Exploit code found serving from popular advertising site

Real readies patch for player's zero-day bug

October 19, 2007 12:00 PM ET

Computerworld - RealNetworks Inc. said it would publish a patch later Friday for its RealPlayer media program to protect users from ongoing attacks. Less than 24 hours before, Symantec Corp. had issued a high-level alert that warned of a critical vulnerability in RealPlayer that could be used against anyone browsing the Web with Internet Explorer.

The bug came to light after the NASA space agency warned employees of a spike in attacks that it said originated from advertisements placed on "well-known" but unnamed news sites.

"Real has created a patch for RealPlayer 10.5 and RealPlayer 11 that addresses the vulnerability identified by Symantec on 10/18," said Russ Ryan, RealPlayer's general manager for product development, in a posting to a company blog today.

NASA knew first

Late Thursday, Symantec released a warning to customers of its DeepSight threat network that said an ActiveX control installed by RealPlayer was flawed. When combined with Microsoft Corp.'s Internet Explorer (IE) browser -- which relies on ActiveX controls to extend its functionality -- the bug can be exploited and malicious code downloaded to any PC that wanders to a specially crafted site.

Only systems on which both RealPlayer and IE have been installed are vulnerable.

Symantec hinted that it first found out about the vulnerability by reading a blog that had posted information about the bug Wednesday morning. The blogger, identified only as Roger, claimed that NASA had warned workers not to use IE because of an unspecified problem with RealPlayer.

On Friday, agency spokesman Mike Mewhinney confirmed Roger's account. According to Mewhinney, who works at the Ames Research Center south of San Francisco, the alert went out Tuesday. Employees were told of a surge in security problems at Ames and other NASA centers, and informed that systems running IE and RealPlayer had been infected, apparently by malicious code downloaded after visiting legitimate sites.

"Recent indicators point to well-known news sites which may be hosting advertisements from ad servers that redirect the users to malware hosting sites," the NASA warning said. Workers were also instructed to limit their use of IE to browsing NASA's intranets, and to "Use non Internet Explorer browsers, such as Mozilla Firefox, Opera, etc., for sites external to NASA."

Symantec ranked the attack as a "10" on its urgency scale because it confirmed that attacks were being conducted in the wild; those attacks had resulted in malicious code being downloaded to victimized PCs. Originally, however, Symantec saw a silver lining. "We are not currently aware of widespread exploitation of this issue," the company's Thursday warning read.

But then...

By Friday, however, Symantec had changed its tune.
