RealPlayer exploit mystery "hijacked ad server unfolds"

A week after Symantec security researchers traced the elaborate course of a malware exploit -- apparently devised in the Netherlands -- to what may be a compromised ad server belonging to Internet advertising company 24/7 Real Media, the attack method isn’t fully understood.The investigation started publicly last Friday when Symantec issued a 10-page DeepSight Threat […]

A week after Symantec security researchers traced the elaborate course of a malware exploit -- apparently devised in the Netherlands -- to what may be a compromised ad server belonging to Internet advertising company 24/7 Real Media, the attack method isn’t fully understood.

The investigation started publicly last Friday when Symantec issued a 10-page DeepSight Threat Management System Threat Analysis written by Aaron Adams, Raymond Ball and Anthony Roe. The report accurately detailed the discovery of a zero-day attack based on a buffer overflow vulnerability in an ActiveX control in the popular desktop media player, RealPlayer from RealNetworks.

“It’s an ActiveX vulnerability, and this RealPlayer exploit runs JavaScript,” said Oliver Friedrichs, director of Symantec’s security response division. “The ActiveX control allows the malicious code to run, and it downloads a Trojan, one called Zonebac, which can disable security applications, modify the registry and perhaps later download more code. Just having RealPlayer on the desktop was enough.”

Full Article

 Symantec, Real Media, RealPlayer, Vulnerability, Exploit