Real Player Internet Explorer vulnerability

Martin Brinkmann
Mar 13, 2008
Updated • Dec 10, 2012

Internet Explorer with an installed version of Real Player beware. A vulnerability has been discovered recently which could allow remote code execution. According to Zdnet users should either switch browsers for the time until an patch is released or disabling killbits for two Active X classes. They forgot to mention the third option which would be to uninstall Real Player (temporarily).

Affected are all Real Player versions running under Internet Explorer. Microsoft has an article up that explains Killbits and what they do.

The kill bit is typically set for a reason that may be critical, and because of this, extreme care must be used when you unkill an ActiveX control. Also, because the following procedure is highly technical, do not continue unless you a very comfortable with the procedure and you it is a good idea to read the whole procedure before you start.

The CLSID for an ActiveX control is a GUID for that control. You can prevent an ActiveX control from running in Internet Explorer by setting the kill bit so that the control is never called by Internet Explorer when default settings are used.

The kill bit is a specific value for the Compatibility Flags DWORD value for the ActiveX control in the registry. This is different from revoking the "safe for scripting" option in an ActiveX control. When the "safe for scripting" option is revoked, Internet Explorer still calls for the control and then prompts you with a warning message that the ActiveX control may be unsafe. Depending on the choice you make, the control may be run. However, after the kill bit is set for an ActiveX control, that control is not called by Internet Explorer at all unless the Initialize and script ActiveX controls not marked as safe option is enabled in Internet Explorer. To set the kill bit, follow these steps:

They basically prevent Active X controls from being loaded in Internet Explorer. I still would recommend to either switch to Firefox or Opera temporarily or uninstall Real Player for the time until a security patch has been created.

Researcher Elazar Broad has posted to the Full Disclosure mailing list a so-called heap overflow vulnerability that makes it possible for an attacker to modify heap blocks after they are freed and overwrite certain registers.

The killbits that should be disabled are the following:

  • 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93
  • CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA

This will definitely have the effect that some Real Player functions will stop working properly.


Previous Post: «
Next Post: «


Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.