• On The Insider: Bruno Film Edited Due to Jackson's Death
March 11, 2008 9:58 AM PDT

RealPlayer vulnerable in Internet Explorer

by Robert Vamosi

If you use the RealPlayer on Internet Explorer, watch out. Researcher Elazar Broad has posted to the Full Disclosure mailing list a so-called heap overflow vulnerability that makes it possible for an attacker to modify heap blocks after they are freed and overwrite certain registers. This could allow code execution on a compromised machine. The vulnerability affects all versions of RealPlayer running under Internet Explorer.

Exploit code for this flaw has not yet been made public.

Without a patch from RealPlayer, security experts recommend disabling the killbit for the following ActiveX ClassIDs:

  • 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93
  • CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA
Please note that disabling the killbits above will also remove some functionality within the player.

To avoid the loss of functionality, security experts recommend using RealPlayer in a browser that doesn't support ActiveX, such as Mozilla Firefox (for Windows and Mac).

Originally posted at Defense in Depth
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Topics:

Security,

Music

Tags:

security,

Real,

RealPlayer,

Elazar Broad,

ActiveX,

Internet Explorer,

Firefox

Share:
Digg
Del.icio.us
Reddit
Recent posts from Crave
iPhone 3GS jailbreak, 'purplera1n,' hits Web
Apple patents point to haptics, fingerprints, RFID
Friday Poll: We the ppl--imagining a digital 1776
Gadgettes 144: The Childhood Nostalgia Episode
Duet D8 is no iPhone clone
Rocking out with stereo Bluetooth
Indecent Exposure 53: Inundation expressed
TracFone offers $45 unlimited plan
advertisement

About Crave

The name says it all. Crave is our blog about gorgeous gadgets and other crushworthy stuff. If you would like to contact Crave with a tip or comment, please write to: crave@cnet.com

Add this feed to your online news reader

Crave topics

Making sense of Windows 7 upgrades

faq The basics and the fine print on Microsoft's options for those eyeing the next operating system from Redmond.
• Full Windows 7 coverage

Road Trip 2009: Big Sky Country

CNET News reporter Daniel Terdiman takes his car full of gadgets to the Rockies and the Great Plains in search of tech, science, nature, and more.
• America's Fortress: Cheyenne Mountain

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET