関連
http://d.hatena.ne.jp/noushibou/20080726/1217023678
7/30 追記で書きましたが、Secunia Online Software Inspector ではリストアップされますが、Secunia PSI (RC3)では Insecure Programs にはリストアップされなくなったものの、Patched Programs にもリストアップされません。
Solution:
Update to the latest versions. Please see the vendor's advisory for details.
http://service.real.com/realplayer/security/07252008_player/en/NOTE: Vulnerability #1 is not fully fixed in the updated RealPlayer 11.0.3 Build 6.0.14.806 and users are advised to set the kill-bit for the ActiveX control.
RealNetworks RealPlayer Multiple Vulnerabilities - Secunia Advisory:SA27620
Changelog:
2008-07-28: Updated advisory based on additional information from vendor and ZDI. Updated "Solution" section. Added additional affected software versions, CVE references, credits, and links in "Original Advisory" and "Other references" sections.
2008-07-29: Updated advisory based on additional information from Secunia Research showing that the updated RealPlayer 11.0.3 Build 6.0.14.806 is still affected by vulnerability #1 when handling the "Controls" and "WindowName" properties. Updated status and "Solution" sections.
今頃気付いたけど、 設定してあるKillBitは解除していないけど、
Vulnerability Note VU#461187 RealPlayer file deletion overflow vulnerability - US-CERT
Disable Active X control
Setting the kill bit for the {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} CLSID may prevent this vulnerability from being exploited by a remote attacker. See US-Cert Vulnerability Note VU#871673 for more information on how to disable this control.
こっちの話だと、KillBit設定していないよなぁ。。。ってことで設定しておきますか。
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}]
Vulnerability Note VU#871673 RealPlayer playlist name stack buffer overflow - US-CERT
"Compatibility Flags"=dword:00000400
