View Full Version : RealPlayer vulns/updates - archive



AplusWebMaster
2008-03-11, 15:05
FYI...

- http://secunia.com/advisories/29315/
Release Date: 2008-03-11
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: RealPlayer 11.x ...
...The vulnerability is confirmed in RealPlayer version 11.0.1 (build 6.0.14.794) including rmoc3260.dll version 6.0.10.45. Other versions may also be affected.
Solution: Set the kill-bit for the affected ActiveX control...

:fear:

AplusWebMaster
2008-03-11, 15:25
Follow-up...

- http://isc.sans.org/diary.html?storyid=4120
Last Updated: 2008-03-11 12:23:41 UTC - "Real player is probably installed on many of your computers, and an exploit for an unpatched vulnerability was made public on the full-disclosure mailing list.
As a result, those using ActiveX capable browsers (read: MSIE) are vulnerable to attack, with no patch on the horizon yet.
Workarounds:
* Set killbits for:
rmoc3260.dll version 6.0.10.45
{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}
{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}
But this will also remove the genuine functionality of the player.
* Use a browser that doesn't support ActiveX (there's plenty of those)..."

:fear:
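
The kill-bit workaround quoted above, as an added PowerShell example that is not part of the forum posts or the ISC diary: it audits, sets or clears the kill-bit (flag 0x400 in "Compatibility Flags") for the two CLSIDs listed, preserving any other flag bits. The `-Mode` parameter and the script layout are assumptions of this example; Set and Clear need an elevated prompt.

```powershell
# Added example: audit / set / clear the IE kill-bit for the CLSIDs in the workaround above.
# The kill-bit is bit 0x400 of the "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
param(
    [ValidateSet('Audit', 'Set', 'Clear')]
    [string]$Mode = 'Audit'    # hypothetical parameter name, Audit changes nothing
)

$KillBit  = 0x400
$FlagName = 'Compatibility Flags'
$Clsids   = @(
    '{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}',
    '{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}'
)
# 64-bit Windows keeps a second view for 32-bit IE under Wow6432Node; skip it if absent.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path (Split-Path $_ -Parent) }

foreach ($root in $Roots) {
    foreach ($clsid in $Clsids) {
        $key   = Join-Path $root $clsid
        $flags = 0
        if (Test-Path $key) {
            $prop = Get-ItemProperty -Path $key -Name $FlagName -ErrorAction SilentlyContinue
            if ($prop) { $flags = [int]$prop.$FlagName }
        }
        if ($Mode -eq 'Set') {
            # OR the bit in so existing compatibility flags survive.
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            $flags = $flags -bor $KillBit
            Set-ItemProperty -Path $key -Name $FlagName -Value $flags -Type DWord
        }
        elseif ($Mode -eq 'Clear' -and (Test-Path $key)) {
            # Undo: mask out only the kill-bit, leave the key and other bits in place.
            $flags = $flags -band (-bnot $KillBit)
            Set-ItemProperty -Path $key -Name $FlagName -Value $flags -Type DWord
        }
        [pscustomobject]@{
            Key        = $key
            Flags      = '0x{0:X8}' -f $flags
            KillBitSet = [bool]($flags -band $KillBit)
        }
    }
}
```

Running it with no arguments reports the current state for each registry view; `-Mode Clear` reverses a previous `-Mode Set`.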

MadelineC
2008-03-23, 08:27
I think this vulnerability may have been patched now. I check approx once a week for updates in Real Player 11 and yesterday there was a critical update which I downloaded immediately. My version of Real Player is now shown as:
Version 11.0.2
Build: 6.0.14.802
Previously I had Version 11.0.1, Build: 6.0.14.794 as shown in your first post.
I have told Secunia about this in case it might be useful to them.

AplusWebMaster
2008-03-23, 10:29
FYI... this looks like the one, but it still shows as "...Unpatched":

- http://secunia.com/advisories/29315/
Release Date: 2008-03-11
Last Update: 2008-03-19
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched <<<
Software: RealPlayer 11.x
...The vulnerability is confirmed in RealPlayer version 11.0.1 (build 6.0.14.794) including rmoc3260.dll version 6.0.10.45. Other versions may also be affected.
Solution: Set the kill-bit for the affected ActiveX control...
------------

Last update shown on their website:
- http://service.real.com/realplayer/security/en/index.html#web
dated: # October 25, 2007 RealPlayer Update - Security update.

...still, it could be they just haven't "announced" it yet with a post, 'don't know. Why they wouldn't have "confirmed" the fix there is an unknown.

MadelineC
2008-03-24, 10:30
I did say it 'may' have been patched! I wouldn't know for sure, but I had checked a few days earlier and there wasn't a critical update available then. I've got an item in the 'Installed Components' section called 'SecurityUpdate 1.0.0.1', so presumably that's what I got a couple of days ago.
I didn't really expect a response from Secunia immediately as I imagine they'd have to check it and it's the Easter weekend, so things might be slower at the moment.
I had that update of 25.10.2007 as I had v10.5 then and the build I had needed the update. Later I updated to v11.0.1 through the program.
As I use Firefox most of the time and only rarely use IE7, I'll pass on the kill-bit for now; it looks complicated and very difficult to undo. Firefox doesn't support ActiveX.

MadelineC
2008-03-24, 10:51
I meant to say too that it may be that Real aren't very good at keeping their site up to date even when they've issued a critical update. Also my message to Secunia might be the first they've heard of it. It does say to contact them if you have any new information which is what I did.

AplusWebMaster
2008-03-26, 19:47
FYI...

- http://preview.tinyurl.com/2e4dth
March 24, 2008 (Symantec Security Response Weblog) - "...Recently, we observed some suspicious activity on the Chinese Yahoo astrology site, hxxp: //astrology. cn.yahoo .com. Upon investigation, we determined that the site in question contained an iframe that was linking to the domain luckty.com, an astrology-based match finding company. This page contained an embedded iframe that linked to a malicious site that was exploiting the Real Player ierpplug.dll ActiveX Control Buffer Overflow Vulnerability and the MSIE ADODB.Stream Object File Installation Weakness to download malicious code onto a compromised machine. We contacted our friends at Yahoo, who subsequently removed all iframe references pointing to luckty.com..."

:fear:

AplusWebMaster
2008-03-28, 02:35
FYI...

- http://secunia.com/advisories/29315/
Last Update: 2008-03-24
...The vulnerability is confirmed in RealPlayer version 11.0.1 (build 6.0.14.794) including rmoc3260.dll version 6.0.10.45. Other versions may also be affected...
Solution: Update to version 11.0.2 (build 6.0.14.802) via e.g. "Check for Update" in the "Help->About RealPlayer" menu...

:spider:

MadelineC
2008-03-28, 08:59
I see Real haven't updated their updates page yet. Why doesn't Real Player 11xx appear in the applications checked by Secunia's on-line check yet? It checks other versions of Real Player.

AplusWebMaster
2008-03-28, 10:12
Email to -support @ secunia.com- :

"Per: http://secunia.com/advisories/29315/
Last Update: 2008-03-24
...The vulnerability is confirmed in RealPlayer version 11.0.1 (build 6.0.14.794) including rmoc3260.dll version 6.0.10.45. Other versions may also be affected...
Solution: Update to version 11.0.2 (build 6.0.14.802) via e.g. "Check for Update" in the "Help->About RealPlayer" menu...

Since updating RealPlayer to version 11.0.2, it is -un-detected here:
http://secunia.com/software_inspector/
...like it wasn't even installed on the PC (?), using fully patched version of Firefox; same result with fully patched version of IE7.
Please advise..."

'Guess we'll have to wait and see, won't we?

BTW, 'also had the ISC ( http://isc.sans.org/contact.html ) send the folks at "Real support" a note (as a "wake-up" call), since they haven't yet updated here: http://service.real.com/realplayer/security/en/ ...

MadelineC
2008-03-29, 10:05
You're right, we'll have to wait and see. I'm not surprised that Real haven't updated their site, but I would have thought that Secunia would have done so; maybe they will soon. I can understand RealPlayer 11xx not appearing on the Secunia Software Inspector before as there hadn't been any critical updates; perhaps it'll be there before long. I'll be checking it out often anyway!

AplusWebMaster
2008-04-04, 14:44
FYI...

- http://preview.tinyurl.com/2trstc
April 3, 2008 (Symantec Security Response Weblog) - "...Update: It appears that this vulnerability has been patched within RealPlayer version 11.0.2 (build 6.0.14.802), which is now available for download. It contains version 6.0.10.50 of the rmoc3260.dll file, which we have determined no longer contains the vulnerability. Current RealPlayer users can use the Check for Update utility, which will also install a version of the .dll file that is no longer vulnerable to this exploit."

- http://secunia.com/advisories/29315/
"...Solution: Update to version 11.0.2 (build 6.0.14.802) via e.g. "Check for Update" in the "Help->About RealPlayer" menu..."

'Still no advisory posted about the release here:
- http://service.real.com/realplayer/security/en/
(Last updated) - October 25, 2007 RealPlayer Update

AplusWebMaster
2008-07-26, 13:36
FYI...

- http://secunia.com/advisories/27620/
Last Update: 2008-07-29
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Partial Fix [also see Real advisory below*]
Software: RealPlayer 10.x ...
> http://secunia.com/secunia_research/2007-93/advisory/ ...
Changelog: ...2008-07-29: Updated advisory based on additional information from Secunia Research showing that the updated RealPlayer 11.0.3 Build 6.0.14.806 is still affected by vulnerability #1 when handling the "Controls" and "WindowName" properties. Updated status and "Solution" sections... users are advised to set the kill-bit for the ActiveX control...

* http://service.real.com/realplayer/security/07252008_player/en/
Updated July 25, 2008
...Details for Potential Vulnerabilities:
* Vulnerability 1: The identified vulnerability is a RealPlayer ActiveX controls property heap memory corruption;
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1309
Last revised: 3/13/2008
* Vulnerability 2: The identified vulnerability is a Local resource reference vulnerability in RealPlayer;
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3064
Original release date: 7/28/2008*...
* Vulnerability 3: The identified vulnerability is a RealPlayer SWF file heap-based buffer overflow;
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5400
Original release date: 7/28/2008*...
* Vulnerability 4: The identified vulnerability is a RealPlayer ActiveX import method buffer overflow;
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3066
Original release date: 7/28/2008 - *"...vulnerability is currently undergoing analysis and not all information is available..."

NOTES:
1. CVE details "...currently undergoing analysis..."
2. Problems w/install of update - hangs w/CPU at 100%.

:fear: