Slashdot Mirror

← Back to Stories (view on slashdot.org)

WinXP and WinAmp Vulnerable to Malicious MP3s

Posted by michael on from the cruddy-music dept.

mypenwry writes "Foundstone, a Mission Viejo, CA security services company, is reporting several vulnerabilities that would allow malicious code embedded in MP3 and WMA files to be executed via WinXP and WinAmp. WinAmp versions 2.81 and 3.0 are vulnerable to buffer overflows via certain long ID3v2 tags when MP3 files are loaded. More troubling is the WinXP vulnerability: A buffer overflow exists in Explorer's automatic reading of MP3 or WMA (Windows Media Audio) file attributes in Windows XP. An attacker could create a malicious MP3 or WMA file, that if placed in an accessed folder on a Windows XP system, would compromise the system and allow for remote code execution. The MP3 does not need to be played, it simply needs to be stored in a folder that is browsed to, such as an MP3 download folder, the desktop, or a NetBIOS share. This vulnerability is also exploitable via Internet Explorer by loading a malicious web site. Explorer automatically reads file attributes regardless of whether or not the user actually highlights, clicks on, reads, or opens the file. Windows XP's Explorer will overflow if corrupted attributes exist within the MP3 or WMA file. Microsoft has issued a fix for this vulnerability. Nullsoft has posted fixed version of WinAmp 2.81 and 3.0 on their web site."

7 of 498 comments (clear)

  1. Uh Oh by Jaysyn · · Score: 5, Insightful

    I hope no one tells the RIAA about this. They will be putting landmines in P2P soon.

    Jaysyn

    --
    There is a war going on for your mind.
  2. Re:won't affect most people by Jucius+Maximus · · Score: 5, Insightful
    "This is more of a curiosity than any sort of danger. Most of us, when we get a new mp3 file, give it a listen to make sure it's not mislabeled, doesn't cut off in the middle of the song, and sounds okay. We throw out or fix the ones that aren't up to our standards. So the number of people who would let one of these dangerous mp3s just sit there and be scanned is probably pretty small."

    That average person does not notice when a backdoor app is covertly installed on their machine. As long as the mp3 is actually what they wanted, chances are they will keep sharing it.

    The even more dangerous part is that someone could be downloading mp3s and LOOKING for these trojans. And as soon as they find one, they can just go back to the IP of the machine they got the file from and have an instant DDOS zombie!

    Or even better, if I am an RIAA employed disturber-of-the-peace, I could create a bunch of these trojaned mp3s share them, and then whenever someone downloads it from my machine I could instantly use the backdoor to destroy their music collection. (But I'm sure the RIAA has already thought of that.)

  3. In defense of Microsoft... by MacAndrew · · Score: 5, Insightful

    Oh, just kidding. :)

    I would like to ask for factually-based opinions whether these innumerable highly dangerous security holes in MS software are more the result of the ingenuity of the hackers or the incompetence of the Microsoft design and testing process, or about 50:50. I am inclined to be prejudiced against Microsoft, so I would be REALLY interested in hearing reasoned defenses of their predicament, if such exist.

    So, please, no MICROSOFT RULZ!!! or MICROSOFT SUX!!! I'm not asking for a vote.

    Microsoft provides the #1 small-system OS, for better or worse, which means Windows will immediately be the hot target for black-hat types intent on spreading misery or demonstrating their hatred for the leviathan.

    I know, too, that half the problem has been MS's arguably foolhardy decisions in adding dubious extensions to their software, like default enabling scripting in Outlook and macros in Word. But I'm kind of curious about the mistakes in doing their core work, like handling MP3's.

    Last, I have trouble understanding how so many of these bugs come from a company with many of the brightest programmers. Is it a largely problem of scale and bureaucracy?

    Share your concise insightful informative nonprofane fact-based reactions from experience? :)

  4. Re:So click the update button by div_2n · · Score: 5, Insightful

    So if NT SP4 had been automatically updating servers and workstations everywhere, that would have been a good thing?

    You couldn't pay me to have my system automatically update itself with patches tested quite possibly only from the company that created it.

    I would rather my system be vulnerable for a day or two than have the contents of my hard drive obliterated.

    What if some patch disabled a computer's networking? What is Ma an Pa gonna do when that is the only computer they have? Download a fix using broken networking?

    IMHO, automatic updating is a monumental disaster waiting to happen.

  5. Re:So click the update button by MacAndrew · · Score: 5, Insightful

    Like another poster I am very wary of updates to anything. Not needing a security patch in the first place is a heckuva lot better than beta testing a hastily written patch for free. Then there are th people who get nailed in the interim.

    Also, on my [platform] I have seen only a few security updates a year on a young OS, some addressing obscure services I don't even use. What's the deal with MS? Why sweep this under the rug?

    I don't buy that automatic bandaids are the answer to hemmoraging code.

  6. Re:What if this IS the plan? by Didion+Sprague · · Score: 5, Insightful

    Which brings me to a slightly off-topic question (but not that far off-topic): won't it take just a single compomised DRM file on whatever platform to completely send the whole DRM concept -- at least the generation with the single compromised file -- down the toilet?

    I mean, it would seem to me that Microsoft's DRM -- or DRM in general -- is based somewhat on "human" trust. Once that trust is abrogated -- just once -- the whole thing spirals into a "well, it's still pretty secure" type of situation -- and then sprials into "wait'll next generation's DRM. It'll be secure as hell."

    I know no cryto scheme is 100% -- at least in theory -- but because the consumer/DRM stuff is being built up and hyped so much lately, it seems that its potential -- potential for complete security, potential for complete failure -- far outstrips the more practical, usability/crackability aspects.

    And then I wonder: once this sort of consumer/DRM is launched mainstream, it'll become -- eventually -- embedded into the economic model for distribution. But once this DRM stuff is cracked or broken or whatever happens, the DRM itself will fall apart, as well the economic model. And companies who go balls-out to invest in this stuff -- and work hard to secure the "human" trust aspect of it -- will be in dire, dire straits -- economically, technologically, you name it.

    DRM is like a massive WMD waiting to be let loose. It's failure -- assuming it fails at least once a generation -- will sink more companies than I think anyone realizes.

    Just some thoughts.

  7. Re:XMMS too. by Ducky · · Score: 5, Insightful

    Really? Where's the bug report? I don't see anything on bugs.xmms.org.

    Sorry for sounding like an a-hole, but an AC exclaiming a bug in a product, no follow up on the product's web site, and no other info sounds very suspect to me.

    -Ducky