Slashdot Mirror

← Back to Stories (view on slashdot.org)

WinXP and WinAmp Vulnerable to Malicious MP3s

Posted by michael on from the cruddy-music dept.

mypenwry writes "Foundstone, a Mission Viejo, CA security services company, is reporting several vulnerabilities that would allow malicious code embedded in MP3 and WMA files to be executed via WinXP and WinAmp. WinAmp versions 2.81 and 3.0 are vulnerable to buffer overflows via certain long ID3v2 tags when MP3 files are loaded. More troubling is the WinXP vulnerability: A buffer overflow exists in Explorer's automatic reading of MP3 or WMA (Windows Media Audio) file attributes in Windows XP. An attacker could create a malicious MP3 or WMA file, that if placed in an accessed folder on a Windows XP system, would compromise the system and allow for remote code execution. The MP3 does not need to be played, it simply needs to be stored in a folder that is browsed to, such as an MP3 download folder, the desktop, or a NetBIOS share. This vulnerability is also exploitable via Internet Explorer by loading a malicious web site. Explorer automatically reads file attributes regardless of whether or not the user actually highlights, clicks on, reads, or opens the file. Windows XP's Explorer will overflow if corrupted attributes exist within the MP3 or WMA file. Microsoft has issued a fix for this vulnerability. Nullsoft has posted fixed version of WinAmp 2.81 and 3.0 on their web site."

8 of 498 comments (clear)

  1. Buffer overflow yet again by graikor · · Score: 5, Interesting

    Why hasn't Microsoft just changed the way it handles buffers to eliminate the weekly discovery of yet another buffer overflow exploit that compromises security? It's obvious to just about everyone else that any buffer that doesn't ignore excessive input will be a problem in the future - why does Microsoft insist on treating each one of these issues as though it was a totally new problem instead of making a global change to secure the OS from this kind of hack?

    1. Re:Buffer overflow yet again by __aanonl8035 · · Score: 5, Interesting

      I just wanted to point people to
      a project that tries to catch buffer
      overflows under linux.

      freshmeat entry
      homepage

  2. So click the update button by AKnightCowboy · · Score: 4, Interesting

    Click the Windows Update button and reboot and you're fixed. Or if you're like many people, the fix has already installed during an automatic update check last night. This isn't really news unless Slashdot is merging with Bugtraq (Slashtraq? Bugdot?). Are we just posting this to bash Microsoft once again? Automatic updates were one of the best new features they added to Windows and they make life much easier. Oh and no, I don't wrap tinfoil around my head worrying whether Microsoft is going to invade my PC and lock me out of it.

  3. Versions?? by bconway · · Score: 5, Interesting

    Nullsoft has posted fixed version of WinAmp 2.81 and 3.0 on their web site."

    Is there a reason they haven't released a new version with the bugfix instead of just uploading a new copy with the _same release number and date_? Both versions are listed as released in early or middle August, and there's no bugfixes listed anywhere on the site in regards to this. Site. Are they trying to hide that it's been fixed, or just don't want anyone to figure it out?

    --
    Interested in open source engine management for your Subaru?
  4. WILL affect most people by gosand · · Score: 5, Interesting
    This is more of a curiosity than any sort of danger. Most of us, when we get a new mp3 file, give it a listen to make sure it's not mislabeled, doesn't cut off in the middle of the song, and sounds okay. We throw out or fix the ones that aren't up to our standards. So the number of people who would let one of these dangerous mp3s just sit there and be scanned is probably pretty small. And as is usually the case when something like this is discovered, they probably deserve what they get for being such idiots.

    I don't think so. I know people who download a lot of stuff, and if you have it set up to download 100 MP3s overnight, your system could be compromised by morning. Are you going to listen to those 100 MP3s first thing in the morning?

    The kicker is that the odds you get compromised go up greatly if someone seeds Kazaa, or even a web page, with an infected MP3 file. They can see who is downloading it so they know the IP to attack. On a web page, they could get your IP out of the logs. I never thought an MP3 file would leave a system vulnerable, but I guess that is why this is a pretty scary vulnerability - nobody else would either.

    --

    My beliefs do not require that you agree with them.

  5. The Next Nimda. by Deathlizard · · Score: 4, Interesting

    And I thought Nimda was bad.

    When all of the college students here on campus had read/write shares on the network, Nimda Spread at an alarming rate, Especially since WinXP Home decided that you SHOULD have your Shared Documents folder open for read/write access after running one of those networking wizards.

    I could only imagine the hell a Modified Nimda would be if it can now infect mp3 files. It wouldn't even have to spread infected .eml files anymore. you would just see a new MP3 in your read/write network share with thousands of other MP3's so you would never find it and it would infect all of your MP3's in your read/write network share. Once you open the folder to pick a song it runs and infects all of your mp3's on the PC, then goes out and proceeds to infect every mp3 it can write to on the network that has read/write shares and the process starts all over again while it formats your hard drive 7 days later.

    It's the RIAA Dream come true :P

    --
    In Soviet Russia, Trojan exploits YOU!
  6. Question for slashdot by Raul654 · · Score: 5, Interesting

    My advisor, DL Mills (the guy who invented NTP), said something a while back which this article somewhat reminds me of. He said that back in the day, people wrote operating systems in assembly. But the thing is, they just got way too f****** big and couldn't be maintained, even with the best of care. He said that today's operating systems are getting to that point as well, and maybe it's time for a new level of abstraction. Stuff like exception handling (amoung which automated buffer checking should be one), garbage collection, etc, should be built into the language, and leave the programmer to concentrate on more important things.

    So my question is, does anyone have any idea what this "new level of abstraction" might be?

    --


    To make laws that man cannot, and will not obey, serves to bring all law into contempt.
    --E.C. Stanton
    1. Re:Question for slashdot by frank_adrian314159 · · Score: 4, Interesting
      does anyone have any idea what this "new level of abstraction" might be?

      Lisp.

      There's even been an OS built in the language. Seemed to work just fine. Problem was, that in those days, you needed special purpose hardware to run a Lisp-based OS on. You don't anymore, but the code has been lost to people who could do something useful with it in the mist of time and bankruptcy. Google for Genera and OpenGenera. Hint - once the base code is built into the system, you cannot have buffer overflows, uncaught exceptions, or uncaught arithmetic overflows. It's a good environment (as I can attest, having it running on my Symbolics Lisp Machine at home).

      Oh yeah, they have a great OO database, decent graphics, and all of the web crap you'll ever need, too.

      --
      That is all.