WinAmp Security Hole Discovered, Patched
Sbarbero writes "According to Techworld.com, a significant security hole has been discovered in NullSoft's WinAmp, meaning everyone should upgrade to the 5.03 version the makers have just put out right now. Security company NGS has found that the exploit 'can be activated remotely simply by rendering a specially crafted html document' and will run arbitrary code - they have a full advisory on their site." Oddly enough, the vulnerability is in the playback for the classic .XM 'tracker' music format.
I see nullsoft have also used this opportunity to force all us old Winamp 2.9 users to upgrade to the bloated POS Winamp 5 player.
Some of us just want an MP3 player - we don't need cpu-hogging visualisations, 100s of "cool" skins, or any of the rest of it.
Time to give some of the other players a try, methinks...
</rant>
I haven't used WinAmp in quite a while, so I can't remember. Does WinAmp allow dynamic loading of embedded content, as in: you play a song, which has an embedded script that opens an html document for you? I seem to remember one of the players doing this. I'm pretty sure Windows Media Player does this. If WinAmp does, it would make the problem much more dangerous.
Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
Here's an idea to keep yourself free from these types of third party software security issues.
Don't have it automatically load at boot. Simple! Next, change your associations to only load the files you want (for example, I don't know _anyone_ that uses Winamp for more than video playing and mp3's, what's with the .XM files?) So, go to command prompt (or your favourite association editor) and type ASSOC and change the association of .XM files.. Pretty simple.. In fact, change all associations except .WAV, .MP3 and .MPEG (or whatever video/audio formats you prefer), that deal with Winamp.
Another way to change file associations is to go into Explorer, "Tools" pull down menu, select "Folder Options", click the tab "File Types" and you can delete them from here.
Now this solves the loading problem, if it loads only when you click on your MP3 you don't have to worry about it leaving open ports (this goes for any third party software you don't need running all the time..). Not only will this prevent this sort of attack, but you'll get some freed resources, and a faster boot time, 'to boot'!..
Mod +5 Drunk
Yes, it affects it. Yes you can fix it by following the instructions in the linked story:
If for some reason it is impossible to download the updated version of Winamp, the vendor has informed NGSS that it is possible to disable the handling of Fasttracker 2 module files by taking the following steps:
1. Right click the Winamp player, go to 'Options' and then to 'Preferences...'.
2. In the new window which loads, go to 'Plug-ins' and 'Input'.
3. Look for the input plug-in items 'Nullsoft Module Decoder' and double click it to bring up the 'Nullsoft Module Decoder Preferences' window.
4. Select the 'Fasttracker 2' loader and deselect the 'Enabled' checkbox to the right of the loaders list.
5. Close all of the option windows and return to the main player.
Lots of petrified grits
The core Foobar2000 is quite slim and....
you can choose to download and install the open source components (official or third parties) that you want....
this is customization as it should be.
No it isn't. Normal practice is to mod you up to 5 (especially if you claim you'll be modded down). I don't know if it was intentional in your case, but it's the oldest karma whore tactic in the book.
Anyway, I for one have long given up criticizing the slashdot editors. They just don't care.
Spyware and bloat???
Winamp certainly does not have spyware included in it! Real, MusicMatch and others may, but winamp has a very clean reputation. Since they're owned by AOL, an AOL icon is placed on your desktop (although the last time I used it, the installer actually PROMPTED you if you wanted it there!).
Winamp had bloat problems with version 3. It sucked. Everyone who's involved with winamp, even the developers, acknowledge this. Winamp 5 is MUCH better. With 'new' skins enabled, it takes up slightly more than winamp 2 (which didn't support 'new' skins). Disabling the skins results in winamp 5 occupying LESS ram than winamp 2. This is quite an accomplishment, as winamp 2 has been around for many years. Any modern windows PC should be able to run it without a problem. Very few programs can make this claim any more.
If your computer can't spare the 5mb or so that winamp5 takes up, you need to consider an upgrade!
-- If you try to fail and succeed, which have you done? - Uli's moose
Or am I missing something?
IE probably.
Actually I think the fellows who made XMMS wanted a Linux version of Winamp... in fact XMMS skins are the same format as the old winamp skins.
Yes. Winamp was out before XMMS. Actually, XMMS used to be called X11Amp, which was when I first tried it.
Let me tell you, when X11Amp first came out, it wasn't even close to the quality and features that Winamp had. It was the best thing around for Unix MP3 playback though, and it's improved and matured greatly since then.
What winning argument do I use to say "use WinAmp instead of..." to Windows users who ask?
:)
It really whips the llama's ass!