From Our Sponsors

Top Rated

Premier Vendor Content Whitepapers, webcasts & resources from our Power Center Sponsors

Keep up with ZDNet

Archives

Favorite Links

41

ZDNet Blogs

White Papers, Webcasts, and Downloads

SmartPlanet

Blogs

Product Reviews

Videos

White Papers and Webcasts

Downloads

More

ZDNet News & Blogs

Product Reviews

Product Blogs

White Papers & Webcasts

Downloads