RealPlayer Input Validation Flaw in 'ierpplug.dll' Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1018843
SecurityTracker URL: http://securitytracker.com/id?1018843
CVE Reference: CVE-2007-5601
Updated: Mar 19 2008
Original Entry Date: Oct 22 2007
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 10.5, 11 beta

Description: A vulnerability was reported in RealPlayer. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create specially crafted HTML that, when loaded by the target user, will load an ActiveX control and trigger a flaw in 'ierpplug.dll' to execute arbitrary code on the target system. The code will run with the privileges of the target user.

The CLSID of the vulnerable control is: FDC7A535-4070-4B92-A0EA-D9994BCC0DC5

Linux and Macintosh versions of the player are not affected.

This vulnerability is being actively exploited.

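For triage of saved pages or proxy-captured HTML, the following added example (not part of the original advisory) flags any reference to the CLSID given above, whether in an `<object classid>` attribute, another attribute, or script text. The names `ClsidScanner` and `scan_html` are hypothetical and the sample page is constructed.

```python
import re
from html.parser import HTMLParser

# CLSID of the vulnerable control, copied from this advisory.
VULN_CLSID = "FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"
CLSID_RE = re.compile(re.escape(VULN_CLSID), re.IGNORECASE)

class ClsidScanner(HTMLParser):
    """Records (line, kind) for every reference to VULN_CLSID."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        # Attribute values arrive with character references already decoded,
        # so an entity-encoded CLSID is matched as well.
        for name, value in attrs:
            if value and CLSID_RE.search(value):
                direct = tag == "object" and name == "classid"
                kind = "object-classid" if direct else "attribute"
                self.findings.append((self.getpos()[0], kind))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies and plain text may carry the CLSID inside a string.
        for m in CLSID_RE.finditer(data):
            line = self.getpos()[0] + data.count("\n", 0, m.start())
            self.findings.append((line, "script" if self._in_script else "text"))

def scan_html(html):
    scanner = ClsidScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page (not taken from any real site).
SAMPLE = """<html><body>
<object classid="clsid:FDC7A535-4070-4B92-A0EA-D9994BCC0DC5" id="a"></object>
<OBJECT CLASSID="CLSID:&#102;dc7a535-4070-4b92-a0ea-d9994bcc0dc5"></OBJECT>
<script>var c = "{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}";</script>
</body></html>"""

if __name__ == "__main__":
    print(scan_html(SAMPLE))
```

A hit only shows that the page references the control; whether the installed player is still vulnerable depends on the vendor patch described under Solution.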
Impact: A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.

Solution: The vendor has issued a patch for version 10.5 and 11 beta, available at:
http://www.service.real.com/realplayer/security/191007_player/en/securitydb.rnx

The vendor advises RealOne Player, RealOne Player v2 and RealPlayer 10 users to upgrade to version 10.5 or version 11 beta and then apply the patch.

The vendor advisory is available at:
http://www.service.real.com/realplayer/security/191007_player/en/

Vendor URL: www.service.real.com/realplayer/security/191007_player/en/
Cause: Input validation error
Underlying OS: Windows (Any)
Message History:
None.
Source Message Contents
Date: Sun, 21 Oct 2007 23:37:17 -0400
Subject: RealPlayer Security Vulnerability
http://www.service.real.com/realplayer/security/191007_player/en/
BID:26130