
Subject: US-CERT Cyber Security Alert SA07-297A -- RealNetworks RealPlayer ActiveX Playlist Vulnerability
Date: Wed, 24 Oct 2007 15:24:49 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

           National Cyber Alert System
         Cyber Security Alert SA07-297A


RealNetworks RealPlayer ActiveX Playlist Vulnerability

   Original release date: October 24, 2007
   Last revised: --
   Source: US-CERT

Systems Affected

     * RealPlayer 11 beta
     * RealPlayer 10.5
     * RealPlayer 10
     * RealOne Player v2
     * RealOne Player

Overview

   RealNetworks RealPlayer for Microsoft Windows contains a vulnerability
   that could allow an attacker to take control of your computer when you
   visit a malicious web site.

Solution

Upgrade and install a patch

   RealNetworks has released a patch to address this vulnerability.
   Information about the vulnerability and the patch is available in the
   RealNetworks RealPlayer Security Update page and the Security Update
   for RealPlayer document listed under References.
     * RealPlayer 10.5 and RealPlayer 11 beta users should install the
       patch.
     * RealOne Player v2 and RealPlayer 10 users should upgrade to
       RealPlayer 10.5 or RealPlayer 11 beta and then install the patch.

   Windows versions of RealPlayer 8 and earlier are not affected.
   Macintosh and Linux versions of RealPlayer are not affected.

Disable ActiveX for untrusted web sites

   Disabling ActiveX in the Internet Zone (or any zone used by an
   attacker) reduces the chances of exploitation of this and other
   vulnerabilities. Instructions for disabling ActiveX in the Internet
   Zone can be found in the "Securing Your Web Browser" document.

   There are public reports that this vulnerability is being actively
   exploited.
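   The following PowerShell script is an added example and is not part of
   the US-CERT alert or of RealNetworks' guidance. It shows the two
   registry-level forms of the workaround above: hardening the Internet
   Zone (zone 3) so ActiveX controls are neither downloaded nor run, and,
   going one step further than the alert, setting the kill bit for a single
   control by CLSID. The zone "URL action" IDs (1001, 1004, 1200, 1201,
   1405), the data values (0 enable, 1 prompt, 3 disable) and the kill-bit
   flag 0x400 under "ActiveX Compatibility" are documented Internet
   Explorer settings. The CLSID passed to Set-ActiveXKillBit is an input
   the operator must take from the vendor bulletin; the alert does not list
   the RealPlayer control's CLSID, and the CLSID in the usage comment is a
   placeholder, not the real one.

```powershell
# Added example, not from the US-CERT alert. Harden the IE Internet Zone so ActiveX
# controls are not downloaded or run, and optionally kill-bit one control by CLSID.
# Zone settings below are per-user (HKCU); the kill bit needs an elevated session (HKLM).
#
# URL action IDs under Zones\3 (documented IE settings):
#   1001 = Download signed ActiveX controls
#   1004 = Download unsigned ActiveX controls
#   1200 = Run ActiveX controls and plug-ins
#   1201 = Initialize and script ActiveX controls not marked as safe
#   1405 = Script ActiveX controls marked safe for scripting
# Data: 0 = Enable, 1 = Prompt, 3 = Disable

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ActiveXActions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$Disable = 3

function Get-InternetZoneActiveXState {
    # Report each ActiveX action with its current value and whether it is disabled.
    foreach ($id in ($ActiveXActions.Keys | Sort-Object)) {
        $item  = Get-ItemProperty -Path $ZonePath -Name $id -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.$id } else { $null }
        [pscustomobject]@{
            Action   = $id
            Meaning  = $ActiveXActions[$id]
            Value    = $value
            Disabled = ($value -eq $Disable)
        }
    }
}

function Set-InternetZoneActiveXDisabled {
    # Export the zone key as a backup, then set every ActiveX action to Disable (3).
    param([string]$BackupPath = "$env:TEMP\zone3-activex-backup.reg")
    reg.exe export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' $BackupPath /y | Out-Null
    foreach ($id in $ActiveXActions.Keys) {
        Set-ItemProperty -Path $ZonePath -Name $id -Value $Disable -Type DWord
    }
    Get-InternetZoneActiveXState
}

function Set-ActiveXKillBit {
    # Set Compatibility Flags |= 0x400 for a CLSID so IE refuses to instantiate the control
    # in any zone. The CLSID is an input: take it from the vendor bulletin for the control.
    param([Parameter(Mandatory)][string]$Clsid)
    if ($Clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { throw "CLSID must look like {GUID}: $Clsid" }
    $killPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $killPath)) { New-Item -Path $killPath -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $killPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = if ($existing) { $existing -bor 0x400 } else { 0x400 }
    Set-ItemProperty -Path $killPath -Name 'Compatibility Flags' -Value $flags -Type DWord
    (Get-ItemProperty -Path $killPath -Name 'Compatibility Flags').'Compatibility Flags'
}

# Usage:
#   Get-InternetZoneActiveXState | Format-Table
#   Set-InternetZoneActiveXDisabled
#   Set-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}'   # placeholder CLSID
```

   Two caveats a practitioner should check before relying on this: if the
   machine has the Security_HKLM_only policy set or zone settings managed
   by Group Policy, the HKCU values written here are ignored and the
   equivalent HKLM keys must be changed instead; and the zone hardening
   only covers pages that land in the Internet Zone, so a page served from
   a zone the user has relaxed (Trusted Sites, Local Intranet) is still
   able to load the control unless it is kill-bitted.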

Description

   A buffer overflow in the way RealPlayer handles playlists received
   from an ActiveX control on a web page could allow an attacker to
   access your computer, install and run malicious software on your
   computer, or cause it to crash.

   More technical information is available in US-CERT Technical Cyber
   Security Alert TA07-297A and Vulnerability Note VU#871673.


References

   * RealNetworks RealPlayer Security Update -
     <http://service.real.com/realplayer/security/191007_player/en/>
     
   * Security Update for RealPlayer -
     <http://docs.real.com/docs/security/SecurityUpdate101907Player.pdf>

   * US-CERT Technical Cyber Security Alert TA07-297A -
     <http://www.us-cert.gov/cas/techalerts/TA07-297A.html>
     
   * US-CERT Vulnerability Note VU#871673 -
     <http://www.kb.cert.org/vuls/id/871673>
     
   * Securing Your Web Browser -
     <http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>

 _________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/alerts/SA07-297A.html>
 _________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "SA07-297A Feedback VU#871673" in the
   subject.
 _________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 _________________________________________________________________

   Produced 2007 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 _________________________________________________________________

Revision History

   October 24, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRx+bRPRFkHkM87XOAQK5tQf/ZMQAEfnLtS3QTAtayioNbJ4hB3ccG73H
ew/1cw7H4jxOuNVyIeHcExKfddkR0+MXWnhreTfx1obN7dBc7CfaNqfsO9eJow1h
57Isp8dRzWnysdrLggZLq8EBqVo0X+Cw8AU7Db9CC/ciL43B45hkCXmfQrjK7pgB
L3V2CLROQapEXq08N0WG1h6ViW9eLqCEcnYPR+X3L+roI6C0/B6pHqf/xlVznKPL
67VM8v40kVEf2ARh/jfDe2TCqOWBqB/nqUz5RT8/bl7vqjqdZm/QwecxPqPTZIPM
YwJVB578Eqz+KqZISS7te3vSRp51Abg8mtSgBsSrSjiYSUISteEoAA==
=W+3F
-----END PGP SIGNATURE-----
