RealPlayer plug-in poses danger
In their weblog, the security specialists at Symantec have issued a warning about a previously unknown vulnerability in RealPlayer that is currently being exploited. The flaw affects the ActiveX control ierpplug.dll in the current version of RealPlayer and in beta version 11. Windows users who run Internet Explorer with RealPlayer installed are therefore at risk.
Among other things, the malicious website discovered by Symantec exploits the vulnerability to sneak in a known trojan called Zonebac, which lowers the security settings in Internet Explorer. The malicious code comes from an apparently compromised ad server that sends out ads with an IFrame containing a redirection to the actual malicious code.
The flaw is a result of a programming error that allows a buffer overflow to occur. Only a few months ago, a similar flaw was discovered in RealPlayer. Real has published a fix to address that particular security vulnerability.
Clicking on the supplied link starts RealPlayer, which in turn downloads something but fails to inform the user whether the update was successful and whether they are actually protected. In a short test performed by heise Security, the vulnerable DLL ierpplug.dll did not change (version 18.104.22.16883, digitally signed 19th of July 2007). A kill-bit was not set either, and Internet Explorer still claims that it is using the vulnerable file. Whether Real has developed some other workaround and users are protected, or the update somehow silently failed, could not yet be determined.
Until this is clear, we recommend setting the kill-bit for the vulnerable control with the Class Identifier (CLSID) FDC7A535-4070-4B92-A0EA-D9994BCC0DC5, which prevents it from being called by Internet Explorer. Microsoft describes how to do this in this knowledge base article. Another option is to use another browser such as Firefox or Opera. They do not use ActiveX at all and are therefore not affected.
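One way to apply and verify the recommended kill-bit from an elevated PowerShell prompt. This is an added example, not part of the original article or of Real's or Microsoft's material. The registry location and the 0x400 "Compatibility Flags" value are Microsoft's documented kill-bit mechanism; the function names and the handling of the WOW6432Node view on 64-bit Windows are assumptions of this example.

```powershell
# Added example: set and verify the Internet Explorer kill-bit for one CLSID.
# Run from an elevated PowerShell prompt.
$Clsid    = '{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}'  # CLSID given in the article
$KillBit  = 0x400                                     # kill-bit in "Compatibility Flags"
$FlagName = 'Compatibility Flags'

# Native view plus the 32-bit view (assumption: 64-bit Windows with 32-bit IE).
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags {
    param([string]$Key)
    # Returns 0 when the key or the value does not exist yet.
    $prop = Get-ItemProperty -Path $Key -Name $FlagName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }
    return [int]$prop.$FlagName
}

function Set-KillBit {
    param([string]$Root, [string]$Clsid)
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the bit in so any other compatibility flags already present survive.
    $new = (Get-CompatFlags $key) -bor $KillBit
    New-ItemProperty -Path $key -Name $FlagName -PropertyType DWord -Value $new -Force | Out-Null
    # Read the value back and report whether the bit is really set.
    $set = ((Get-CompatFlags $key) -band $KillBit) -eq $KillBit
    [pscustomobject]@{ Key = $key; KillBitSet = $set }
}

foreach ($root in $Roots) {
    # Skip a registry view that does not exist on this system (e.g. 32-bit Windows).
    if (-not (Test-Path (Split-Path $root -Parent))) { continue }
    Set-KillBit -Root $root -Clsid $Clsid
}
```

Each key the script reports should show KillBitSet as True; a False result means the write did not take effect, for example because the prompt was not elevated.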
According to US-CERT, the buffer overflow occurs in the RealPlayer Database Component, which is provided by MPAMedia.dll. This file is indeed changed by the patch provided by Real.