More Vulnerabilities Found; More Platforms Affected
Severity: High
26 October, 2007
Update:
On Monday 22 October, we published an alert about a serious vulnerability that affects RealPlayer 10.5 and RealPlayer 11 beta running on Windows. By enticing one of your users to a malicious Web site, an attacker can exploit this vulnerability to execute code on your user’s computer, with your user’s privileges. In the worst case scenario, the attacker could gain total control of the victim’s PC. RealNetworks released a patch to fix that problem. However, it appears that update marked just the beginning of RealNetwork security holes.
Late yesterday, RealNetwork released the second batch of security updates this week, this time fixing six serious vulnerabilities in their media player product line. Here’s what you need to know about the new flaws.
More Vulnerabilities Found; More Platforms Affected
Severity: High
26 October, 2007
Update:
On Monday 22 October, we published an alert about a serious vulnerability that affects RealPlayer 10.5 and RealPlayer 11 beta running on Windows. By enticing one of your users to a malicious Web site, an attacker can exploit this vulnerability to execute code on your user’s computer, with your user’s privileges. In the worst case scenario, the attacker could gain total control of the victim’s PC. RealNetworks released a patch to fix that problem. However, it appears that update marked just the beginning of RealNetwork security holes.
Late yesterday, RealNetwork released the second batch of security updates this week, this time fixing six serious vulnerabilities in their media player product line. Here’s what you need to know about the new flaws.
The new flaws affect many more products than the earlier flaw did, including products that run in OS X and Linux. The affected products now include:
- RealPlayer 8, 10, 10.5, 11 for Windows, Mac, and Linux
- RealOne Player v1 and v2 for Windows, and RealOne Player for Mac
- RealPlayer Enterprise
- Helix Player 10.0.x for Linux.
Though these new flaws differ from one another technically, they share many similarities. For example, all six flaws involve buffer overflow vulnerabilities triggered when RealPlayer parses specially crafted media files. They also share the same scope and impact. If an attacker can entice one of your users into downloading a maliciously crafted media file, then playing it in RealPlayer, the attacker can exploit any of these vulnerabilities to execute attack code on that user’s computer. Depending on the user’s privileges, an attacker could even exploit these flaws to gain control of the victimr’s machine. The only notable difference among the flaws is that an attacker uses a different media file format to exploit each one. The potentially dangerous media files that trigger these flaws are:
- RealMedia files (.rm)
- MP3 audio files (.mp3)
- Flash files (.swf)
- RealAudio Metadata files (.ram)
- Playlist files (.pls)
- Synchronized Multimedia Integration Language files (.smil).
Unlike the flaw covered in our 22 October alert, RealNetworks has not found attackers exploiting these new flaws in the wild yet. Nonetheless, these security holes pose a serious threat to RealPlayer users. You should download, test, and deploy these new patches as soon as you can, whether or not you applied the previous RealPlayer update from Monday. How you download the updates differs depending on which product you use. Refer to the “Instructions” section of RealNetworks security update for detailed directions on patching the different media player products.
As a convenient reference, we’ve duplicated the 22 October RealPlayer alert, below. You can also find it in the LiveSecurity Latest Broadcasts archive.
Summary:
Late Friday, RealNetworks released a patch for a critical vulnerability affecting RealPlayer 10.5 and RealPlayer 11 beta running on Windows. By enticing one of your users to a malicious Web site, an attacker can exploit this vulnerability to execute code on your user’s computer, with your user’s privileges. In the worst case scenario, the attacker could gain total control of the victim’s PC. If you allow the use of RealPlayer in your network, have your users upgrade immediately.
Exposure:
RealPlayer and RealOne Player are widely-used software for Internet media delivery. RealOne Player plays virtually every major Internet media format, including Windows Media, Quicktime, MPEG-4, and even DVDs. If you’ve watched streaming videos on the Internet, or listened to music samples while buying CDs online, you’ve probably encountered RealPlayer.
WatchGuard does not recommend using RealPlayer or RealOne Player, partly because both contain automatic communication features which, by default, let RealNetworks and RealNetwork’s “partners” (such as NASCAR and CNN) install software on your client computers. But in reality, many of your users have probably installed one of these products, with or without your permission.
In a security update released late Friday, RealNetworks warned of a new vulnerability that affects RealPlayer 10.5 and 11 beta running on Windows. (OS X and Linux users are not affected.) The flaw, discovered in the wild by Symantec, involves a buffer overflow vulnerability in one of RealPlayer’s ActiveX controls (specifically, ierpplug.dll). By enticing one of your users to a malicious Web site, an attacker can pass an over-long parameter to the vulnerable ActiveX control, which triggers the buffer overflow flaw. The attacker can then exploit the flaw to execute code on your user’s computer, inheriting your user’s privileges. Windows administrators often give users local administrator rights. If the exploit is successful in that context, the attacker would gain complete control of your user’s machine.
Symantec found attackers exploiting this vulnerability in the wild. In other words, the bad guys found the flaw first and are actively using it to break into computers. If you use RealPlayer in your network, this vulnerability poses a critical risk. You should apply RealNetwork’s update immediately.
Solution Path:
RealNetworks has released a patch to correct this vulnerability. Clients who use RealPlayer 10.5 or 11 beta in Windows should upgrade immediately, or remove the software entirely. You can download RealNetwork’s patch here.
For All WatchGuard Users:
The vulnerability described in our alert uses normal HTTP traffic, which you must allow for your users to browse the Web. If you use RealPlayer in your network, you should download RealNetwork’s update as soon as possible.
Status:
RealNetworks has issued a Security Update that fixes the problem.