Slashdot Mirror

← Back to Stories (view on slashdot.org)

WinAmp Security Hole Discovered, Patched

Posted by simoniker on from the cha-cha-oops dept.

Sbarbero writes "According to Techworld.com, a significant security hole has been discovered in NullSoft's WinAmp, meaning everyone should upgrade to the 5.03 version the makers have just put out right now. Security company NGS has found that the exploit 'can be activated remotely simply by rendering a specially crafted html document' and will run arbitrary code - they have a full advisory on their site." Oddly enough, the vulnerability is in the playback for the classic .XM 'tracker' music format.

14 of 393 comments (clear)

  1. Re:Aha! by Anonymous Coward · · Score: 5, Informative
    Umm, no. From the advisory:

    Systems Affected: Nullsoft Winamp versions 2.91 to 5.02 (possibly older versions, although this is not confirmed)

  2. Re:Where's my patched 2.9x? by The+Human+Cow · · Score: 5, Informative

    Last time I checked, Winamp 5 used much the same amount of system resources as Winamp 2.
    Winamp 3, on the other hand, is a whole different ball game.

    --
    The Human Cow - bringing you scrumtrelescence since 1995
  3. Re:Where's my patched 2.9x? by Eponymous+Cowboy · · Score: 5, Informative

    Just do what I did, on 2.80:

    Delete in_mod.dll from the "Plugins" directory.

    Hole: Patched.

    Who uses MOD/XM files anymore anyways?

    --
    It's hard for thee to kick against the pricks.
  4. Upgrade to foobar instead. by eddy · · Score: 4, Informative

    You can always upgrade to http://www.foobar2000.org/ instead. No more nonstandard interface, a decent mass-tagger, excellent replay-gain support, etc. What's not to like?

    --
    Belief is the currency of delusion.
  5. Re:Er... by TheFlyingGoat · · Score: 5, Informative

    It doesn't just affect people who use the minibrowser. If you have Winamp set up as the default program for xm files, you're vulnerable. All someone would have to do is redirect the web page to a malformed page that sends a Content-Type: audio/xm (or whatever) header. This would execute Winamp, attempt to load the location, and cause problems.

    --
    You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
  6. wrong. by honold · · Score: 5, Informative

    winamp3 was the bloated piece of crap. winamp5 is not a bloated piece of crap. they dropped wasabi. please check your facts before making posts.

  7. Why are you using Winamp to play XM's anyway? by spyrochaete · · Score: 5, Informative

    Since version 2, Winamp has been notorious for playing MOD, XM, S3M, and related files inaccurately. It fudges up a lot of the effects, particularly portamento (note slide) and key-off commands. You all should be using ModPlug Player to play these formats! It ain't perfect but it's the best Windows player there is.

    Why get this player? So that you can drink deeply from the cup of BBS\Internet history! Check out some MOD sites and dig some chippy goodness!

    SHAMELESS PLUG -- Be sure to scope out my MODs as well!

  8. No upgrade required by Anonymous Coward · · Score: 5, Informative

    If for some reason it is impossible to download the updated version of
    Winamp, the vendor has informed NGSS that it is possible to disable the
    handling of Fasttracker 2 module files by taking the following steps:

    1. Right click the Winamp player, go to 'Options' and then to
    'Preferences...'.

    2. In the new window which loads, go to 'Plug-ins' and 'Input'.

    3. Look for the input plug-in items 'Nullsoft Module Decoder' and double
    click it to bring up the 'Nullsoft Module Decoder Preferences' window.

    4. Select the 'Fasttracker 2' loader and deselect the 'Enabled' checkbox to
    the right of the loaders list.

    5. Close all of the option windows and return to the main player.

  9. Re:xm? by understyled · · Score: 5, Informative

    back before mp3 was an option MODs were the shit. XM in particular had numerous things going for the format, including a nicely designed tracker (Fasttracker 2). I was into modding and tracking myself, but i stuck to Impulse Tracker. both programs are quite similar.. but to answer your question, is this a widely used format? it was. the digital music archive has numerous xm songs, if you're an unbeliever. i'm sure google has something to say about XM too.

    --
    Sig (appended to the end of comments you post, 120 chars)
  10. Re:What I think everyone wants to know is... by stefanlasiewski · · Score: 4, Informative

    Yes, According to the notice:


    Systems Affected: Nullsoft Winamp versions 2.91 to 5.02 (possibly older versions, although this is not confirmed)

    --
    "Can of worms? The can is open... the worms are everywhere."
  11. Re:Where's my patched 2.9x? by F452 · · Score: 5, Informative

    Or you can follow the instructions at http://www.nextgenss.com/advisories/winampheap.txt to disable xm at a lower layer. (This is from a link from the techworld article.)

  12. More than a security fix by superyooser · · Score: 4, Informative
    Many small bug fixes and improvements are included in this new version (5.03) just from 5.02. Also interesting is that they removed AOD (those annoying AOL On Desktop links) from the installer.
    * fixed a crash bug when playing some AVI files in in_dshow
    * added multimedia keyboard keys in global hotkeys default configuration
    * added "Manual playlist advance" in Repeat button popup menu in Classic mode
    * improvements in MP3 encoder configuration (added --alt-preset standard, etc...)
    * made the tabs in the preferences XP correctly themed under Windows XP
    * revamped the Media Library preferences a bit
    * new experimental WMA9 input plugin
    * gen_jumpex updates from DrO
    * added "Nuke library" action in Media Library
    * more upside down videos fixes
    * fixed crash if a plugin generated a pledit wm_windowposchanged on shutdown
    * fixed crash exploit in in_mod (thanks Peter Winter-Smith)
    * fixed various crashes in in_midi when playing invalid files
    * made in_midi store its settings in winamp.ini instead of the registry
    * fixed error during installation on computers with chinese/oriental regional settings
    * removed AOD from installer
    * added Shift-R to toggle manual playlist advance
    * updated VP6 video decoder to latest VP6.2 code
    * fixed crash when launching winamp with very long filenames from explorer
    * made registration dialog to appear in Explorer's taskbar when installing pro version
    * fixed pledit/video windows showing up at startup when minimized
    * modern skins updates :
    - winamp modern skin now uses a 3 state repeat button: no repeat/repeat all/repeat track
    - added appplication desktop toolbars capabilities for layouts, add appbar="left|top|right|bottom" to
    use them
    - upped maki binary version, improved stack protection
    - current skin version number is 1.2 (this should not change for a long while now, and of course we continue
    to support 0.8 to 1.1)
    - (very) limited maki debugger (for now you can bring it up with invokeDebugger(); in a script then use 'x'
    - to continue and 'i' to trace into)
    - fixed obscure capture problem with dragging windows
    - fixed rectrgn being forced to 1 in xml xuiobject buttons that are originally imageless
    - fixed hilited state not on after clicking on buttons while the mouse stays in area
    - fixed scripted onEnterArea/onLeaveArea not being always correctly called while mouse button stays down
    - fixed getToken being passed NULL throwing guru
    - fixed clipping of painting within the background's region of a group rather than within the composed
    region (the one you can change with sysregion)
    - fixed image cache problem when using the same bitmap as a map and a button image parameter
  13. Fix for winamp 2.91 by C32 · · Score: 4, Informative

    Just do a minimal install of 5.03 (without letting it integrate into the shell, etc) and copy the new in_mod.dll from /winamp5dir/plugins to /winamp2.91/plugins..

    While you're at it; all the new and updated input plugins (in_mp3, in_midi, etc) seem to work just fine in 2.91.

  14. Re:Aha! by JofCoRe · · Score: 4, Informative

    Holy shit! Here's a reason not to upgrade:

    in requirements:
    500MHz Pentium III or comparable

    One of the systems that I use winamp on is a Pentium-133 laptop that sits on my entertainment center and plays mp3's thru my stereo.

    Why does it take a PIII-500 to play mp3's? It seems to be working fine on the p133 right now. Seems to me like too much extra bloat...

    --

    Place sig here.