WinAmp Security Hole Discovered, Patched
Sbarbero writes "According to Techworld.com, a significant security hole has been discovered in NullSoft's WinAmp, meaning everyone should upgrade to the 5.03 version the makers have just put out right now. Security company NGS has found that the exploit 'can be activated remotely simply by rendering a specially crafted html document' and will run arbitrary code - they have a full advisory on their site." Oddly enough, the vulnerability is in the playback for the classic .XM 'tracker' music format.
"activated remotely simply by rendering a specially crafted html document" Wouldn't that only make it a problem for those people who actually use the Winamp minibrowser? (I.E., very few people?)
whether this affects the old 2.x series?
I'm still using version 1.45. Free of the spyware and bloat which has come to plague Winamp, and I'm pretty sure it is free of the trojan-type "features" that this story is about.
Don't blame Durga. I voted for Centauri.
Not for me. The "Load file" dialogue that pops up when you click the "eject" button takes about 10 times longer to appear under Winamp 5. And since that's one of the only two buttons I ever click (the other being play/pause), I've always preferred 2.9x.
:-)
I'm prepared to accept that Winamp 3 was even worse though
Is WinAmp the free multimedia player of choice for Windows users? I know we've always talked about how Windows Media Player is eeeevil and RealPlayer is spyware. Where does WinAmp kick in? Does it do video or is it just a music thing? (like a free alternative to MusicMatch Jukebox or whatnot) It has been ages since I've followed up (as a Linuxer I go between noatun and xmms).
Basically, I guess the question is how to make a strong case for WinAmp use. I already sing the praises of Firefox and recommend OpenOffice to folks who don't want/can't shell out $$ for MS Office. I recommend AVG as a free virus-scanner. Same with ZoneAlarm, Spybot S&D, and Ad-Aware. What winning argument do I use to say "use WinAmp instead of..." to Windows users who ask?
I can't believe people are actually complaining about winamp bloat. Winamp has been one of the better examples of not-bloat. Sure, 5 is worse than 2, but it's better than 3, and much of the CPU-hogging goes away when you go back to classic skins. For me, the enqueue function makes it well worth it.
I think the only way you can get less bloated is if you used something like mpg123. XMMS is a winamp-clone on linux anyway.
If I remember, Winamp uses a modified version of Mikmod, a well known module player, which is also available in some Linux distros.
Will this bug be updated in mikmod as well?
I hope that one day, Winamp will drop Mikamp and use Modplug instead, whose sources have been released and which is the best player on Win32 (mikmod sounds horrible on Windows, and is buggy).
Also modplug plays more formats and is better, although it is win32 only.
I need a Sino-Logic 16. Sogo-7 data-gloves, a GPL stealth module...
I wish people bothered to actually learn what Wasabi is. Winamp3 used Wasabi to showcase the technology. It is a scripting language that can do anything (IE: be an mp3 player.) Winamp5 incorporates Wasabi, but it does not run on it. (Winamp5 is ACTUALLY the next version of Winamp2, with parts from Winamp3, hence 2+3=5)
Peter has worked on various Winamp input plugins for years. Chances are that this bug can be found in foobar2000 as well.
All I want it to do is play mp3's...
foobar2000 will serve your needs well. It does everything you could possibly want to do within the realm of playing music, and virtually nothing else. Low memory footprint/CPU requirements, simple and functional GUI (without fancy skins), and very powerful. Check it out.
I just tried that with the classic skin, and he's right. The first time took several seconds, but after that it's fast (once Winamp has cached the directory contents I assume). I've never noticed because I always use the 'Insert' key. (load entire directory at once)