Attacks are actively exploiting a zero-day ActiveX vulnerability in RealPlayer, researchers warned today.
Javier Santoyo, senior manager of emerging technologies at Symantec Security Response, said the attacks appear limited in scope, but users nonetheless should take precautions.
"It hits RealPlayer, and RealPlayer is popular," he said. "And also it's unpatched."
When a user installs RealPlayer, the program installs a browser-helper object and an ActiveX control, which provide additional functionality when using the application in Internet Explorer. But the ActiveX control is flawed and permits attackers to pass long parameters and cause stack-based overflows, Santoyo said.
That results in the ability to execute arbitrary code and infect a victim's machine with a trojan downloader, he said.
RealNetworks spokesman Bill Hankes said that engineers are working on a patch "as we speak" and the company planned to provide a fix timeline today.
The vulnerability affects the most recent RealPlayer versions, 10.5 and 11, he said. The company has received no reports of compromised end-user PCs.
"We take any security vulnerability very seriously," Hankes said.
Santoyo said that in lieu of a patch, businesses can use any of several options to alleviate the threat. They can block the IP addresses used to perpetrate the attack, disable the browser prompt that permits active scripting to execute and set the kill-bit for the affected ActiveX control.