Mar 24, 2011 08:54 GMT

A critical RealPlayer vulnerability that could be exploited in drive-by download attacks has been disclosed as a zero-day.

According to Luigi Auriemma, the independent security researcher who discovered it, the flaw is a classic heap overflow in rvrender.dll that occurs when handling Internet Video Recording (IVR) files.

It is "caused by the allocation of a certain amount of data (frame size) decided by the attacker and the copying of another arbitrary amount on the same buffer," the researcher explains.
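The pattern the researcher describes is the familiar one where one attacker-controlled field sizes the allocation and a second, independently controlled field sizes the copy into it. The following is an added example written for this article, not code from rvrender.dll, RealNetworks or Auriemma's advisory; the eight-byte record layout (a frame size followed by a payload length) is a constructed toy format and does not model the real IVR file structure. It shows the unchecked version beside a hardened parser that validates the copy length against both the allocation and the bytes actually present in the input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy record layout (hypothetical, NOT the real IVR format):
 *   uint32 frame_size   little-endian, size of the buffer the parser allocates
 *   uint32 payload_len  little-endian, number of bytes that follow and are copied
 *   payload_len bytes of payload
 */
#define HDR_LEN   8u
#define MAX_FRAME (1u << 20)   /* assumed sanity cap on a single frame allocation */

enum { FRAME_OK = 0, FRAME_ERR_TRUNCATED = -1, FRAME_ERR_TOO_LARGE = -2, FRAME_ERR_ALLOC = -3 };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable pattern, shown for contrast only: the allocation is sized by
 * frame_size, the copy by payload_len, and nothing ties the two together.
 * A record whose payload_len exceeds frame_size writes past the heap chunk. */
static uint8_t *parse_frame_unchecked(const uint8_t *in, size_t in_len) {
    if (in_len < HDR_LEN) return NULL;
    uint32_t frame_size  = rd_le32(in);
    uint32_t payload_len = rd_le32(in + 4);
    uint8_t *buf = malloc(frame_size);
    if (!buf) return NULL;
    memcpy(buf, in + HDR_LEN, payload_len);   /* no bound: heap overflow when payload_len > frame_size */
    return buf;
}

/* Hardened form: every length is checked against the allocation it targets
 * and against the input that is actually available before any copy happens. */
static int parse_frame_checked(const uint8_t *in, size_t in_len, uint8_t **out, size_t *out_len) {
    *out = NULL;
    *out_len = 0;
    if (in_len < HDR_LEN) return FRAME_ERR_TRUNCATED;
    uint32_t frame_size  = rd_le32(in);
    uint32_t payload_len = rd_le32(in + 4);
    if (frame_size > MAX_FRAME)          return FRAME_ERR_TOO_LARGE;  /* refuse absurd allocations */
    if (payload_len > frame_size)        return FRAME_ERR_TOO_LARGE;  /* the check the flaw lacks */
    if (payload_len > in_len - HDR_LEN)  return FRAME_ERR_TRUNCATED;  /* never read past the input */
    uint8_t *buf = calloc(frame_size ? frame_size : 1, 1);
    if (!buf) return FRAME_ERR_ALLOC;
    memcpy(buf, in + HDR_LEN, payload_len);
    *out = buf;
    *out_len = payload_len;
    return FRAME_OK;
}

/* Helper to build a constructed record for testing the parser. Returns the
 * record length, or 0 if the output buffer is too small. */
static size_t build_frame(uint32_t frame_size, const uint8_t *payload, uint32_t payload_len,
                          uint8_t *out, size_t out_cap) {
    if (out_cap < HDR_LEN + (size_t)payload_len) return 0;
    wr_le32(out, frame_size);
    wr_le32(out + 4, payload_len);
    memcpy(out + HDR_LEN, payload, payload_len);
    return HDR_LEN + payload_len;
}

int main(void) {
    uint8_t rec[64];
    const uint8_t payload[4] = {1, 2, 3, 4};   /* constructed sample payload */
    uint8_t *out = NULL;
    size_t out_len = 0;

    /* consistent record: 4-byte payload into a 16-byte frame */
    size_t n = build_frame(16, payload, 4, rec, sizeof rec);
    printf("consistent record  -> %d\n", parse_frame_checked(rec, n, &out, &out_len));
    free(out);

    /* mismatched record: header promises a 2-byte frame but carries 4 bytes */
    n = build_frame(2, payload, 4, rec, sizeof rec);
    printf("mismatched record  -> %d\n", parse_frame_checked(rec, n, &out, &out_len));

    (void)parse_frame_unchecked;   /* not called: exists only to show the flawed shape */
    return 0;
}
```

The hardened parser deliberately checks three separate things: that the allocation request is bounded, that the copy cannot exceed the allocation, and that the copy cannot read beyond the bytes the caller actually supplied. Any one of those missing reproduces a memory-safety defect of the kind described in the advisory.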

RealPlayer 14.0.2.633 for Windows is confirmed as vulnerable, and older versions of the player, as well as builds for other supported platforms, are likely affected too.

Luigi Auriemma is an adherent of the full-disclosure vulnerability reporting philosophy, which means the developer, RealNetworks, was probably not notified in advance.

RealPlayer is a proprietary media player that gained much popularity during the '90s for being one of the first to implement media streaming capabilities.

Today its market share is fairly low because users have since moved to open source alternatives like VLC, but even so, it is still used to support RealNetworks' proprietary video and audio formats.

It's not certain when the vendor will respond with a patch because the company doesn't have a particularly great track record when it comes to providing timely fixes.

In the meantime, users can manually remove the browser plug-ins and ActiveX controls in order to close the Web attack vector.

The same day when he disclosed the RealPlayer vulnerability, Auriemma also published details and exploit code for 34 critical flaws found in several SCADA products.

Those advisories have generated quite a stir in the security community and temporarily re-launched the full disclosure vs. responsible disclosure discussion.