Beware of RealPlayer ActiveX flaw

Danish vulnerability clearinghouse Secunia is warning of a newly discovered security hole in the massively used RealPlayer application. The “highly critical” flaw, disclosed by researcher Elazar Broad, is unpatched at this point.

“The vulnerability is caused due to an error within the RealPlayer ActiveX Control (rmoc3260.dll) when handling the ‘Console’ property,” Secunia said in its SA29315 advisory. “This can be exploited to cause a memory corruption and execute arbitrary code when a user e.g. is tricked into visiting a malicious website.”

Secunia confirmed the flaw in RealPlayer version 11.0.1 (build 6.0.14.794) including rmoc3260.dll version 6.0.10.45. Other versions may also be affected, the firm warned.

Until a patch is released, users are advised to set the kill-bit for the affected ActiveX control.