IE users beware: RealPlayer zero-day flaw under attack
ZDNet | October 19th, 2007 | Ryan Naraine
Posted on 10/19/2007 10:18:29 AM PDT by holymoly
Hackers are actively exploiting a zero-day hole in RealNetworks RealPlayer media player, a software program installed on tens of millions of Windows computers worldwide.
The in-the-wild attacks, which began late last night (October 18), target a previously unknown and unpatched ActiveX vulnerability in the way RealPlayer interacts with Microsoft's Internet Explorer browser.
The flaw is causing drive-by malware downloads when an IE user simply browses to a maliciously rigged Web page, according to an alert issued by anti-virus vendor Symantec.
The issue affects an ActiveX object installed by RealPlayer, accessible over the web using Internet Explorer. By instantiating the object and invoking a specific method, an attacker is able to corrupt process memory and execute arbitrary code with the privileges of the browser. The attack currently known to be in-the-wild has been confirmed to download malicious code to the compromised host.
According to sources tracking this threat, the attacks are limited in nature and appear to be targeting specific organizations. Some government agencies, including NASA, have reportedly banned the use of Internet Explorer in response to this incident.
The malware appears to be spreading through a large variety of common and highly-respected Internet sites, however it does not appear these sites are themselves infected. The affected sites are serving solely as a mechanism to attract potential victims.
Confirmed vulnerable: RealPlayer versions 6.0.14.544, 6.0.14.550 (11 Beta), 6.0.12.1662 (10.5), 6.0.12, 6.0.11, and 6.0.10.
TEMPORARY MITIGATION:
In the absence of a patch from RealPlayer, users might want to consider uninstalling the software immediately. Or, use an alternative Web browser (Mozilla Firefox or Opera) for Web surfing.
Symantec also recommends:
- Block access to the IPs 83.149.65.105 and 66.199.254.193, as these IP addresses were observed partaking in the attack and have also been observed by honeypots perpetrating other malicious activity.
- Set the kill bit on the Class identifier (CLSID) FDC7A535-4070-4B92-A0EA-D9994BCC0DC5 (Microsoft instructions for setting kill bit).
- Ensure that all Microsoft Internet Explorer clients are configured to prompt before executing Active Scripting. If Active Scripting is not required it should be disabled completely.
- Ensure that all Microsoft Outlook and Outlook Express clients are configured to either display all incoming email in plain text format, or that HTML email messages are opened in the Restricted sites security zone.
- As most vulnerabilities of this nature rely on JavaScript to carry out exploitation, disable JavaScript whenever possible.
- Always execute web browser software as a user with minimal system privileges.
TOPICS: News/Current Events; Technical
KEYWORDS: activex; ie; msie; realplayer
In the absence of a patch from RealPlayer, users might want to consider uninstalling the software immediately. Or, use an alternative Web browser...
Firefox
Opera
Seamonkey
1 posted on 10/19/2007 10:18:31 AM PDT by holymoly
To: holymoly
Or an alternate OS like Linux ;-)
2 posted on 10/19/2007 10:20:45 AM PDT by fremont_steve (Milpitas - a great place to be FROM!)
To: holymoly
I’ve been avoiding RealPlayer for years, for reasons I don’t even clearly recall. I think it was because they became a PITA with all their spam and reminder popups or something to that effect.
To: holymoly
Don’t use RealPlayer at all. I believe it’s owned by Maria Cantwell, the flaming leftist democrat in the US Senate or some other notable leftist.
4 posted on 10/19/2007 10:23:06 AM PDT by Ron in Acreage (Conservative 1st, republican sometime)
To: ShadowAce
Hackers are actively exploiting a zero-day hole in RealNetworks RealPlayer media player, a software program installed on tens of millions of Windows computers worldwide.
PING
5 posted on 10/19/2007 10:23:07 AM PDT by SubGeniusX (The People have UNENUMERATED RIGHTS ... the Govt. does NOT have UNENUMERATED POWERS)
To: holymoly
Not a problem for me- I use Firefox and never had a use for RealPlayer.
6 posted on 10/19/2007 10:24:06 AM PDT by Squawk 8888 (Is human activity causing the warming trend on Mars?)
To: holymoly
I haven’t touched realplayer since 2000
7 posted on 10/19/2007 10:24:09 AM PDT by Crazieman (The Democrat Party: Culture of Treason)
To: holymoly
Use Real Alternative instead. It does not always work. But I just figure that if a web site demands using Real player with so many better choices out there then why visit that web site. Real player is a bloated piece of spy ware. It has been so for years.
8 posted on 10/19/2007 10:25:25 AM PDT by Revel
To: Nervous Tick
You’re not missing anything. The only thing it can do that the other players can’t is play RealMedia content. Anything on rm that’s worth playing is also available in other formats.
9 posted on 10/19/2007 10:26:15 AM PDT by Squawk 8888 (Is human activity causing the warming trend on Mars?)
To: fremont_steve
In hoc signo vinces!
;o)
10 posted on 10/19/2007 10:26:16 AM PDT by LIConFem (Thompson 2008. Lifetime ACU Rating: 86 -- Hunter 2008 (VP) Lifetime ACU Rating: 92)
To: Revel
11 posted on 10/19/2007 10:26:52 AM PDT by Revel
To: holymoly
I don’t have to worry. I use Windows Media Player................
12 posted on 10/19/2007 10:27:57 AM PDT by Red Badger ( We don't have science, but we have consensus.......)
To: holymoly
good thing I have version 10.5.
Or are they talking about build not version?
13 posted on 10/19/2007 10:28:06 AM PDT by Just another Joe (Warning: FReeping can be addictive and helpful to your mental health)
To: holymoly
14 posted on 10/19/2007 10:28:29 AM PDT by mysterio
To: holymoly
< sigh > Something to do when I get home I guess.
Yet another reason to get a Mac.
To: fremont_steve
Has nothing to do with the OS. It’s the browser, specifically IE.
16 posted on 10/19/2007 10:29:19 AM PDT by tomh68
To: holymoly
In English please? :-)
I use Firefox but IE occasionally because some websites don’t work in Firefox (like my daughter’s soccer website)—if I go to “Add/Remove Programs” what should I remove? RealPlayer by itself? Or are other aspects needing to be removed as well?
My husband HATES “MicroShaft” as he calls it, but 90% of the programs/applications I use aren’t available on Linux yet—soon though I hope!!
17 posted on 10/19/2007 10:32:29 AM PDT by pillut48 (CJ in TX --Soccer Mom and proud RUSH REPUBLICAN! WIN, FRED, WIN!!!)
To: holymoly
Real Player turned into malware itself years ago.
18 posted on 10/19/2007 10:33:34 AM PDT by VeniVidiVici (No buy China!!)
To: holymoly
# Block access to the IPs 83.149.65.105 and 66.199.254.193, as these IP addresses were observed partaking in the attack and have also been observed by honeypots perpetrating other malicious activity.
# Set the kill bit on the Class identifier (CLSID) FDC7A535-4070-4B92-A0EA-D9994BCC0DC5 (Microsoft instructions for setting kill bit).
I'm sure glad that IE is easy to use and configure than other operating systems. /sarcasm
19 posted on 10/19/2007 10:37:52 AM PDT by PAR35
To: VeniVidiVici
Real Player turned into malware itself years ago.
Eyup. It simply became a terrible product slated more at pushing advertising.
Pretty much Windows Media or QuickTime today.
20 posted on 10/19/2007 10:39:04 AM PDT by zencat (The universe is not what it appears, nor is it something else.)
To: Red Badger
>> I don't have to worry. I use Windows Media Player................
LOL! Yep, no vulnerabilities there!
But I don’t want to be disrespectful of Windows Media Player because it plays a valuable role in the compu-ecosystem. Windows needs to be rebooted regularly, and the weekly Microsoft updates to WMP remind (!) me to do that.
To: Nervous Tick
I think it comes down to “RealPlayer simply sucks”.
To: A_Tradition_Continues
Whenever I am asked to 'tweak' or clean up a computer, I always remove Real Player unless the user has a specific reason for using it.
I've always hated real player.
There was once a time when it was a very very invasive application that was a serious pain to remove from the OS. It was quite a few years ago, but I have seen real player re-install itself with hidden installation files and a batch process set to run on startup.
23 posted on 10/19/2007 10:50:29 AM PDT by z3n
To: holymoly
RealPlayer was a pioneer in the early days, but it got more and more bloated, and they also got into the habit of using it to install spyware and other programs on your computer without asking permission.
Very much like AOL.
Plus the fact that they are somewhere to the left of Lenin. Maria Cantwell had plenty of leftist company when she was there.
24 posted on 10/19/2007 10:55:29 AM PDT by Cicero (Marcus Tullius)
To: pillut48
if I go to Add/Remove Programs what should I remove? RealPlayer by itself?
If the article is correct, that should do it.
To be honest, I haven't used RealPlayer in many, many years, since it essentially became a form of spyware. I haven't used MSIE since version 4.
BTW I sometimes use Opera for sites that don't work and/or display correctly with Firefox. You might consider giving it a try.
25 posted on 10/19/2007 10:58:13 AM PDT by holymoly (Thompson/Hunter 2008)
To: holymoly
Our software here has repeatedly blocked this Malware stuff the past couple of days.
26 posted on 10/19/2007 11:01:14 AM PDT by Badeye ('Ron Paul joined 88 Democrats.....")
To: LIConFem
In hoc signo vinces! ;o)
Et in hoc, quoque.
27 posted on 10/19/2007 11:26:54 AM PDT by Gorzaloon (Food imported from China = "Cesspool + Flavor-Straw")
To: All
You need Real Player for BBC 4. Outrageous, isn’t it?
28 posted on 10/19/2007 11:27:08 AM PDT by paristwelve (.......the Laws of Nature and of Nature's God entitle them)
To: holymoly
Interesting indeed. A few weeks back RealPlayer completely locked up on me after I was at a site that was behaving suspiciously. So, I immediately deinstalled it and ran malware cleansing ops. That was probably it. A-OK right now.
29 posted on 10/19/2007 11:58:19 AM PDT by GOP_1900AD (Stomping on "PC," destroying the Left, and smoking out faux "conservatives" - Take Back The GOP!)
30 posted on 10/19/2007 12:01:50 PM PDT by Non-Sequitur (Save Fredericksburg. Support CVBT.)
To: rdb3; chance33_98; Calvinist_Dark_Lord; PenguinWry; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; ..
31 posted on 10/19/2007 1:11:14 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
To: holymoly
I don’t use RealPlayer. It’s junk, AFAICT.
32 posted on 10/19/2007 1:12:12 PM PDT by TChris (Cartels (oil, diamonds, labor) are bad. Free-market competition is good.)
To: ShadowAce
Just an FYI: FireFox 2.0.0.8 is out today.
33 posted on 10/19/2007 5:09:06 PM PDT by Salo
To: PAR35
I'm sure glad that IE is easy to use and configure than other operating systems. /sarcasm
No doubt. I should hold on to this post as a reference the next time some bozo starts talking about Linux not being "ready" for the desktop.
Let's look at that again, shall we...
Symantec also recommends:
- Block access to the IPs 83.149.65.105 and 66.199.254.193, as these IP addresses were observed partaking in the attack and have also been observed by honeypots perpetrating other malicious activity.
- Set the kill bit on the Class identifier (CLSID) FDC7A535-4070-4B92-A0EA-D9994BCC0DC5 (Microsoft instructions for setting kill bit).
- Ensure that all Microsoft Internet Explorer clients are configured to prompt before executing Active Scripting. If Active Scripting is not required it should be disabled completely.
- Ensure that all Microsoft Outlook and Outlook Express clients are configured to either display all incoming email in plain text format, or that HTML email messages are opened in the Restricted sites security zone.
- As most vulnerabilities of this nature rely on JavaScript to carry out exploitation, disable JavaScript whenever possible.
- Always execute web browser software as a user with minimal system privileges.
Yeah. Windows is easy to use.
34 posted on 10/20/2007 12:43:16 AM PDT by zeugma (Ubuntu - Linux for human beings)
To: zeugma
I’ve been playing with computers since the CP/M days (longer, if you count punching paper tape in basic and cards in Fortran), I manually edit my registries when needed; I’m not totally computer illiterate. But I have no idea on how to set a kill bit in XP. As for blocking ports, Symantec isn’t exactly ‘user friendly’.
35 posted on 10/20/2007 8:20:20 AM PDT by PAR35
To: zeugma
Last night, I had my wife, who has never even seen Linux, install Ubuntu Gutsy (7.10) on an old Dell (GX-150) 128MB/10GB. When it finished she said...you mean that’s it? LOL
Yeah, Linux is too hard, and winblows is easy.
36 posted on 10/20/2007 7:07:50 PM PDT by papasmurf (sudo apt - get install FRed Thompson)
To: pillut48
Hi.
Could you tell me some of the programs you need to use? You'd be surprised what is available, for free, to use on Linux...Ubuntu especially.
I'd be happy to search for suitable replacements for you.
Also, there are free "virtual" machines available that will run windows inside of Linux, allowing you to keep your old software. I use "VirtualBox" for my proprietary business applications. It's all point and click, too.
You can take Ubuntu Linux for a FREE test ride. Just go to Ubuntu's FREE CD program and request a free cd to be sent to you at no charge. When you get the CD, just pop it in and let it load. It's called a LIVE! CD, which means the program doesn't install anything, it runs off of the CD itself. It's a bit slower, because it's running off of the CD, but it is fully functional...you can even see all of the FREE software available and how easy it is to install FREE software.
Trust me, Ubuntu Linux is very easy to use, even the updates are easier (and safer) than windoesn't's. :)
Good luck!
37 posted on 10/20/2007 7:21:12 PM PDT by papasmurf (sudo apt - get install FRed Thompson)
To: papasmurf
Thanks, papasmurf—the husband tried ubuntu but didn’t like it (don’t ask me why! :-) I’ve been on computers since the late 80’s, Apples and Windows—all of my applications are windows based, and there aren’t equals to the programs (graphic design, photo manipulation, movie making) that I’ve used for years, and truthfully, I just don’t have the energy to relearn new programs all over again. And yes, I’ve heard of GIMP, but it just doesn’t have what I need *yet*—who knows what the future holds? :-)
38 posted on 10/20/2007 7:40:23 PM PDT by pillut48 (CJ in TX --Soccer Mom and proud RUSH REPUBLICAN! WIN, FRED, WIN!!!)
To: holymoly
Poor WinDoze users.... how much TIME do you spend on this kinda stuff?
Get a Mac... and you can run any windows program on Mac if you REALLY have some special need to...
39 posted on 10/20/2007 8:09:02 PM PDT by RachelFaith (Doing NOTHING... about the illegals already here IS Amnesty !!)
To: holymoly
RealNetworks has issued a patch for this vulnerability that users can download here - http://service.real.com/realplayer/security/191007_player/en/
For more information about these patches and how the new RealPlayer has been improved, please visit the RealPlayer blog at www.realplayer.com/blog.
Matt Spragins
Real Networks