-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA07-297A
RealNetworks RealPlayer ActiveX Playlist Buffer Overflow
Original release date: October 24, 2007
Last revised: --
Source: US-CERT
Systems Affected
Windows systems with
* RealPlayer 11 beta
* RealPlayer 10.5
* RealPlayer 10
* RealOne Player v2
* RealOne Player
Overview
RealNetworks RealPlayer client for Microsoft Windows contains a stack
buffer overflow in the playlist paramater passed to the client by an
ActiveX control. This vulnerability could allow a remote,
unauthenticated attacker to execute arbitrary code using a specially
crafted web page or HTML email message.
I. Description
RealNetworks RealPlayer is a multimedia application that allows users
to view local and remote audio and video content. RealPlayer for
Microsoft Windows includes the IERPCtl ActiveX control that can be
used with Internet Explorer to import a local file into a playlist.
RealPlayer does not adequately validate the playlist paramater passed
from the ActiveX control, resulting in stack buffer overflow
vulnerability. The IERPCtl ActiveX control is present in RealOne
Player and later versions.
RealNetworks has released a patch for this vulnerability as described
in RealPlayer Security Vulnerability. There are public reports that
this vulnerability is being actively exploited.
This vulnerability can be exploited using the IERPCtl ActiveX control,
which effectively means that only Windows Internet Explorer users are
affected. The ActiveX control was introduced in RealOne Player, so
Windows versions of RealPlayer 8 and earlier are not affected.
Mactintosh and Linux versions of RealPlayer are not affected.
II. Impact
By convincing a user to view a specially crafted HTML document or HTML
mail message, a remote, unauthenticated attacker may be able to
execute arbitrary code with the privileges of the user on a vulnerable
system. Note that the RealPlayer software does not need to be running
for this vulnerability to be exploited.
For more information, please see US-CERT Vulnerability Note VU#871673.
III. Solution
Upgrade and apply a patch
See RealPlayer Security Vulnerability for information about upgrading
and patching RealPlayer. RealPlayer 10.5 and RealPlayer 11 beta users
should install the patch specified in the RealNetworks document.
RealOne, RealOne Player v2, and RealPlayer 10 users should upgrade to
RealPlayer 10.5 or RealPlayer 11 beta and install the patch.
Disable the IERPCtl ActiveX control
Disable the IERPCtl AcctiveX control by setting the kill bit for the
following CLSID:
{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}
More information about how to set the kill bit is available in
Microsoft Support Document 240797. Alternatively, the following text
can be saved with a .reg file and imported into the Windows registry:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}]
"Compatibility Flags"=dword:00000400
Disable ActiveX
Disabling ActiveX in the Internet Zone (or any zone used by an
attacker) reduces the chances of exploitation of this and other
vulnerabilities. Instructions for disabling ActiveX in the Internet
Zone can be found in the "Securing Your Web Browser" document.
Appendix A. Vendor Information
RealNetworks
For information about updating RealPlayer, see the RealPlayer Security
Vulnerability and Security Update for Real Player.
Appendix B. References
* Customer Support - Real Security Updates -
<http://service.real.com/realplayer/security/191007_player/en/>
* Security Update for RealPlayer -
<http://docs.real.com/docs/security/SecurityUpdate101907Player.pdf>
* US-CERT Vulnerability Note VU#871673 -
<http://www.kb.cert.org/vuls/id/871673>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA07-297A.html>
_________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@xxxxxxxx> with "TA07-297A Feedback VU#871673" in the
subject.
_________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
_________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
October 24, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRx+V7fRFkHkM87XOAQI30gf/TvEjRojRbGghMIW/Ky72nn8iGyyAcdzt
eOe8e08SxfqMr2zz4RTe8zQBvf3v3MvTv0a8N2Z5eyBarHEQzvWohtshubIJUXWy
WygaRqr4cTVX2S7dbA7EBIXJfbH8xmCDQe2OGzSprNwELZ6JJAQ3XiuoM0jsCtI1
uElilw8CqHZMOZM8GJLmj6exstljAL2JNd4icnG1kSGrCs0gJkPVOFgH/tdrJ2cu
TUZ4ypRyjpMJ2Lcz7lNkF0Y3lZCVmsOOefKV+tvsK4IerexI7Zcq1Kyu90IjXNzQ
5Ix9pEX4kbpv/7wfLeRFO5rWjA019wUtPeMZ3+kf6vp7GaWqR+WnMg==
=MlFp
-----END PGP SIGNATURE-----
