Manufacturer responds rapidly to serious security hole.
A zero-day vulnerability in the popular media playing system
RealPlayer
was spotted being exploited in the wild late last week, with several trojans penetrating vulnerable systems from malicious websites in silent drive-by downloads.
The flaw is in a piece of code previously exploited to cause denial of service, but thought to be safe from remote code exploitation until this discovery. Responding speedily to warnings posted on the
Symantec
blog and elsewhere, manufacturer
RealNetworks
managed to turn around an update to fix the problem the same day.
The exploit uses
ActiveX
and thus only affects
Windows
users running
Internet Explorer
. The patch, available from
Real
here
, works for version 10.5 and the beta of version 11 recently made available, and any users still running earlier versions are advised by
Real
to upgrade to the latest edition and apply the patch to ensure they are safe from exploitation.
Details of the attack are on the
Symantec
blog
here
or at
McAfee
here
.
Those
Windows
users who choose to shun popular exploitation target
Internet Explorer
in favour of other browsers should beware of feeling too smug however. Both
Opera
and
Firefox
require patching after a series of fixes for important security issues were released last week. Overviews of the problems, and the updates to fix them, are at
Secunia
here
(for
Firefox
) and
here
(for
Opera
).
Posted on 22 October 2007 by
Virus Bulletin
Leave a Reply