RealPlayer Zero Day Exploit Hits the Web

Last night we obtained a sample of a RealPlayer zero day exploit.  RealPlayer 11 Beta, 10.5, and older versions are affected.  Today’s DAT release, version 5145, contains detection under the name Exploit-RealPlay.a.  At this point, exposure appears to be limited, but we can expect public exploit code to surface before too long.  At that point exploitation is likely to follow the path of many other drive-by exploits and become fairly well distributed.

The vulnerability lies in a RealPlayer ActiveX control, and can be mitigated by setting the appropriate kill bit via the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\
ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} 

While we generally keep this blog research focused (and shy away from mentioning products), zero day exploit announcements seem half-done without some mention of information on how our products deal with the threat.

McAfee product coverage information will be sent out via a McAfee Avert Labs Security Advisory service shortly.  This includes coverage information for the following product lines.

• All McAfee virus scanning technologies that utilize the DAT files, including:
• GroupShield
• LinuxShield
• PortaShield
• Secure Internet Gateway
• Secure Messaging Gateway
• Secure Web Gateway 
• Total Protection (TOPS)
• VirusScan Enterprise
• VirusScan Online
• VirusScan Enterprise Buffer Overflow Protection
• Host IPS
• IntruShield
• Foundstone
• McAfee Network Access Control (MNAC)
• McAfee Policy Auditor and McAfee Remediation Manager compliance