I wrote yesterday about a zero day possibly targeting NASA. This morning Symantec posted news of a Real Player exploit on the loose.
“The issue affects an ActiveX object in the RealPlayer component ierpplug.dll.” While there is no patch available, you can set activeX kill bits. (Google for how to do that). I am deploying that in my enterprise now.
RealNetworks has issued a patch for this vulnerability that users can download here – http://service.real.com/realplayer/security/191007_player/en/
For more information about these patches and how the new RealPlayer has been improved, please visit the RealPlayer blog at http://www.realplayer.com/blog.
Matt Spragins
Real Networks
Yep, you guys got that out really fast. I blogged about that here: http://www.infosecblog.org/2007/10/real-fix-available.html but I neglected to set a trackback or update this post. I’ve had limited time this week.
thanks for the link to the real blog, I wasn’t aware of that.