RealNetworks has recently issued a fix for a zero-day flaw in its RealPlayer software involving the import method of an ActiveX control.
Symantec had earlier warned users about the new zero-day ActiveX RealPlayer vulnerability that was actively being exploited by online criminals this week.
According to an alert issued by Symantec DeepSight Threat Management System, “The issue affects an ActiveX object installed by RealPlayer, accessible over the web using Internet Explorer. By instantiating the object and invoking a specific method an attacker is able to corrupt process memory and execute arbitrary code with the privileges of the browser,” ZDNet writes.
The attacks reported so far are limited to just a few websites and appear to target specific organizations. There have been reports that NASA banned the use of Internet Explorer because of this vulnerability.
In a post on its website, RealNetworks advises users of RealPlayer 10.5 and RealPlayer 11 (beta) to install the patch, which addresses a security vulnerability that could allow an attacker to run arbitrary or malicious code on their PC.
To ensure this security vulnerability is addressed, users of RealOne Player, RealOne Player v2 and RealPlayer 10 are also advised to upgrade immediately to RealPlayer 10.5 or RealPlayer 11 beta and install the available patch.
Macintosh and Linux versions of RealPlayer, as well as RealPlayer 8 and earlier versions of RealNetworks software for Windows, are not affected.