Symantec Blogs: Security Response

Masaki Suenaga | October 18th, 2007

Yesterday we became aware of an in-the-wild exploitation of a previously unknown RealPlayer vulnerability. This unpatched vulnerability affects the latest versions of RealPlayer and RealPlayer 11 BETA distributed on their site. The issue affects an ActiveX object in the RealPlayer component ierpplug.dll.

This DLL has been exploited in the past, although only remote denial of service was achieved at the time. It appears that the miscreants have refined their technique to achieve code execution. The parameter passed to the vulnerable method of the ActiveX control appears to allow only character strings, which is most likely why the shellcode is made up of only English letters (A~Z) and numbers (0~9). Intel IA-32 CPUs can execute these characters directly as instructions that modify machine code on the fly.

The malicious .html...

Masaki Suenaga | July 29th, 2007

Some file formats are more vulnerable to exploits than others. Document and spreadsheet programs, for example, are often exploited, possibly as much because of their prevalence on desktops as for any other reason. That said, updating them is often easier precisely because of their widespread use, since updates are often automatic or are otherwise easily obtained.

Less pervasive programs, though, are often harder to keep current. A prime example of this is the archive format, with extensions such as .zip, .rar, etc. There are a large number of different programs available for different platforms; more importantly, they have historically been quite vulnerable to exploits.

When security vendors discuss a newly-identified vulnerability in a program, there is always the hope that users have the latest version or that they will quickly upgrade. As we all know, though, the reality is quite different. Even at the enterprise level, employees of any given company are...