RealNetworks RealPlayer ActiveX Playlist Buffer Overflow
Original release date: October 24, 2007
Last revised: --
Source: US-CERT
Systems Affected
Windows systems with
- RealOne Player
- RealOne Player v2
- RealPlayer 10
- RealPlayer 10.5
- RealPlayer 11 beta
Overview
RealNetworks RealPlayer client for Microsoft Windows contains a stack buffer overflow in the playlist paramater passed to the client by an ActiveX control. This vulnerability could allow a remote, unauthenticated attacker to execute arbitrary code using a specially crafted web page or HTML email message.
I. Description
RealNetworks RealPlayer is a multimedia application that allows users to view local and remote audio and video content. RealPlayer for Microsoft Windows includes the IERPCtl ActiveX control, which can be used with Internet Explorer to import a local file into a playlist. RealPlayer does not adequately validate the playlist parameter passed from the ActiveX control, resulting in a stack buffer overflow vulnerability. The IERPCtl ActiveX control is present in RealOne Player and later versions.
RealNetworks has released a patch for this vulnerability as described in RealPlayer Security Vulnerability. There are public reports that this vulnerability is being actively exploited.
This vulnerability can be exploited using the IERPCtl ActiveX control, which effectively means that only Windows Internet Explorer users are affected. The ActiveX control was introduced in RealOne Player, so Windows versions of RealPlayer 8 and earlier are not affected. Macintosh and Linux versions of RealPlayer are not affected.
II. Impact
By convincing a user to view a specially crafted HTML document or HTML mail message, a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user on a vulnerable system. Note that the RealPlayer software does not need to be running for this vulnerability to be exploited.
For more information, please see US-CERT Vulnerability Note VU#871673.
III. Solution
Upgrade and apply a patch
See RealPlayer Security Vulnerability for information about upgrading and patching RealPlayer. RealPlayer 10.5 and RealPlayer 11 beta users should install the patch specified in the RealNetworks document. RealOne Player, RealOne Player v2, and RealPlayer 10 users should upgrade to RealPlayer 10.5 or RealPlayer 11 beta and install the patch.
Disable the IERPCtl ActiveX control
Disable the IERPCtl ActiveX control by setting the kill bit for the following CLSID:
{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}
More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved with a .reg file and imported into the Windows registry:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}]
"Compatibility Flags"=dword:00000400
Disable ActiveX
Disabling ActiveX in the Internet Zone (or any zone used by an attacker) reduces the chances of exploitation of this and other vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in Securing Your Web Browser.
Appendix A. Vendor Information
RealNetworks
For information about updating RealPlayer, see RealPlayer Security Vulnerability and Security Update for Real Player.
Appendix B. References
Feedback can be directed to US-CERT Technical Staff.
Produced 2007 by US-CERT, a government organization. Terms of use
Revision History
October 24, 2007: Initial release
Mailing Lists & Feeds
Get Adobe Reader
US-CERT is part of the Department of Homeland Security