Yesterday we became aware of an in-the-wild exploitation of a previously unknown RealPlayer vulnerability. This unpatched vulnerability affects the latest versions of RealPlayer and RealPlayer 11 BETA distributed on their site. The issue affects an ActiveX object in the RealPlayer component ierpplug.dll.
This DLL has been exploited in the past, although only remote denial of service was achieved at the time. It appears that the miscreants have refined their technique to achieve code execution. The parameter passed to the vulnerable method of the ActiveX control appears to allow only character strings, which is most likely why the shell code is made up of only English letters (A~Z) and numbers (0~9). Intel IA-32 CPUs can execute these characters directly as valid machine code, and the payload rewrites its own instructions on the fly as it runs.
The malicious .html page checks several versions of RealPlayer to determine if the installed application is vulnerable. If it is, the attacker can potentially take control of the computer. Trojan.Reapall, the sample we received, successfully exploits this RealPlayer vulnerability and downloads and executes a copy of Trojan.Zonebac.
Additionally, when the vulnerability is successfully exploited, the clip named "videotest" from the "My Library" folder, available in standard installations of RealPlayer, will be played.
We have successfully tested this sample against the latest versions of RealPlayer 11 Beta and RealPlayer 10.5. Older versions may also be vulnerable.
If you have RealPlayer installed, simply visiting a malicious Web page can put your computer at risk; the player does not need to be running.
Some mitigating strategies that you can put in place until patches are available are:
- Set the kill bit on the Class identifier (CLSID) FDC7A535-4070-4B92-A0EA-D9994BCC0DC5 (See instructions here).
- Ensure that all Microsoft Internet Explorer clients are configured to prompt before executing Active Scripting. If Active Scripting is not required it should be disabled completely.
- Ensure that all Microsoft Outlook and Outlook Express clients are configured to either display all incoming email in plain text format, or that HTML email messages are opened in the Restricted sites security zone.
- Ensure that antivirus software is up to date.
- Always execute Web browser software as a user with minimal system privileges.
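The kill-bit mitigation in the first item above can be applied and verified with a script rather than by hand. The following PowerShell is an added example and is not part of the original post or of any RealNetworks or Microsoft tooling. It uses the documented Internet Explorer kill-bit mechanism (a "Compatibility Flags" DWORD with bit 0x400 set under the ActiveX Compatibility key, as described in Microsoft KB 240797) for the CLSID named in the post, and assumes it is run from an elevated PowerShell prompt on a Windows host with .NET 4 or later (for the 64-bit check).

```powershell
# Added example (not from the original post): set and verify the Internet Explorer
# kill bit for the RealPlayer ierpplug.dll ActiveX control named in the advisory.
#
# Mechanism (Microsoft KB 240797): a DWORD "Compatibility Flags" with bit 0x400 set under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# stops Internet Explorer from instantiating that control, whether or not the DLL
# stays installed. Run this from an elevated PowerShell prompt.

$Clsid   = '{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}'   # CLSID from the advisory
$KillBit = 0x400                                        # documented kill-bit flag value

function Get-ActiveXCompatPaths {
    param([Parameter(Mandatory)][string]$Clsid)
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    # On 64-bit Windows the 32-bit Internet Explorer reads the Wow6432Node view of the
    # key as well, so both locations need the flag.
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($p in (Get-ActiveXCompatPaths -Clsid $Clsid)) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        $current = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        # OR the kill bit in so that any other compatibility flags already present survive.
        $new = $current -bor $KillBit
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-ActiveXKillBit {
    # Returns $true only if every applicable registry view carries the kill bit.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($p in (Get-ActiveXCompatPaths -Clsid $Clsid)) {
        $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags -or (($flags -band $KillBit) -ne $KillBit)) { return $false }
    }
    return $true
}

Set-ActiveXKillBit -Clsid $Clsid
if (Test-ActiveXKillBit -Clsid $Clsid) {
    Write-Output "Kill bit set for $Clsid"
} else {
    Write-Output "Kill bit NOT set for $Clsid; check that the shell is elevated"
}
```

Setting the kill bit blocks the control only inside Internet Explorer and other hosts that honour the ActiveX Compatibility key; it does not remove ierpplug.dll or patch it, so the vendor update should still be applied once available. Running Test-ActiveXKillBit alone is a quick way to audit a fleet for the mitigation without changing anything.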
Update - October 22, 2007: RealNetworks has released a patch that addresses this vulnerability.