RealNetworks Inc. has released a patch for an "extremely critical" security flaw in RealPlayer that attackers have targeted in recent days.
The Seattle-based digital entertainment services vendor confirmed that attackers could exploit versions 10.5 and 11 beta of its popular media player to run malicious code on targeted machines. The attack could be carried out when the victim visits malicious Web sites with Microsoft's Internet Explorer Web browser.
"RealPlayer 10.5 and RealPlayer 11 beta users should install the patch to address this security vulnerability, [which] aims to cause buffer overflow," RealNetworks said in an advisory.
Friday, Cupertino, Calif.-based security vendor Symantec Corp. warned customers of its DeepSight Threat Management service that attackers were using malicious Web sites to exploit a buffer-overflow vulnerability caused by RealPlayer's failure to perform adequate boundary checks on user-supplied input before copying it into an insufficiently sized memory buffer.
"Attackers can exploit this issue to execute arbitrary code in the context of the application using the affected control (typically Internet Explorer)," Symantec said. "Successful attacks can compromise the application and possibly the underlying computer. Failed attacks will likely cause denial-of-service conditions."
Symantec deemed the attack activity significant enough to raise its ThreatCon to level 2. To prevent successful exploits, Symantec recommends users disable Active Scripting in Internet Explorer or set the kill bit on the associated CLSID. Other security experts had suggested forsaking Internet Explorer in favor of alternative browsers like Firefox and Opera.
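The kill-bit mitigation Symantec recommends is a registry setting that tells Internet Explorer never to instantiate a given ActiveX control. The script below is an added example, not from the article or from Symantec; it audits and, if needed, sets the kill bit for one CLSID. The CLSID value is a placeholder, since the article does not give the identifier of the ierpplug.dll control, and the `Compatibility Flags` value 0x400 is Microsoft's documented kill-bit flag.

```powershell
# Added example (not the article's own content): audit and set the IE ActiveX
# kill bit for a control. PLACEHOLDER CLSID: replace with the affected control's
# real CLSID, which this article does not state.
$Clsid   = '{00000000-0000-0000-0000-000000000000}'
$KillBit = 0x400   # Compatibility Flags bit that blocks the control in IE
$Key     = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Test-KillBit {
    # Returns $true only if the key exists and the kill bit is already present.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

function Set-KillBit {
    # OR the kill bit into any existing flags rather than overwriting them.
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = if ($null -eq $existing) { $KillBit } else { $existing -bor $KillBit }
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -PropertyType DWord `
                     -Value $new -Force | Out-Null
}

if (Test-KillBit $Key) {
    "Kill bit already set for $Clsid"
} else {
    Set-KillBit $Key   # needs an elevated (administrator) session
    "Kill bit set for $Clsid"
}
```

On 64-bit Windows the 32-bit Internet Explorer reads the same key under `HKLM:\SOFTWARE\Wow6432Node\...`, so set the flag in both locations to cover both browser builds.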
Danish vulnerability clearinghouse Secunia gave the flaw its highest threat rating of "extremely critical" in its SA27248 advisory because of the active attacks against it.
Attacks have also been serious enough that the United States Computer Emergency Readiness Team (US-CERT) released an advisory for RealPlayer.
In its blog analysis of the RealPlayer threat, the Symantec Security Response Center said the issue is centered on an ActiveX object in the RealPlayer component ierpplug.dll.
"This DLL has been exploited in the past, although only remote denial of service was achieved at the time," researcher Masaki Suenaga wrote. "It appears that the miscreants have refined their technique to achieve code execution."
Suenaga said the parameter passed to the vulnerable method of the ActiveX control appears to allow only character strings, "which is most likely why the shell code is made up of only English letters (A-Z) and numbers (0-9). These characters can be read directly by Intel IA-32 CPUs modifying machine code instructions on-the-fly."
The researcher added that the malicious .html page checks several versions of RealPlayer to determine if the installed application is vulnerable. If so, the bad guys try to hijack the computer using a piece of malware called Trojan.Reapall. "The sample we received successfully exploits this RealPlayer vulnerability and downloads and executes a copy of Trojan.Zonebac," Suenaga said.