Friday, 4 January 2008
CA.com compromised / Zero-day RealPlayer flaw
The ISC reports that several websites have been compromised by a zero-day vulnerability in RealPlayer. The malware is hosted or routed via uc8010.com (currently down).
Surprisingly, one of the compromised web sites (since cleaned up) is ca.com (Computer Associates), who make the eTrust anti-virus product.
A Google search for uc8010.+com site:ca.com comes up with several dozen hacked pages, mostly press releases.
A look at a cached copy of the code shows a link to n.uc8010.com/0.js (don't visit this URL), which then loads the exploit.
Note that everything here is a .gif to stop virus scanners freaking out.
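For site owners checking their own pages for this kind of injected tag, the following added example (not from the original post or the ISC report) parses a page's HTML and lists script sources that point at the domain named above or at any other off-site host. The ca.com own-domain set, the sample page and the example.net host are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"uc8010.com"}  # indicator named in the post

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")  # None when the attribute is absent or empty
        if tag == "script" and src:
            self.sources.append(src.strip())

def host_of(src):
    # Absolute and scheme-relative URLs carry a host; relative paths return "".
    return (urlsplit(src).hostname or "").lower().rstrip(".")

def matches(host, domains):
    # Match the domain itself or any subdomain, but not look-alike suffixes.
    return any(host == d or host.endswith("." + d) for d in domains)

def audit_page(html, own_domains):
    """Return (blocked, offsite) script sources found in one page."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    blocked, offsite = [], []
    for src in parser.sources:
        host = host_of(src)
        if matches(host, BLOCKED_DOMAINS):
            blocked.append(src)
        elif host and not matches(host, own_domains):
            offsite.append(src)  # not a known indicator, but worth a manual look
    return blocked, offsite

# Constructed sample: a press-release page with one injected script tag.
SAMPLE_PAGE = """<html><body><h1>Press release</h1>
<script src="/js/site.js"></script>
<script src="//stats.example.net/t.js"></script>
<p>Body text</p><script src=http://n.uc8010.com/0.js></script>
</body></html>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_PAGE, {"ca.com"}))
```

Run against every page pulled from the content store rather than a single URL, since the search above shows the tag was inserted into many pages at once.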
To be fair, a lot of sites are compromised, including government bodies and large corporations. It just goes to show that there's no such thing as a "safe site" any more.