Unpatched RealPlayer Vulnerability Being Exploited in the Wild

Sometime on April 1, our honeypots began finding exploits for the RealPlayer 'rmoc3260.dll' ActiveX Control Memory Corruption Vulnerability (BID 28157). Sadly, this is not surprising given that a complete exploit was published for this vulnerability around the same time. At the time of this writing, there is no patch for this vulnerability.

So far impacted sites have ranged from forums, to webmail, to news agencies.

Norton Internet Security 2008, Norton AntiVirus 2008, and Norton 360 version 2 customers will see this attack blocked by the existing MSIE RealPlayer rmoc ActiveX BOIPS signature. Some variants of this attack may be blocked as HTTP Internet Explorer Heap Spray Buffer Overflow. Additionally, antivirus signatures are available for Bloodhound.Exploit.182, protecting customers from threats attempting to exploit this vulnerability.

Update: It appears that this vulnerability has been patched within RealPlayer version 11.0.2 (build, which is now available for download. It contains version of the rmoc3260.dll file, which we have determined no longer contains the vulnerability. Current RealPlayer users can use the Check for Update utility, which will also install a version of the .dll file that is no longer vulnerable to this exploit.