What I noticed from the fact that RealPlayer 10.5 Build: is not detected by Secunia PSI (RC3)

As I wrote in the 7/30 addendum, it is listed by Secunia Online Software Inspector, but in Secunia PSI (RC3), although it is no longer listed under Insecure Programs, it is not listed under Patched Programs either.

Update to the latest versions. Please see the vendor's advisory for details.

NOTE: Vulnerability #1 is not fully fixed in the updated RealPlayer 11.0.3 Build and users are advised to set the kill-bit for the ActiveX control.

2008-07-28: Updated advisory based on additional information from vendor and ZDI. Updated "Solution" section. Added additional affected software versions, CVE references, credits, and links in "Original Advisory" and "Other references" sections.
2008-07-29: Updated advisory based on additional information from Secunia Research showing that the updated RealPlayer 11.0.3 Build is still affected by vulnerability #1 when handling the "Controls" and "WindowName" properties. Updated status and "Solution" sections.

RealNetworks RealPlayer Multiple Vulnerabilities - Secunia Advisory:SA27620

I only noticed this now, but I have not removed the KillBit I had set, and yet,
Vulnerability Note VU#461187 RealPlayer file deletion overflow vulnerability - US-CERT

Disable Active X control

Setting the kill bit for the {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} CLSID may prevent this vulnerability from being exploited by a remote attacker. See US-Cert Vulnerability Note VU#871673 for more information on how to disable this control.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}]
"Compatibility Flags"=dword:00000400

Vulnerability Note VU#871673 RealPlayer playlist name stack buffer overflow - US-CERT
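To confirm that a kill bit like the one above is still in place, the following added example (not from the advisories or the original post) parses the text of a registry export and reports whether the 0x400 flag is set for a CLSID. It goes beyond the page by also checking the Wow6432Node view that 32-bit Internet Explorer reads on 64-bit Windows; the function names and the sample export are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re

KILL_BIT = 0x00000400  # the "Compatibility Flags" value used in the .reg fragment above

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\"
    r"Internet Explorer\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$",
    re.IGNORECASE)
FLAG_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{1,8})$',
                     re.IGNORECASE)

def kill_bits(reg_text):
    """Map (CLSID, view) -> True/False for each ActiveX Compatibility key."""
    result, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = None
            if m:
                view = "wow64" if m.group(1) else "native"
                current = (m.group(2).upper(), view)
                result[current] = False  # key exists, flag not seen yet
        elif current:
            f = FLAG_RE.match(line)
            if f:
                # Other flag bits may be set too; only bit 0x400 matters here.
                result[current] = bool(int(f.group(1), 16) & KILL_BIT)
    return result

def is_blocked(reg_text, clsid, views=("native",)):
    """True only if the kill bit is set in every requested registry view."""
    state = kill_bits(reg_text)
    return all(state.get((clsid.upper(), v), False) for v in views)

# Constructed sample export: kill bit set natively, missing in the 32-bit view.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}]
"Compatibility Flags"=dword:00000000
"""

if __name__ == "__main__":
    for (clsid, view), blocked in sorted(kill_bits(SAMPLE).items()):
        print(clsid, view, "kill bit set" if blocked else "NOT blocked")
```
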