Exploit code found serving from popular advertising site

RealNetworks Inc. said it would publish a patch later Friday for its RealPlayer media program to protect users from ongoing attacks. Less than 24 hours before, Symantec Corp. had issued a high-level alert that warned of a critical vulnerability in RealPlayer that could be used against anyone browsing the Web with Internet Explorer.

The bug came to light after the NASA space agency warned employees of a spike in attacks that it said originated from advertisements placed on “well-known” but unnamed news sites.

“Real has created a patch for RealPlayer 10.5 and RealPlayer 11 that addresses the vulnerability identified by Symantec on 10/18,” said Russ Ryan, RealPlayer’s general manager for product development, in a posting to a company blog today.

NASA knew first

Late Thursday, Symantec released a warning to customers of its DeepSight threat network that said an ActiveX control installed by RealPlayer was flawed. When combined with Microsoft Corp.’s Internet Explorer (IE) browser — which relies on ActiveX controls to extend its functionality — the bug can be exploited and malicious code downloaded to any PC that wanders to a specially crafted site.

Only systems on which both RealPlayer and IE have been installed are vulnerable.

Symantec hinted that it first found out about the vulnerability by reading a blog that had posted information about the bug Wednesday morning. The blogger, identified only as Roger, claimed that NASA had warned workers not to use IE because of an unspecified problem with RealPlayer.

On Friday, agency spokesman Mike Mewhinney confirmed Roger’s account. According to Mewhinney, who works at the Ames Research Center south of San Francisco, the alert went out Tuesday. Employees were told of a surge in security problems at Ames and other NASA centers, and informed that systems running IE and RealPlayer had been infected, apparently by malicious code downloaded after visiting legitimate sites.

“Recent indicators point to well-known news sites which may be hosting advertisements from ad servers that redirect the users to malware hosting sites,” the NASA warning said. Workers were also instructed to limit their use of IE to browsing NASA’s intranets, and to “Use non Internet Explorer browsers, such as Mozilla Firefox, Opera, etc., for sites external to NASA.”

Symantec ranked the attack as a “10” on its urgency scale because it confirmed that attacks were being conducted in the wild and that those attacks had resulted in malicious code being downloaded to victimized PCs. Originally, however, Symantec saw a silver lining; its Thursday warning read: “We are not currently aware of widespread exploitation of this issue.”

But then…

By Friday, however, Symantec had changed its tune.

After retracing attacks on one of its honeypots, Symantec said the exploit code was embedded in advertisements served by 247realmedia.com, a New York-based digital marketing company that’s part of WPP Group PLC, a U.K.-based marketing giant with revenues of $12.1 billion in 2006. WPP may be better known for some of the 200+ companies under its logo, including ad agency J. Walter Thompson (now JWT), and the public relations company Hill & Knowlton.

The ads served by 247realmedia, Symantec continued, were shown on Tripod.com, the Web hosting service owned by Lycos. Anyone running IE on a PC with RealPlayer also on board who then visited any Tripod-hosted site with a URL of the form “name.tripod.com” would end up infected.

“To emphasize the severity of this attack, [the ad-called script] is embedded and called in every tripod.com user webpage,” said Symantec in the Friday follow-up analysis.

Other evidence, said Symantec, indicated that attacks had been going on since at least Oct. 8.

Multiple versions of RealPlayer install the ActiveX control, including the current 10.5 and the beta of Version 11, the only two versions that will be patched. Users running older editions — including RealOne Player, RealOne Player v2 and RealPlayer 10 — must first upgrade to 10.5 or 11 before applying the patch.

The RealPlayer 10.5 and 11 patches are to post to the RealNetworks security page before midnight (Pacific) on Friday.
