[Original text] The RACInstaller.StateCtrl.1 ActiveX control in InstallerDlg.dll in RealNetworks GameHouse RealArcade Installer 220.127.116.111 performs unexpected type conversions for invalid parameter types, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted arguments to the (1) AddTag, (2) Ping, (3) QueuePause, (4) QueueRemove, (5) QueueTop, (6) RemoveTag, (7) TagRemoved, or (8) message method.
No Vendor Response
GameHouse RealArcade Installer contains a use-after-free error in the RACInstaller.StateCtrl.1 ActiveX control (InstallerDlg.dll) that is triggered when the dispatcher attempts to convert invalid input types supplied as arguments for certain methods. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and execute arbitrary code.
It has been reported that this issue has been fixed. Upgrade to version 3.0.7 or higher, which no longer configures the ActiveX control as 'safe-for-scripting'.
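To confirm on a given host that the control is no longer exposed to script, the registry can be audited for the 'safe-for-scripting' category and for an Internet Explorer kill bit. The following PowerShell is an added example, not part of the advisory or the vendor's tooling; the function name `Get-ActiveXExposure` is hypothetical, and it inspects registry-declared safety only (a control can also assert safety at run time through `IObjectSafety`, which this check cannot see).

```powershell
# Added example: registry audit of an ActiveX control's script exposure in Internet Explorer.
$ProgId = 'RACInstaller.StateCtrl.1'   # ProgID named in the advisory

# Well-known Microsoft constants: component category IDs and the kill-bit flag.
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C4A34}'
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C4A34}'
$KillBit             = 0x400

function Get-ActiveXExposure {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$ProgId)
    $hkcr = 'Registry::HKEY_CLASSES_ROOT'
    $hklm = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE'

    # Resolve ProgID -> CLSID (default value of the ProgID's CLSID subkey).
    $progKey = "$hkcr\$ProgId\CLSID", "$hkcr\WOW6432Node\$ProgId\CLSID" |
        Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $progKey) { return }   # control is not registered on this host
    $clsid = (Get-Item -LiteralPath $progKey).GetValue('')

    # Inspect the native and the 32-bit (WOW6432Node) views of the class.
    foreach ($view in '', 'WOW6432Node\') {
        $class = "$hkcr\${view}CLSID\$clsid"
        if (-not (Test-Path -LiteralPath $class)) { continue }
        $cats = "$class\Implemented Categories"

        # Kill bit: "Compatibility Flags" DWORD with 0x400 set stops IE loading the control.
        $compat = "$hklm\${view}Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
        $flags  = 0
        if (Test-Path -LiteralPath $compat) {
            $flags = [int](Get-Item -LiteralPath $compat).GetValue('Compatibility Flags', 0)
        }

        [pscustomobject]@{
            View                = if ($view) { '32-bit' } else { 'native' }
            Clsid               = $clsid
            SafeForScripting    = Test-Path -LiteralPath "$cats\$SafeForScripting"
            SafeForInitializing = Test-Path -LiteralPath "$cats\$SafeForInitializing"
            KillBitSet          = [bool]($flags -band $KillBit)
        }
    }
}

Get-ActiveXExposure -ProgId $ProgId | Format-List
```

No output means the ProgID is not registered; a row with `SafeForScripting = True` and `KillBitSet = False` indicates the control is still scriptable from web content on that host.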