“Extremely Critical” Winamp Security Issue

That would be straight from the horse’s mouth, so to speak. Secunia issued an extremely critical security bulletin for Winamp. Let me tell you – that rarely happens. Your best bet is to upgrade your Winamp version to the latest – 5.13. The issue concerns boundary errors in playlist handling that cause buffer overflows and can give a malicious person control of your machine. Here is the complete warning that was issued by Secunia:

Some vulnerabilities have been reported in Winamp, which can be exploited by malicious people to compromise a user’s system.

1) A boundary error during the handling of filenames including a UNC path with a long computer name can be exploited to cause a buffer overflow via a specially crafted playlist containing a filename with an overly long computer name (about 1040 bytes).

NOTE: An exploit is publicly available.

The vulnerability has been confirmed in version 5.12. Other versions may also be affected.

2) A boundary error within the parsing of playlists (.m3u or .pls) can be exploited to cause a stack-based buffer overflow via a playlist containing an overly long, specially crafted filename.

The vulnerability has been reported in version 5.11 and does reportedly not affect prior versions.

The vulnerability is related to vulnerability #1.

3) A boundary error within the parsing of playlists containing a filename with a .wma extension can be exploited to cause a buffer overflow via a specially crafted playlist.

The vulnerability has been reported in version 5.094. Other versions may also be affected.

Successful exploitation of any of the vulnerabilities allows execution of arbitrary code on a user’s system when e.g. a malicious website is visited.

Solution:
Update to version 5.13.

NOTE: Vulnerability #2 was silently fixed in version 5.13. Vulnerability #3 was silently fixed in version 5.11.

(Source: Secunia)
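If you need to check playlists before opening them on a machine that has not been upgraded yet, the sketch below flags the oversized entries the advisory describes. It is an added example, not code from Secunia or Winamp; the function names and the two size limits (255 bytes for a host name, 260 bytes for a whole entry) are assumptions chosen for triage, not Winamp's actual buffer sizes.

```python
import re

# Assumed triage limits (not Winamp's internal buffer sizes):
MAX_HOST = 255    # longest valid DNS host name
MAX_ENTRY = 260   # Windows MAX_PATH

UNC_RE = re.compile(r'^(?:\\\\|//)([^\\/]*)')            # \\host\share or //host/share
PLS_RE = re.compile(r'^File\d+=(.*)$', re.IGNORECASE)    # FileN=... lines in .pls


def playlist_entries(text, kind):
    """Yield (line_no, filename) for each media entry in an .m3u or .pls body."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if kind == "pls":
            m = PLS_RE.match(line)
            if m:
                yield no, m.group(1).strip()
        elif not line.startswith("#"):   # m3u: '#' lines are comments / EXTINF
            yield no, line


def scan_playlist(text, kind):
    """Return (line_no, reason) findings for oversized playlist entries."""
    findings = []
    for no, name in playlist_entries(text, kind):
        size = len(name.encode("utf-8", "replace"))
        m = UNC_RE.match(name)
        if m:
            host_len = len(m.group(1).encode("utf-8", "replace"))
            if host_len > MAX_HOST:
                findings.append((no, f"UNC computer name is {host_len} bytes"))
                continue
        if size > MAX_ENTRY:
            findings.append((no, f"filename is {size} bytes"))
    return findings


# Constructed sample input: filler characters only, sized to trip the checks.
SAMPLE_M3U = "#EXTM3U\nC:\\music\\song.mp3\n\\\\" + "A" * 1040 + "\\share\\a.mp3\n"
SAMPLE_PLS = "[playlist]\nFile1=" + "B" * 600 + ".wma\nNumberOfEntries=1\n"

if __name__ == "__main__":
    print(scan_playlist(SAMPLE_M3U, "m3u"))
    print(scan_playlist(SAMPLE_PLS, "pls"))
```

A clean result only means no entry exceeded these limits; upgrading to 5.13 is still the fix.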


One Response to “Extremely Critical” Winamp Security Issue

  1. Joe Anderson

    On the TWiT podcast I heard some high-profile saying no one used Winamp, so no one cared. I use Winamp, I care.
