WinAmp Security Hole Discovered, Patched
Sbarbero writes "According to Techworld.com, a significant security hole has been discovered in NullSoft's WinAmp, meaning everyone should upgrade to the 5.03 version the makers have just put out right now. Security company NGS has found that the exploit 'can be activated remotely simply by rendering a specially crafted html document' and will run arbitrary code - they have a full advisory on their site." Oddly enough, the vulnerability is in the playback for the classic .XM 'tracker' music format.
But the press release says it affects ALL versions of WinAmp.
Systems Affected: Nullsoft Winamp versions 2.91 to 5.02 (possibly older versions, although this is not confirmed)
Last time I checked, Winamp 5 used much the same amount of system resources as Winamp 2.
Winamp 3, on the other hand, is a whole different ball game.
The Human Cow - bringing you scrumtrelescence since 1995
Just do what I did, on 2.80:
Delete in_mod.dll from the "Plugins" directory.
Hole: Patched.
Who uses MOD/XM files anymore anyways?
It's hard for thee to kick against the pricks.
I use Irfanview with the "all plugins" patch to play MP3 files and streams. Great light footprint media player and image viewer.
More music, fewer hits
You can always upgrade to http://www.foobar2000.org/ instead. No more nonstandard interface, a decent mass-tagger, excellent replay-gain support, etc. What's not to like?
Belief is the currency of delusion.
You can .XM files into a HTML document and if WinAmp is set as the handler for that MIME type, it will probably automatically launch it (or something).
It doesn't just affect people who use the minibrowser. If you have Winamp set up as the default program for xm files, you're vulnerable. All someone would have to do is redirect the web page to a malformed page that sends a Content-Type: audio/xm (or whatever) header. This would execute Winamp, attempt to load the location, and cause problems.
You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
winamp3 was the bloated piece of crap. winamp5 is not a bloated piece of crap. they dropped wasabi. please check your facts before making posts.
You are probably not using the Classic skin then. I had the new modern skin turned on and it's a real pig. Go back to the Classic skin though and Winamp5 becomes the same as Winamp2
I used to track mods on the Amiga (protracker) and PC (Fast Tracker2). It was a fairly common occurrence for people to load text/image files into songs as a playable instrument within a music module. You could then transfer the module (which contains both the instrument samples & the pointers to the coded music (it's all addressed through HEX!)) and then extract the datafile (save instrument as...) then view it in your favorite image viewer or text editor....
FYI:
Data files as instruments do not really sound as cool as you'd think though. If the file has header info, that's where you'd find the most variety and interesting sounds...
check out the "modarchive". it's widely used, but mostly in game software or by Amiga fetishists.
Since version 2, Winamp has been notorious for playing MOD, XM, S3M, and related files inaccurately. It fudges up a lot of the effects, particularly portamento (note slide) and key-off commands. You all should be using ModPlug Player to play these formats! It ain't perfect but it's the best Windows player there is.
Why get this player? So that you can drink deeply from the cup of BBS\Internet history! Check out some MOD sites and dig some chippy goodness!
SHAMELESS PLUG -- Be sure to scope out my MODs as well!
If for some reason it is impossible to download the updated version of Winamp, the vendor has informed NGSS that it is possible to disable the handling of Fasttracker 2 module files by taking the following steps:
1. Right click the Winamp player, go to 'Options' and then to 'Preferences...'.
2. In the new window which loads, go to 'Plug-ins' and 'Input'.
3. Look for the input plug-in items 'Nullsoft Module Decoder' and double click it to bring up the 'Nullsoft Module Decoder Preferences' window.
4. Select the 'Fasttracker 2' loader and deselect the 'Enabled' checkbox to the right of the loaders list.
5. Close all of the option windows and return to the main player.
back before mp3 was an option MODs were the shit. XM in particular had numerous things going for the format, including a nicely designed tracker (Fasttracker 2). I was into modding and tracking myself, but i stuck to Impulse Tracker. both programs are quite similar.. but to answer your question, is this a widely used format? it was. the digital music archive has numerous xm songs, if you're an unbeliever. i'm sure google has something to say about XM too.
Sig (appended to the end of comments you post, 120 chars)
Yes, according to the notice:
Systems Affected: Nullsoft Winamp versions 2.91 to 5.02 (possibly older versions, although this is not confirmed)
"Can of worms? The can is open... the worms are everywhere."
Or you can follow the instructions at http://www.nextgenss.com/advisories/winampheap.txt to disable xm at a lower layer. (This is from a link from the techworld article.)
Knulla Kuk by Moby (the original Moby!)
Space Debris by Captain
Variations by Jogeir Liljedahl
Capslock by Mick Rippon
Jaunt by Wolfsong
These are just a few of many high-quality tracks that are out there. It's worth giving some a listen sometime!
Just do a minimal install of 5.03 (without letting it integrate into the shell, etc) and copy the new in_mod.dll from /winamp5dir/plugins to /winamp2.91/plugins..
While you're at it; all the new and updated input plugins (in_mp3, in_midi, etc) seem to work just fine in 2.91.
Winamp is pretty much XMMS... It does video too.
/ mp3/frank el1.html
I recommend it as an audio player, but I like Media Player Classic for video.
history of Winamp:
http://www.time.com/time/digital/reports
Actually I think the fellows who made XMMS wanted a Linux version of Winamp... in fact XMMS skins are the same format as the old winamp skins.
Anyway... I like it well enough... I think it's suffered from bloat since Frankel sold NullSoft to AOL, but it's all good.
Get Winamp 2.X if you want just a good audio player.
Don't get Winamp 3 as it sucks memory like mad and has no real benefits.
Winamp 4 doesn't exist.
Winamp 5 is kinda like what Winamp 3 was supposed to be. It supports the pretty (and useless IMHO) new skins and is also very stable. It also has very nice internet TV video streaming. I run Winamp 5 because I have a Gig of memory and am not bothered by its 10-20 meg footprint.
There are also a whole heck of a lot of plugins for winamp to do various things like controlling it via remote control, ripping audio streams off the web and even have a little character dance on the screen.
-Derick
last time I checked WMP didn't cost anything either.
Any program distributed only with Microsoft Windows costs 150 USD or so for a Windows XP Pro OEM license. So does any Win32 program designed to bail if it detects Wine.
Who uses MOD/XM files anymore anyways?
For starters, most GameBoy Advance music is composed in those formats.
Holy shit! Here's a reason not to upgrade:
in requirements:
500MHz Pentium III or comparable
One of the systems that I use winamp on is a Pentium-133 laptop that sits on my entertainment center and plays mp3's thru my stereo.
Why does it take a PIII-500 to play mp3's? It seems to be working fine on the p133 right now. Seems to me like too much extra bloat...
Place sig here.
This quality karma whoring brought to you by toqerTV
Hot off #nullsoft
i don't even think the exploit is in our code
ron, is the exploit in the decoder?
isn't it in mikmod
When is the Mac version of this exploit coming out?
I am so tired of waiting.
hehe
i don't think we even wrote that xm decoder
*** Quit: statsbot (Ping timeout: 180 seconds)
*** Join: DrunkenMaster (DM@adsl-66-159-200-78.dslextreme.com)
`steev: the exploit was in the mikmod library that's used by in_mod for xm decoding
so its not even our code heh
yeah
there you go
it's not even our fault the exploit exists
So this isn't even a winamp bug, it's a mikmod bug.
Also modplug plays more formats and is better, although is win32 only
There's a port to XMMS. Works for me.
-Stephen
http://download.nullsoft.com/winamp/client/winamp2 81_full.exe
At least they still host it. (you can also s/full/lite in the URL)
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Don't ever worry about individual Winamp plugins. They are self-contained and can be moved around at will. With the "in_***.dll" plugins, all that happens when you move them out is that you can't play the file types that they support. Move them back in, and you can play them again. Easy.
Just pull it out of your plugins folder and store it where you can find it, rather than renaming it. Just make a Winamp\Disabled directory, for instance.
Supported input formats:
;-)
* MPEG-4 AAC
* MP3
* MP2
* Musepack
* Ogg Vorbis
* WAV
* AIFF
* VOC
* AU
* SND
* CDDA
* FLAC
* Monkey's Audio
* WavPack
* Speex
* Mod
* SPC
* TFMX
* Shorten
* OptimFROG
* LPAC
* WMA
* AC3
* PSF
* NSF
* SID
* XA
* Matroska
picky picky...
I don't expect one program to do everything (well unless its EMACS). But you are right that there are some audio formats that still need work. However, for most users (most of their audio is in mp3 or some ogg) I think foobar2000 is already better than winamp.
This new version crashes hard (drwatson) after adding songs from a directory and then trying to play them in WinAmp.
Vulnerability or not, I'm going back to the old version.
Dolemite
__________________________
Save the World! Use a Quote!
Nope, removing it from the file types menu won't work. The IN_MOD.DLL plugin will recognize .XM files automatically even if they have a different extension. So anyone who wants to exploit this hole just creates a .XM file and renames it .MP3. That's the best way for them to do it, too, since it's more likely your web browser is automatically configured to launch WinAMP for .MP3 files than it is for .XM files.
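Added example (not part of the thread, and not Winamp or in_mod.dll code): the comments above on file-type handlers and renamed .XM files come down to content deciding the decoder, not the extension, so this sketch walks a directory and flags files that carry the Fasttracker 2 signature under a non-.xm name. The signature layout used (17-byte "Extended Module: " text, 20-byte module name, then a 0x1A byte) is the published XM header format; the function names and the sample files are constructed for illustration.

```python
import os
import tempfile

XM_MAGIC = b"Extended Module: "   # 17-byte ID text at offset 0 of an XM file
XM_MARKER_OFFSET = 37             # 0x1A byte follows the 20-byte module name
XM_EXTENSIONS = {".xm"}

def looks_like_xm(header: bytes) -> bool:
    """True if the leading bytes carry the Fasttracker 2 module signature."""
    return (len(header) > XM_MARKER_OFFSET
            and header.startswith(XM_MAGIC)
            and header[XM_MARKER_OFFSET] == 0x1A)

def find_disguised_xm(root: str) -> list:
    """Return paths under root whose content is XM but whose extension is not .xm."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(64)
            except OSError:
                continue  # unreadable file: nothing to classify
            ext = os.path.splitext(name)[1].lower()
            if looks_like_xm(header) and ext not in XM_EXTENSIONS:
                hits.append(path)
    return sorted(hits)

def build_sample_dir() -> str:
    """Constructed sample data: a bare XM header and a fake MP3 start."""
    root = tempfile.mkdtemp(prefix="xm_sniff_")
    xm_header = (XM_MAGIC + b"demo".ljust(20) + b"\x1a"
                 + b"FastTracker v2.00   " + b"\x04\x01")
    samples = {
        "song.xm": xm_header,        # honest name, not reported
        "renamed.mp3": xm_header,    # XM content behind an .mp3 name
        "real.mp3": b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" * 8,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for path in find_disguised_xm(build_sample_dir()):
        print("XM content behind non-.xm name:", path)
```

A hit only means the file would be treated as a module by a content-sniffing decoder; it says nothing about whether the file is malformed.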