US-CERT Technical Cyber Security Alert TA07-297A -- RealNetworks RealPlayer ActiveX Playlist Buffer Overflow

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	National Cyber Alert System
   Technical Cyber Security Alert TA07-297A


RealNetworks RealPlayer ActiveX Playlist Buffer Overflow

   Original release date: October 24, 2007
   Last revised: --
   Source: US-CERT

Systems Affected

   Windows systems with
     * RealPlayer 11 beta
     * RealPlayer 10.5
     * RealPlayer 10
     * RealOne Player v2
     * RealOne Player

Overview

   RealNetworks RealPlayer client for Microsoft Windows contains a stack
   buffer overflow in the playlist paramater passed to the client by an
   ActiveX control. This vulnerability could allow a remote,
   unauthenticated attacker to execute arbitrary code using a specially
   crafted web page or HTML email message.

I. Description

   RealNetworks RealPlayer is a multimedia application that allows users
   to view local and remote audio and video content. RealPlayer for
   Microsoft Windows includes the IERPCtl ActiveX control that can be
   used with Internet Explorer to import a local file into a playlist.
   RealPlayer does not adequately validate the playlist paramater passed
   from the ActiveX control, resulting in stack buffer overflow
   vulnerability. The IERPCtl ActiveX control is present in RealOne
   Player and later versions.

   RealNetworks has released a patch for this vulnerability as described
   in RealPlayer Security Vulnerability. There are public reports that
   this vulnerability is being actively exploited.

   This vulnerability can be exploited using the IERPCtl ActiveX control,
   which effectively means that only Windows Internet Explorer users are
   affected. The ActiveX control was introduced in RealOne Player, so
   Windows versions of RealPlayer 8 and earlier are not affected.
   Mactintosh and Linux versions of RealPlayer are not affected.

II. Impact

   By convincing a user to view a specially crafted HTML document or HTML
   mail message, a remote, unauthenticated attacker may be able to
   execute arbitrary code with the privileges of the user on a vulnerable
   system. Note that the RealPlayer software does not need to be running
   for this vulnerability to be exploited.

   For more information, please see US-CERT Vulnerability Note VU#871673.

III. Solution

Upgrade and apply a patch

   See RealPlayer Security Vulnerability for information about upgrading
   and patching RealPlayer. RealPlayer 10.5 and RealPlayer 11 beta users
   should install the patch specified in the RealNetworks document.
   RealOne, RealOne Player v2, and RealPlayer 10 users should upgrade to
   RealPlayer 10.5 or RealPlayer 11 beta and install the patch.

Disable the IERPCtl ActiveX control

   Disable the IERPCtl AcctiveX control by setting the kill bit for the
   following CLSID:
   {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}

   More information about how to set the kill bit is available in
   Microsoft Support Document 240797. Alternatively, the following text
   can be saved with a .reg file and imported into the Windows registry:
   Windows Registry Editor Version 5.00
       [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
       Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}]
       "Compatibility Flags"=dword:00000400

Disable ActiveX

   Disabling ActiveX in the Internet Zone (or any zone used by an
   attacker) reduces the chances of exploitation of this and other
   vulnerabilities. Instructions for disabling ActiveX in the Internet
   Zone can be found in the "Securing Your Web Browser" document.

Appendix A. Vendor Information

RealNetworks

   For information about updating RealPlayer, see the RealPlayer Security
   Vulnerability and Security Update for Real Player.

Appendix B. References

     * Customer Support - Real Security Updates -
       <http://service.real.com/realplayer/security/191007_player/en/>
     
     * Security Update for RealPlayer -
       <http://docs.real.com/docs/security/SecurityUpdate101907Player.pdf>
     
     * US-CERT Vulnerability Note VU#871673 -
       <http://www.kb.cert.org/vuls/id/871673>
     
     * Securing Your Web Browser -
       <http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>
    
 _________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA07-297A.html>
 _________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@xxxxxxxx> with "TA07-297A Feedback VU#871673" in the
   subject.
 _________________________________________________________________
    
   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 _________________________________________________________________

   Produced 2007 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 _________________________________________________________________

Revision History

   October 24, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRx+V7fRFkHkM87XOAQI30gf/TvEjRojRbGghMIW/Ky72nn8iGyyAcdzt
eOe8e08SxfqMr2zz4RTe8zQBvf3v3MvTv0a8N2Z5eyBarHEQzvWohtshubIJUXWy
WygaRqr4cTVX2S7dbA7EBIXJfbH8xmCDQe2OGzSprNwELZ6JJAQ3XiuoM0jsCtI1
uElilw8CqHZMOZM8GJLmj6exstljAL2JNd4icnG1kSGrCs0gJkPVOFgH/tdrJ2cu
TUZ4ypRyjpMJ2Lcz7lNkF0Y3lZCVmsOOefKV+tvsK4IerexI7Zcq1Kyu90IjXNzQ
5Ix9pEX4kbpv/7wfLeRFO5rWjA019wUtPeMZ3+kf6vp7GaWqR+WnMg==
=MlFp
-----END PGP SIGNATURE-----

[Index of Archives]     [Fedora Announce]     [Linux Crypto]     [Kernel]     [Netfilter]     [Bugtraq]     [USB]     [Fedora Security]

  Powered by Linux