While RealPlayer is not as widely used on adult entertainment websites as are other video technologies, such as Windows Media Player and Adobe’s Flash Video, the attack is still cause for concern amongst website operators.
The vulnerability was reported by security expert Evgeny Legerov of GLEG Ltd., and according to SANS’ Scott Fendley involves “JavaScript obfuscations, multiple I-frame redirectors to and from internal pages, and scripts within the domains.”
An unspecified error that can cause a buffer overflow in the handling of playlist names is blamed for the vulnerability, which can allow remote hackers to execute arbitrary code; inflict denial of service attacks; or even completely control affected systems.
There is currently no reported remedy for this vulnerability other than limiting user’s multimedia playback to systems other than RealPlayer.
According to SANS, the attacks are coming from files named 0.js and r.htm, and hosted on the uc8010.com, ucmal.com and rnmb.net domains; although files and domains are subject to change as the problem is being pursued.
Blocking these domains is highly recommended, as is removing the RealPlayer software.
“The campaign's success entirely relies on the eventual presence of RealPlayer on the infected machine,” Dancho Danchev, an Internet security consultant, said.
According to SANS, the embedded exploits are turning up on social networking sites such as MySpace and have compromised numerous websites, including governmental and educational sites, as well as the website of security software vendor CA.