Print this article  |  E-mail this article  |  Comment on this article

Critical Security Flaw Found in Winamp

By Nate Mook, BetaNews

January 30, 2006, 12:37 PM

UPDATED An "extremely critical" security vulnerability has been discovered in AOL's Winamp digital media player, relating to the way the software handles filenames that include a computer name. An exploit has already surfaced for the flaw, which affects version 5 of the software.

By late Monday, Winamp developers had already released version 5.13 of the software, which plugs the security hole.

According to an advisory by Secunia, the vulnerability "can be exploited to cause a buffer overflow via a specially crafted playlist containing a filename starting with an overly long computer name." A successful attack can lead to arbitrary code being run on a user's computer.

The problem was first reported alongside the exploit created by ATmaCA, and utilizes a specially crafted playlist file to overflow Winamp. The PLS file can simply be loaded remotely through an IFRAME on a Web site.

This isn't the first critical vulnerability to hit AOL's popular player. Last July, a bug was discovered in Winamp's handling of ID3v2 tags. That issue also involved a buffer overflow that could have led to a remote system compromise, but it required some user interaction.

Add a Comment (48 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By xyzcb1

posted Jan 31, 2006 - 3:11 PM

I think winamp version 3 and about just over done. Why not just stay as a basic music player. I still using 2.64, and it serve me well. Version 5 just over kill and it lags when go from song to song when you have a list of hundreds of songs.

Score: 0

By GimieGimieGimie

edited Jan 31, 2006 - 9:20 AM

Running latest version of Winamp (v5.13) on my Pentium II 266mhz laptop running Windows Server 2003, playing a a list of over 50 songs and Windows Task Manager reports a CPU usage between 1-4% and a memory usuage ranging from only 2,560k - 3,664k running a classic Winamp v2.0 Skin.

This is exactly why i love Winamp & have always loved Winamp since i first installed it back in 1998, it does its job with lots of features/options to choose from & does it with minimum fuss and system resources.

My deal has always been this:

WMP for video.
Winamp for music.

My choice of formular for the past 8 years & it has never let me down. Winamp has always been s*** at video, i don't know why they even bothered other then they was bored.

To be quite frank, i can't believe AOL hasn't completely bloated this thing to high heavens yet!

Fingers crossed, they never will.

Score: 0

By rijp

posted Jan 31, 2006 - 12:05 PM

PII? Dude, this is the 21st century.

Score: 0

By GimieGimieGimie

posted Jan 31, 2006 - 5:25 PM

lmao, you would be shocked how much a pentium II can actually do!

I dug it out of the attic a year or so ago, and with a 5GB hd and 192mb ram, I've got it running Windows Server 2003, full office applications, playing gigs of music, porn, wireless internet.

It's a little slow at multi-tasking obviously, but seriously, a lot of today's computers power is purely for gaming and video editing.

Score: 0

By joeshmoe7

posted Jan 31, 2006 - 1:31 PM

totally... time to overclock it to 300!

Score: 0

By shicaca

posted Jan 31, 2006 - 1:59 AM

I stopped using that POS when they decided to make a non-skinned version of it take longer to open than WMP, and take just as long to open as iTunes. If iTunes worked with WMA files and could handle most video types, I'd use that solely, but for now I use three of them and am very happy. To hell with AOL and to hell with Winamp

Score: 0

By ryusen

posted Jan 31, 2006 - 1:22 PM

the version 3.x series was just horrible, after they released the 5.x series it was more like the old winamp again, but with the media lib, which is really nice.

Score: 0

By rijp

posted Jan 31, 2006 - 12:06 PM

Good don't use it. winamp is the best. Period. Obviously you have a problem, the rest of us Winamp lovers don't.

Score: 0

By chrisjpopp

edited Jan 31, 2006 - 12:26 AM

Might I suggest www.9412.com for Classic Rock That Matters? The station's been around for over 6 years and have live dj's.

oh yeah - they got a chat room and message board too... along with 15,000 songs in the music library.

Score: 0

By Fickleflame

posted Jan 31, 2006 - 10:25 AM

relevance?

Score: 0

By rijp

posted Jan 31, 2006 - 12:06 PM

SPAM!!

He is advertising, maybe he gets a kick back.

Score: 0

By Bains

edited Jan 30, 2006 - 6:23 PM

Winamp 5 with MMD3 skin and i am a happy camper. Other media players can't touch it.

Score: 0

By wincement

posted Jan 31, 2006 - 12:06 AM

What about XMPlay with the MMD3 skin? =)

Score: 0

By rijp

posted Jan 31, 2006 - 12:08 PM

Like the man said, other media players can't touch it...

Winamp is king, get used to it.

Score: 0

By ZenWarrior

posted Jan 30, 2006 - 5:31 PM

Winamp 5 Full 5.13, the now-fixed version, is available here at FileForum for download. (That was fast!)

And, I'll likely be using Winamp until they pry it from my cold dead hands. I continue to try others (e.g., JetAudio, Quintessential, etc.), but always seem to come back to good old Winamp. If nothing else, its auto-stop for incoming Skype calls will keep it in the running for me. (And if there are other players that do that, I'd very much like to know what they are. TIA.)

Score: 0

By drumcat

posted Jan 30, 2006 - 4:50 PM

2.95 is still, by far, the champ.

Score: 0

By crashoverride

posted Jan 31, 2006 - 1:12 AM

aaa yes, the good ole days. I believe I still have an installer for it. I may have to dig it up.

Score: 0

By kholdstare

posted Jan 30, 2006 - 4:59 PM

ok i guess i'll use it then just let me open winamp 5 and make it a classic skin.. there now i have winamp 2.9x on my PC

Score: 0

By drumcat

posted Jan 30, 2006 - 8:23 PM

While you're skinning your latest unsafe code, just know that you're just pretending to be 2.95. ;)

Score: 0

By lokanetra

posted Jan 30, 2006 - 4:09 PM

I'm using winamp 5.2 build 359 beta.

Works like a charm.

Score: 0

By rijp

posted Jan 31, 2006 - 12:09 PM

Good man.

Score: 0

By bourgeoisdude

posted Jan 30, 2006 - 4:06 PM

Never used Winamp--well did on someone elses' computer for playing an mp3 once or twice but that's about it. Why learn something new when all I need is doable in WMP Classic and WMP 10? (yep I use MS, it's what I'm used to and it does what I want. Go ahead and bash away)

Score: 0

By spiffyjeff

posted Jan 30, 2006 - 4:58 PM

"yep I use MS, it's what I'm used to and it does what I want. Go ahead and bash away"

Hey, do what you wanna do, I'm sure you already know that MP Classic is not MS, and it is Open Source Software (OSS), and it does work pretty damned good :-)
http://sourceforge.net/projects/guliverkli/

Score: 0

By bourgeoisdude

edited Jan 30, 2006 - 6:17 PM

Yes I did, however when I say "MP Classic" I am actually refering to Windows Media Player 6.4x from microsoft. I do use WMP Classic on my XP system when WMP10 can't play the 8-bit mono audio files (Why is that? Two different installs of XP PRO and one x64 bit edition and NONE of them can play the simple 8-bit mono .wav files), but my Win2k I stick with WMP 6.4. Yes the _original_ Windows 2000 CD (w/no service packs) came with WMP 6.4, and I love it.

Also love not having to install the bloat known as Sun Java--MS hasn't had a single exploit reported in msjava since a month before the lawsuit and my parent's Dell system can't stop getting errors with the blasted java plug in, no matter the version. Using XP Gold CD and then upgrading to SP2 (where msjava runtime stays on the system) I have yet to have any problems or errors that are Java related. Also no exploits.

Sorry for the tangeant just had to get that stuff outta my system...

Score: 0

By klingon379

posted Jan 31, 2006 - 2:33 AM

How did you get a WinXP gold CD that has MS Java? I preordered WinXP directly from Microsoft before it came out and my copy of WinXP doesn't have MS Java on the CD. At the time it was an Install on Demand download in Internet Explorer 6.

Windows 2000 was the last version of Windows to include MS Java on the installation CD.

Score: 0

By rijp

posted Jan 31, 2006 - 12:11 PM

Depends on when you got it. There was a time when XP came with Java, then it was removed, then it was replaced. SP1 no java. There was even a java removal tool. There was a SP2, with no java about the time Sun decided MS could pay them to have it, SP2 official release has Java.

So depending on which version of XP you have, some have Java, some don't... So its possible.

Score: 0

By leojei

posted Jan 31, 2006 - 10:15 AM

If you're ordering it now, more-likely you'll get a XP cd with SP2 in it, which has JVM removed during the slipstream. But if you ordered the cd back in 2001 or 2002 before SP1 is out, then you'll get that JVM.

Score: 0

By bourgeoisdude

posted Jan 31, 2006 - 10:54 AM

Technically, The whole SP1 vs SP1a is where MSJava disappeared. The original SP1 was only available for download a month before SP1a replaced it though--only saying it is possible a slipstreamed SP1 CD could have had msjava, but very unlikely as it was nuked once SP1a came out.

Score: 0

By asellus

posted Jan 31, 2006 - 2:42 AM

My Windows XP vanilla CD from 2002 does have MS Java engine.

Score: 0

By apexracer

posted Jan 30, 2006 - 2:43 PM

winamp is by far my preferred player - hope all goes well for them with this.

Score: 0

By DJGM

edited Jan 30, 2006 - 2:34 PM

How does this affect those of us that still prefer to stick with Winamp 2.9x?

Score: 0

By kholdstare

posted Jan 30, 2006 - 2:19 PM

I don't get how People say Winamp is outdated. I guess i can understand the media player thing but every other player out there now is like a fullscreen music player and I hate those kind.I love Winamp because it is so flexable and when AOL does finally kill it people will still be making plugins for it to keep it up to date.

Score: 0

By Desides

posted Jan 30, 2006 - 3:04 PM

People say Winamp is outdated because it isn't updated every week, and because it IS an old program. Winamp 5 is pretty damned good, and against the likes of Foobar2K and iTunes, that's quite an accomplishment.

I wish AOL would port the thing to OS X. Leaving Winamp (and its plugins) behind is one of the things preventing me from getting a Mac.

Score: 0

By bobthegoat2001

posted Jan 30, 2006 - 10:34 PM

But then it really wouldn't be Winamp. They would have to call it Macamp.:)

Score: 0

By Desides

posted Jan 31, 2006 - 9:29 AM

Macamp is fine with me. I just want it on OS X.

Score: 0

By kholdstare

posted Jan 30, 2006 - 5:04 PM

a operating system or a virus program I can understand but why would a media player need to be updated every week?

Score: 0

By panic82

posted Jan 30, 2006 - 1:30 PM

Wow big surprise. Winamp was once a great audio player, but that was a long time ago...

Score: 0

By rijp

posted Jan 31, 2006 - 12:15 PM

Obviously you don't keep up. winamp may have had early problems, but its been fixed. Its now the best media player..

Just because software didn't work a long time ago, doesn't mean it can't get better. Every software benefits from mistakes if they are smart.. Winamp has taken advantage of better technology, and its now the best.

Score: 0

By Desides

posted Jan 30, 2006 - 3:02 PM

Winamp is still a great audio player.

Score: 0

By PC_Tool

posted Jan 30, 2006 - 1:41 PM

foobar.

Score: 0

By zee7

edited Jan 30, 2006 - 9:35 PM

2nd. Foobar is fast, clean, and lean, but you can pork it up to look nice & pretty if you like. Hasn't ever had any critical security flaws either as far as I know.

Score: 0

By xpose

posted Jan 30, 2006 - 1:22 PM

"Secunia recommends the use of a different media player software for the time being, although users can mitigate any risk by not visiting any unknown Web pages."

Such a wordy sentence for saying its NOT a big deal. Not too many people aim to take advantage of vuln winamp users. People love winamp. Malicious users won't take advantage of users of software they like. So this is hardly a critical problem =\

Score: 0

By expert01

posted Jan 30, 2006 - 1:32 PM

Yeah, what's the point of exploiting vulnerabilities in really popular software?

Score: 0

By rijp

posted Jan 31, 2006 - 12:18 PM

Umm.. to ensure thay they are working properly? Duh!

What's the point of testing products, to make sure they work the way they are supposed to..

Problem solving isn't your strong suit is it?

Score: 0

By benski

edited Jan 30, 2006 - 2:16 PM

A patched in_mp3 is available from
http://www.winamp.com/in_mp3.dll

Place this file in C:\Program Files\Winamp\Plugins.

An updated version of Winamp should be available by the end of the day.

Score: 0

By se7en11

posted Jan 30, 2006 - 1:46 PM

Mirror: http://www.se7en11.com/temp/in_mp3.dll

Score: 0

By nant`

posted Jan 30, 2006 - 3:06 PM

Winamp 5.13 released.
http://forums.winamp.com...?s=&threadid=236744

Score: 0

By arossetti

posted Jan 30, 2006 - 3:25 PM

Well, THAT was quick :)

Score: 0

Nov 21 - 9:29 PM ET Hurd's the word in Ballmer's e-mail nightmares

Nov 21 - 6:51 PM ET Coalition urges better laws for e-mail and cell phone privacy

Nov 21 - 6:42 PM ET How is Internet advertising faring in this bad economy?

Nov 21 - 6:15 PM ET From out of the Amazon Cloud, an AWS winner emerges

Nov 21 - 5:20 PM ET Mufin music finder enters public beta, adds widgets

Nov 21 - 5:01 PM ET Google launches its SearchWiki semantics plug-in

Nov 21 - 4:57 PM ET Asus previews a slimmer, less costly Eee PC

Nov 21 - 4:32 PM ET New Adobe Media Player ushers in AIR 1.5

Nov 21 - 2:11 PM ET AT&T to add Pantech's low-cost C630 phone to 3G lineup

Nov 21 - 1:11 PM ET iPhone gets firmware 2.2 update