
Non-Profits

You are currently browsing the articles from MS Windows Vista Compatible Software matching the category Non-Profits.

TechSoup Stock New Product Alert - November 2007

A

Written by bardissi on November 12th, 2007 with no comments.

Update to “RealPlayer Vulnerability Discovered in the Wild”

More Vulnerabilities Found; More Platforms Affected

Severity: High

26 October, 2007

Update:

On Monday 22 October, we published an alert about a serious vulnerability that affects RealPlayer 10.5 and RealPlayer 11 beta running on Windows. By enticing one of your users to a malicious Web site, an attacker can exploit this vulnerability to execute code on your user’s computer, with your user’s privileges. In the worst case scenario, the attacker could gain total control of the victim’s PC. RealNetworks released a patch to fix that problem. However, it appears that update marked just the beginning of RealNetworks security holes.

Late yesterday, RealNetworks released the second batch of security updates this week, this time fixing six serious vulnerabilities in their media player product line. Here’s what you need to know about the new flaws.

The new flaws affect many more products than the earlier flaw did, including products that run in OS X and Linux. The affected products now include:

  • RealPlayer 8, 10, 10.5, 11 for Windows, Mac, and Linux
  • RealOne Player v1 and v2 for Windows, and RealOne Player for Mac
  • RealPlayer Enterprise
  • Helix Player 10.0.x for Linux.

Though these new flaws differ from one another technically, they share many similarities. For example, all six flaws involve buffer overflow vulnerabilities triggered when RealPlayer parses specially crafted media files. They also share the same scope and impact. If an attacker can entice one of your users into downloading a maliciously crafted media file, then playing it in RealPlayer, the attacker can exploit any of these vulnerabilities to execute attack code on that user’s computer. Depending on the user’s privileges, an attacker could even exploit these flaws to gain control of the victim’s machine. The only notable difference among the flaws is that an attacker uses a different media file format to exploit each one. The potentially dangerous media files that trigger these flaws are:

Unlike the flaw covered in our 22 October alert, RealNetworks has not found attackers exploiting these new flaws in the wild yet. Nonetheless, these security holes pose a serious threat to RealPlayer users. You should download, test, and deploy these new patches as soon as you can, whether or not you applied the previous RealPlayer update from Monday. How you download the updates differs depending on which product you use. Refer to the “Instructions” section of RealNetworks’ security update for detailed directions on patching the different media player products.

As a convenient reference, we’ve duplicated the 22 October RealPlayer alert, below. You can also find it in the LiveSecurity Latest Broadcasts archive.


Summary:

Late Friday, RealNetworks released a patch for a critical vulnerability affecting RealPlayer 10.5 and RealPlayer 11 beta running on Windows. By enticing one of your users to a malicious Web site, an attacker can exploit this vulnerability to execute code on your user’s computer, with your user’s privileges. In the worst case scenario, the attacker could gain total control of the victim’s PC. If you allow the use of RealPlayer in your network, have your users upgrade immediately.

Exposure:

RealPlayer and RealOne Player are widely-used software for Internet media delivery. RealOne Player plays virtually every major Internet media format, including Windows Media, Quicktime, MPEG-4, and even DVDs. If you’ve watched streaming videos on the Internet, or listened to music samples while buying CDs online, you’ve probably encountered RealPlayer.

WatchGuard does not recommend using RealPlayer or RealOne Player, partly because both contain automatic communication features which, by default, let RealNetworks and RealNetworks’ “partners” (such as NASCAR and CNN) install software on your client computers. But in reality, many of your users have probably installed one of these products, with or without your permission.

In a security update released late Friday, RealNetworks warned of a new vulnerability that affects RealPlayer 10.5 and 11 beta running on Windows. (OS X and Linux users are not affected.) The flaw, discovered in the wild by Symantec, involves a buffer overflow vulnerability in one of RealPlayer’s ActiveX controls (specifically, ierpplug.dll). By enticing one of your users to a malicious Web site, an attacker can pass an over-long parameter to the vulnerable ActiveX control, which triggers the buffer overflow flaw. The attacker can then exploit the flaw to execute code on your user’s computer, inheriting your user’s privileges. Windows administrators often give users local administrator rights. If the exploit is successful in that context, the attacker would gain complete control of your user’s machine.

Symantec found attackers exploiting this vulnerability in the wild. In other words, the bad guys found the flaw first and are actively using it to break into computers. If you use RealPlayer in your network, this vulnerability poses a critical risk. You should apply RealNetworks’ update immediately.

Solution Path:

RealNetworks has released a patch to correct this vulnerability. Clients who use RealPlayer 10.5 or 11 beta in Windows should upgrade immediately, or remove the software entirely. You can download RealNetworks’ patch here.

For All WatchGuard Users:

The vulnerability described in our alert uses normal HTTP traffic, which you must allow for your users to browse the Web. If you use RealPlayer in your network, you should download RealNetworks’ update as soon as possible.

Status:

RealNetworks has issued a Security Update that fixes the problem.

References:

Symantec’s RealPlayer Alert

Written by bardissi on October 26th, 2007 with no comments.

Special Telosa Fundraising Software Event at TechSoup Stock This Wednesday, October 17

Here’s a friendly reminder about our special promotion this Wednesday, October 17 for Telosa Basic! Exceed 2.0 fundraising software. Learn more about the promotion and this software’s powerful donor management tools at http://www.techsoup.org/stock/promo

 

Eligible nonprofits will be able to place orders for specially discounted Telosa Exceed! Basic fundraising software for only $90. After the special offer ends, our standard administrative fee of $299 will apply. This offer will be open for 8 hours only on October 17, from 8 am to 4 pm Pacific time (11 am to 7 pm Eastern time).

 

This extra-generous discount is available for a limited time thanks to Telosa. Learn more about the special offer at http://www.techsoup.org/stock/promo

 

ELIGIBILITY

This special offer is available to U.S. 501(c)(3) nonprofits, Canadian charitable organizations, and public libraries (U.S. and Canada) with annual operating budgets less than or equal to US$500,000. For details on eligibility requirements, visit:

http://ga0.org/ct/C1LRaAn184Y4/

 

HOW TO PLACE YOUR PRODUCT REQUEST

Visit http://www.techsoup.org/stock/promo and place your product request at TechSoup Stock for 8 hours only on October 17, from 8 am to 4 pm Pacific time (11 am to 7 pm Eastern time).

 

IMPORTANT: Make sure your organization’s email address and mailing address are up to date in our records. To view or update your organization’s profile, follow the instructions on this web page: http://ga0.org/ct/VpLRaAn184YX/

 

ABOUT TELOSA EXCEED! BASIC

Exceed! Basic 2.0 fundraising software enables users to streamline and automate many of the routine, time-consuming tasks associated with fundraising and donor management. As a result, nonprofits can focus more time and resources on their missions. With Exceed! Basic, users can organize donor databases, track critical donor and gift information, efficiently communicate with donors via mailings and emailings, and generate reports to analyze fundraising campaigns. Learn more about Exceed! Basic at http://www.techsoup.org/stock/promo

 

SPREAD THE WORD!

Let your colleagues at other nonprofits know about the Telosa special promotion so that even more nonprofits can benefit from these savings.

 

On behalf of TechSoup Stock and Telosa, I look forward to your participation in our October 17 special event!

 

Sincerely,

 

Rebecca Masisak

Co-CEO, CompuMentor/TechSoup

Written by bardissi on October 15th, 2007 with no comments.

Security Shorts From Lavasoft

Hacked GOP Site Infects Visitors with Malware
The now-infamous Storm Trojan horse is using new distribution methods to attack unsuspecting victims. Where it once used e-mail attachments or embedded links in spam, it has now turned to website exploits, recently infecting PC users through a Republican party website in Wisconsin, USA.


Germany Arrests 10 in Global Internet Scam Raids
After an 18-month probe, German police have arrested 10 people in Russia, Ukraine, and Germany in connection with an international Internet scam that may have cost victims hundreds of thousands of euros. The accused used phishing techniques to lure bank customers into answering fake eBay or Deutsche Telekom e-mails, and then installed a Trojan horse to record their personal data.

Great Firewall of China More Like Chain-Link Fence
Researchers at the University of California at Davis and the University of New Mexico have proven that banned terms can slip through the government-imposed firewall for Internet surfing in China. Even with the occasional slip in security, most citizens still avoid searching for banned terms and concepts for fear that their Internet activity is being monitored by the Chinese government.


Financially Motivated Malware Thrives
As malware becomes more and more lucrative, software programs are being released that allow any unskilled hacker to earn a living sending spam. In September, a group of Russian hackers released a malware kit for $200 U.S. with information on how to become a master spammer.


Written by bardissi on October 4th, 2007 with no comments.

Smartphones Open the Door to New Mobile Threats

They are sleek, they are powerful, and they are a wish list standard.  Smartphones, like iPhone and BlackBerry, are creating a collective buzz that can be heard worldwide.

The hype is well deserved.  Mobile devices have matured and with their coming of age we now have capabilities that seemed far-fetched only a few years ago.  For employees and executives the world over, smartphones make corporate data and applications available anytime, anywhere.

But just as a smartphone is now capable of downloading data and applications wirelessly, so can it download viruses, spyware, even pornographic content, without a user’s consent.  The use of flash memory cards on some phones opens yet another door for malware to spread to these devices.

The threat is real and growing.  A recent PC World article reports that malware writers are ramping up their activity in the mobile arena, learning from proof-of-concept threats and fine-tuning the amount of user interaction required to propagate the damage.

According to SMobile Systems, a company that specializes in mobile security, there are over 400 wireless threats currently, and more are predicted to arise by year’s end.  The threats can take many forms.  Among the attacks are those that attempt to delete data, those that record a user’s phone calls, and those that send SMS text messages with links to malicious web sites.

It is a simple equation:  greater use equals greater exposure.  The explosion in smartphone use and the productivity gains that come with it have increased the security risks for corporations.  Given their functionality, smartphones should be treated as an extension of the computing network system, just as desktops and laptops are.

Until recently, enterprises were wary of pushing business applications onto mobile devices.  Security concerns were also a primary focus for corporate users given the potential consequences and cost of exposing sensitive data.  But strong demand has begun to turn the tide.  In this endeavor, it is critical that IT organizations address security issues early on.

Different types of suppliers are working to deliver solutions – smartphone manufacturers, mobile networks, and security vendors – and increasingly finding that by coming together they have a better chance to prevent security issues from compromising the uptake of mobile technologies.

Matt Hines from InfoWorld recently spoke with several security executives. From Kara Hayes, a senior product manager at Nokia, he reports that encryption is one solution that is generating great interest.  And from Scott Totzke, from Research in Motion, the maker of the BlackBerry, he reports that customers are increasingly demanding ways of protecting data. The InfoWorld article quotes Totzke on customers’ needs:  “They want tools to kill information or lock it down when a handheld is lost, they want to encrypt sensitive data in transit and at rest, and there are growing concerns about compliance.”

Providers of security solutions are extending their reach by working directly with mobile operators.  One of them, Finnish company F-Secure, offers security bundles through mobile operators, such as T-Mobile and Swisscom, and mobile handset manufacturers such as Nokia.

Time will tell if mobile threats escalate as it is assumed they will.  But following security best practices is a wise move in any case, whether you use a smartphone or any other type of computing device.

Written by bardissi on October 4th, 2007 with no comments.

Online Threats Get Personal

“We suspect an unauthorized transaction on your account.  To ensure that your account is not compromised, please click the link below and confirm your identity.”

An e-mail communication that reads like this has probably appeared in your inbox recently.  Sounds official, doesn’t it?  Judging from the header on the e-mail, a trusted source has sent it – a government agency, your bank, your Internet service provider.

What will you do?

Anytime you receive an online request for personal information, you should treat it with a healthy dose of suspicion.  What appears to be a trusted source may, in fact, not be what it claims to be.  Chances are high that you have become a target of a highly individualized and persuasive attempt to steal your personal information for malicious purposes.  Phishing, as this type of attack is called, has become increasingly common.

A phishing attack can originate when personal data is stolen. Not much is required.  Bits of data can be simple enough, such as your e-mail address, telephone number and birthday. But those bits hold the potential for creating a profile of you that can be easily expanded through access to other sources of online information.

Resumes and CVs are a reservoir of useful data.  As recently as August of this year, resumes and CVs were the target of an attack on Monster, a popular employment website.  The attack, which began with stolen login credentials, enabled hackers to gain access to the Monster site and gather the personal information of over a million of its users.  According to news agency Reuters, Monster responded by shutting the server that was used to access the information, and contacting the affected users.

But the Monster security breach was only the start of the phishing attack.

Phishing e-mails can be tailored to exploit the information at hand.  For example, a Monster user could receive an e-mail that claims to be from a recruiter.  Upon clicking a link in the e-mail, the user could be directed to a fraudulent website that looks legitimate. From there the possibilities for acquiring additional data are limitless.

Some phishing e-mails contain software that can harm your computer or others, or track your activities on the Internet without your knowledge.

How can you avoid being the victim of a phishing scam?   The U.S. government, through its OnGuardOnline.gov website and National Cyber Alert System, has some practical tips to keep you safe online.

Responding to E-mail – If you are not sure whether an e-mail is legitimate, try to verify its identity.  Contact the source directly using information you obtained previously (call a known telephone number or type in the correct web address) instead of using the information provided in the suspicious e-mail.

Providing Information – Do not provide personal or financial information in an e-mail, or by clicking on a link included in an e-mail. E-mail is not a secure form of communication and legitimate companies do not ask for information in that way.  Also, do not send sensitive information over the Internet before checking a website’s security policy or looking for evidence that your information is being encrypted.

To help identify a malicious website, take note of its URL and see if it uses a variation in spelling or domain (such as .com versus .net).

Checking your Records – Review your bank and credit card statements as soon as you receive them and check for unauthorized charges.  Since victims of phishing can also become victims of identity theft, check your credit report periodically to see if any new accounts have been opened in your name.

Reporting Phishing Scams – Report these by sending an e-mail to reportphishing@antiphishing.org.  The Anti-Phishing Working Group, a consortium of security vendors, financial institutions and law enforcement agencies, uses that information in its fight against phishing.
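The URL check suggested in the tips above (a variation in spelling or domain, such as .com versus .net) can be automated for links in incoming mail. The following is an added example, not part of the original article; the `TRUSTED` list, the sample URLs in the comments and the verdict names are constructed for illustration, and it also goes slightly beyond the article by flagging a trusted name used as a subdomain of another site.

```python
from urllib.parse import urlsplit

# Constructed allow-list: sites the user really does business with (assumption).
TRUSTED = ("example-bank.com", "monster.com")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str):
    """Return (verdict, trusted_domain_it_resembles_or_None) for a link."""
    # urlsplit().hostname drops any "user@" prefix, so a link written as
    # http://monster.com@login.example.org/ is judged by its real host.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Naive registered domain = last two labels. Production code needs the
    # Public Suffix List to handle suffixes such as co.uk.
    registered = ".".join(labels[-2:])
    if registered in TRUSTED:
        return ("trusted", registered)
    name, _, tld = registered.rpartition(".")
    for good in TRUSTED:
        good_name, _, good_tld = good.rpartition(".")
        if name == good_name and tld != good_tld:
            return ("tld-swap", good)        # .com versus .net
        if 0 < edit_distance(name, good_name) <= 2:
            return ("misspelling", good)     # e.g. m0nster.com
        if f".{good}." in f".{host}.":
            return ("embedded", good)        # trusted name used as a subdomain
    return ("unknown", None)


if __name__ == "__main__":
    for sample in ("https://www.monster.com/jobs",       # constructed samples
                   "http://monster.net/login",
                   "http://m0nster.com/",
                   "http://monster.com.account-verify.net/signin"):
        print(sample, "->", classify(sample))
```

A distance threshold of 2 suits names of about six characters or more; for very short names it produces false positives and should be lowered.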

Written by bardissi on October 4th, 2007 with no comments.