SANS ISC: InfoSec Handlers Diary Blog - Realplayer Vulnerability



Realplayer Vulnerability

Published: 2008-01-04
Last Updated: 2008-01-05 20:13:55 UTC
by Scott Fendley (Version: 5)
0 comment(s)

Good morning everyone,

Earlier this week, Evgeny Legerov reported a vulnerability in Real Player which could allow an attacker to execute code on victim computers. At this moment in time there is no patch or other workaround for this vulnerability, though I would expect that limiting end-user privileges would limit the potential impact.

Until an update is available, I recommend that you limit viewing of multimedia content with Real Player. It would be worthwhile to plan on rolling the eventual update out alongside any operating system updates that are scheduled to be released soon.

For more information on this vulnerability, please see:

http://secunia.com/advisories/28276/
http://www.frsirt.com/english/advisories/2008/0016

Update 15:10 UTC: While you're at it, consider blocking access to uc8010-dot-com. If you do a Google search for this domain, you'll understand why: a lot of injection of a malicious 0.js from this domain is currently going on, and plenty of web sites seem to contain this booby trap. One of the IFRAMEs fetched from this site, the file "r.htm", contains a RealPlayer exploit. It is still the one from last month (www.kb.cert.org/vuls/id/871673), but if they happen to re-tool to the new vulnerability, things might get ugly.

Update 16:30 UTC: One of our readers noted that there are a number of state government and educational sites that appear to have been compromised with the uc8010 domain. Upon review, I see that some of these have already been cleaned up. However, the .gov and .edu sites are only a few of the many, many sites that are turned up via Google searches for the uc8010 domain. As that domain was only registered as of Dec 28th, the compromises of these websites probably occurred in the past week.

I recommend that our readers check via Google whether their site shows any references to uc8010. Alternatively, look on your webservers to see if there have been any unauthorized changes to web pages in the past week.

Update 00:30 UTC 5 JAN 08: Looks like there is another domain hosting a similar script. In addition to uc8010, check your flows for "ucmal.com".
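The two checks recommended above (look for references to the uc8010 and ucmal domains in your own pages, and look for files on the webserver changed in the past week) can be scripted. The following is an added example, not part of the diary or of any ISC tool: it greps a web root for either domain and lists recently modified files. The domain list comes from the diary; the web root path, the file extensions scanned, and the sample pages it builds for a dry run are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the ISC diary): scan a web root for injected
# references to the domains named in the diary, and list recently changed
# files. The web root path and scanned extensions are assumptions.

# Domains named in the diary updates, dots escaped for grep -E.
INJECT_DOMAINS='uc8010\.com|ucmal\.com'

# Print "path:line:content" for every HTML/JS/PHP file under $1 that mentions
# one of the domains (case-insensitive). /dev/null is passed to grep so the
# file name is always printed, even when find hands grep a single file.
find_injected_refs() {
    webroot="$1"
    find "$webroot" -type f \
        \( -name '*.htm' -o -name '*.html' -o -name '*.js' -o -name '*.php' \) \
        -exec grep -n -E -i "$INJECT_DOMAINS" /dev/null {} + 2>/dev/null
}

# Number of distinct files under $1 that reference a listed domain.
count_injected_files() {
    find_injected_refs "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# List files under $1 modified within the last $2 days (default 7), matching
# the diary's "unauthorized changes in the past week" check.
recently_modified() {
    webroot="$1"
    days="${2:-7}"
    find "$webroot" -type f -mtime "-$days" -print 2>/dev/null
}

# Build a constructed sample web root so the scanner can be exercised offline.
# The pages are made up for this example and are not real compromised content.
make_sample_webroot() {
    dir=$(mktemp -d)
    printf '<html><body>Nothing to see here.</body></html>\n' > "$dir/clean.html"
    printf '<p>News</p><iframe src="http://uc8010.com/r.htm" width=0 height=0></iframe>\n' > "$dir/index.html"
    printf 'document.write("<script src=http://UCMAL.com/0.js></script>");\n' > "$dir/app.js"
    echo "$dir"
}

# Usage: sh scan_webroot.sh /var/www [days]
if [ "$#" -gt 0 ]; then
    echo "== Files under $1 referencing known injection domains =="
    find_injected_refs "$1"
    echo "== Files under $1 modified in the last ${2:-7} days =="
    recently_modified "$1" "${2:-7}"
fi
```

Run it against the real document root of each server; a hit from the first list is a page to clean and a file in the second list that nobody on staff changed is worth a closer look. Add further domains to INJECT_DOMAINS as new ones are reported.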

Update 17:52 UTC JAN 08: We have gotten reports of embedded script links to ucmal on MySpace. It is probably safe to assume that other social networking sites have it as well.
