Malicious activities related to RealPlayer vulnerabilities
| Reference: | CERT-IST/DG-2008.001 |
| Version: | 1.0 |
| Version date: | 07 January 2008 |
Vulnerability Classification
| Risk: | high |
| Impact: | Get access, Disrupt service |
| Confidence: | Vendor-acknowledged |
| Attack expertise: | Beginner |
| Attack requirements: | Remote (no account) over a standard service |
System Information
Affected Platform(s):
- Microsoft Windows systems

Affected Software(s):
- RealPlayer versions 9 and later
- RealPlayer version 11
| Impacted products |
Description
Publication context:

Cert-IST releases this "Potential Danger" notice because two "0 day" exploits targeting RealPlayer have recently been released. Furthermore, a known and fixed vulnerability in RealPlayer is also actively exploited.

Problem description:

Several exploits have been released in recent weeks for vulnerabilities in the RealPlayer multimedia player:
- A vulnerability in the playlist handling (CVE-2007-5601). This vulnerability is described in the CERT-IST/AV-2007.493 advisory. It is also exploited by the "RealPlay" Trojan (CERT-IST/AV-2007.490).
- An unfixed vulnerability in the AU file handling. This vulnerability is described in the FA-2007.0267 flaw under investigation.
- An unfixed and undetailed vulnerability. This vulnerability is described in the FA-2008.0003 flaw under investigation.

In addition, a JavaScript file exploiting the first vulnerability (CERT-IST/AV-2007.493) has been discovered on two web sites, and tags referring to that script have been found on several web sites.

The risk related to this threat is low as long as this script exploits a fixed vulnerability of RealPlayer. But it could become high if this malicious script is updated in order to exploit an unfixed vulnerability in RealPlayer.
Technical context:

"RealPlayer" (RealOne Player) is a multimedia player released by RealNetworks (www.real.com).

Technical information:

The unfixed vulnerability described in the FA-2007.0267 flaw under investigation allows a malicious web site to crash a vulnerable RealPlayer player.

The two other vulnerabilities allow a malicious web site to run arbitrary code on the system with the victim's privileges.

The current attack exploits the fixed vulnerability in RealPlayer (CVE-2007-5601) described in the CERT-IST/AV-2007.493 security advisory. It is implemented in a JavaScript file (named "0.js") discovered on the "uc8010 . com" and "ucmal . com" web sites. A large set of "script" tags pointing back to the malicious JavaScript code have been found on several web sites, including governmental (.gov) sites, educational (.edu) sites, the official site of the CA antivirus vendor and "MySpace".

Note: the URL syntax above has been altered with white spaces in order to break the URL.
Solution
01 - Apply the RealNetworks patches regarding the CVE-2007-5601 RealPlayer vulnerability
See the CERT-IST/AV-2007.493 security advisory to get the details about this patch.
02 - Protection against the attack
- Deny access to the "uc8010 . com" and "ucmal . com" web sites.
- Check that the "0.js" JavaScript file ("0" is a zero) has not been injected in your own web sites.
03 - General recommendation
Avoid using RealPlayer as long as no patch is available.
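For the second check of step 02, one way to look for the injected tag in your own pages (an added example, not part of the Cert-IST notice; the function names and the list of file extensions are assumptions). It flags `<script>` tags whose `src` points at either of the two domains named above, stored as printed in the notice, or at any file called `0.js`.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains as printed in the notice (kept defanged here, spaces stripped at load).
BAD_DOMAINS = {d.replace(" ", "") for d in ("uc8010 . com", "ucmal . com")}
BAD_NAME = "0.js"  # "0" is a zero

class _ScriptSrc(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs += [v for k, v in attrs if k == "src" and v]

def classify(src):
    """Return 'domain', 'name' or None for one script URL."""
    url = urlparse(src.strip())
    host = (url.hostname or "").lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in BAD_DOMAINS):
        return "domain"  # listed domain or one of its subdomains
    if url.path.rsplit("/", 1)[-1].lower() == BAD_NAME:
        return "name"    # same file name on another host: review by hand
    return None

def find_injected_scripts(html):
    """Return [(src, reason)] for suspicious <script src=...> tags in html."""
    parser = _ScriptSrc()
    parser.feed(html)
    parser.close()
    return [(s, r) for s in parser.srcs if (r := classify(s))]

def scan_tree(root, exts=(".html", ".htm", ".php", ".asp", ".aspx")):
    """Yield (path, src, reason) for every hit under a web root."""
    for folder, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for src, reason in find_injected_scripts(fh.read()):
                        yield path, src, reason

if __name__ == "__main__":
    # Constructed sample page: one injected tag, one legitimate tag.
    page = '<p>x</p><script src=http://%s/0.js></script><script src="/app.js"></script>'
    print(find_injected_scripts(page % sorted(BAD_DOMAINS)[0]))
```

Pages assembled from a database at request time are not covered by a file scan; run `find_injected_scripts` over the rendered HTML of those pages as well.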
Standard vulnerability IDs
Additional Resources
- Cert-IST security advisory CERT-IST/AV-2007.493 dated October 22, 2008
- SANS article dated January 4, 2008
History
| Version | Comment | Date |
| 1.0 | Potential danger creation | 07 January 2008 |