Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Multimedia)  >   RealOne (RealPlayer) Vendors:   RealNetworks
RealPlayer Input Validation Flaw in 'ierpplug.dll' Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1018843
SecurityTracker URL:
CVE Reference:   CVE-2007-5601   (Links to External Site)
Updated:  Mar 19 2008
Original Entry Date:  Oct 22 2007
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 10.5, 11 beta
Description:   A vulnerability was reported in RealPlayer. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create specially crafted HTML that, when loaded by the target user, will load an ActiveX control and trigger a flaw in 'ierpplug.dll' to execute arbitrary code on the target system. The code will run with the privileges of the target user.

The CLSID of the vulnerable control is: FDC7A535-4070-4B92-A0EA-D9994BCC0DC5

Linux and Macintosh versions of the player are not affected.

This vulnerability is being actively exploited.

Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   The vendor has issued a patch for version 10.5 and 11 beta, available at:

The vendor advises RealOne Player, RealOne Player v2 and RealPlayer 10 users to upgrade to version 10.5 or version 11 beta and then apply the patch.

The vendor advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

[Original Message Not Available for Viewing]

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC