Winamp Flaw Allows Attacks
November 24, 2004
By Ryan Naraine
Users of America Online Inc.'s Winamp media player are at risk of remote
code execution attacks because of a flaw in the software, according to a
warning from a security research firm.
The flaw, which Secunia rates as "highly critical," has been reported in
Winamp versions 5.05 and 5.06. Prior versions also may be affected.
Security-Assessment.com, which is credited with finding the
vulnerability, said a malicious hacker could cause a buffer overflow in
various ways, the most dangerous being through a malformed .m3u playlist
"When hosted on a Web site, these files will be automatically downloaded
and opened in Winamp without any user interaction. This is enough to
cause the overflow that would allow a malicious playlist to overwrite
EIP and execute arbitrary code," the company said.
The vulnerability exists due to a boundary error in the "IN_CDDA.dll"
file," the company said.
Secunia recommends that users disassociate ".cda" and ".m3u" extensions
from Winamp until the vendor releases a fix.
News of the Winamp security issue comes amid reports that the last
members of the original Winamp team have said goodbye to AOL.
<http://www.eweek.com/article2/0,1759,1724485,00.asp> Only a few
employees remain to prop up the once-ubiquitous digital audio player
with minor updates, but no further improvements to Winamp are expected.
Winamp is maintained by AOL's Nullsoft division.
It is not the first time that security flaws have been flagged in
Winamp. Earlier this year, Nullsoft rushed out a critical fix
<http://www.winamp.com/about/article.php?aid=10605> for a vulnerability
found in the Winamp 3.0, 5.0 and 5.0 Pro versions.
That flaw was detected in the Winamp Skin installer mechanism and was
being exploited to automatically launch spyware applications without
PointerCheck out eWEEK.com's Security Center
<http://www.eweek.com/category2/0,1738,1237860,00.asp> for the latest
security news, reviews and analysis. And for insights on security
coverage around the Web, take a look at eWEEK.com Security Center Editor
Larry Seltzer's Weblog. <http://blog.ziffdavis.com/seltzer>
Copyright (c) 2004 Ziff Davis Media Inc. All Rights Reserved.