WinAmp Security Hole Discovered, Patched

Sbarbero writes "According to Techworld.com, a significant security hole has been discovered in NullSoft's WinAmp, meaning everyone should upgrade to the 5.03 version the makers have just put out right now. Security company NGS has found that the exploit 'can be activated remotely simply by rendering a specially crafted html document' and will run arbitrary code - they have a full advisory on their site." Oddly enough, the vulnerability is in the playback for the classic .XM 'tracker' music format.

Er...

[James+A.+M.+Joyce]

"activated remotely simply by rendering a specially crafted html document" Wouldn't that only make it a problem for those people who actually use the Winamp minibrowser? (I.E., very few people?)

Re:Er...

[Doesn't_Comment_Code]

I haven't used WinAmp in quite a while, so I can't remember. Does WinAmp allow dynamic loading of embedded content, as in: you play a song, which has an embedded script that opens an html document for you? I seem to remember one of the players doing this. I'm pretty sure Windows Media Player does this. If WinAmp does, it would make the problem much more dangerous.

Re:Er...

You can .XM files into a HTML document and if WinAmp is set as the handler for that MIME type, it will probably automatically launch it (or something).

Re:Er...

[TheFlyingGoat]

It doesn't just affect people who use the minibrowser. If you have Winamp set up as the default program for xm files, you're vulnerable. All someone would have to do is redirect the web page to a malformed page that sends a Content-Type: audio/xm (or whatever) header. This would execute Winamp, attempt to load the location, and cause problems.

Re:Er...

[los+furtive]

I doesn't matter if its the browser being used. But to answer your question , I never used the browser until they started adding streaming video to their library...now 'certain' channels bring up the browser every 60 seconds or so. But I can usually put up with it for the 5-6 minutes that I need.

Where's my patched 2.9x?

[CaptainBaz]

I see nullsoft have also used this opportunity to force all us old Winamp 2.9 users to upgrade to the bloated POS Winamp 5 player.

Some of us just want an MP3 player - we don't need cpu-hogging visualisations, 100s of "cool" skins, or any of the rest of it.

Time to give some of the other players a try, methinks...

</rant>

Re:Where's my patched 2.9x?

[The+Human+Cow]

Last time I checked, Winamp 5 used much the same amount of system resources as Winamp 2.
Winamp 3, on the other hand, is a whole different ball game.

Re:Where's my patched 2.9x?

[Eponymous+Cowboy]

Just do what I did, on 2.80:

Delete in_mod.dll from the "Plugins" directory.

Hole: Patched.

Who uses MOD/XM files anymore anyways?

Re:Where's my patched 2.9x?

[OglinTatas]

I use Irfanview with the "all pluggins" patch to play MP3 files and streams. Great light footprint media player and image viewer.

Re:Where's my patched 2.9x?

[satterth]

http://www.foobar2000.org/

Re:Where's my patched 2.9x?

[CaptainBaz]

Not for me. The "Load file" dialogue that pops up when you click the "eject" button takes about 10 times longer to appear under Winamp 5. And since that's one of the only two buttons I ever click (the other being play/pause), I've always preferred 2.9x.

I'm prepared to accept that Winamp 3 was even worse though :-)

Re:Where's my patched 2.9x?

[Doesn't_Comment_Code]

bloated POS Winamp 5 player

You know your media player is too big when all the eye candy slows your older computers to the point they can't play mp3's without choking.

Re:Where's my patched 2.9x?

You are probably not using the Classic skin then. I had the new modern skin turned on and it's a real pig. Go back to the Classic skin though and Winamp5 becomes the same as Winamp2

Re:Where's my patched 2.9x?

[F452]

Or you can follow the instructions at http://www.nextgenss.com/advisories/winampheap.txt to disable xm at a lower layer. (This is from a link from the techworld article.)

Re:Where's my patched 2.9x?

I do!! There are some very talented artists out there. Some songs you might try to find (at the Mod archive perhaps):

Knulla Kuk by Moby (the original Moby!)

Space Debris by Captain

Variations by Jogeir Liljedahl

Capslock by Mick Rippon

Jaunt by Wolfsong

These are just a few of many high-quality tracks that are out there. It's worth giving some a listen sometime!

Re:Where's my patched 2.9x?

[edwdig]

Who uses MOD/XM files anymore anyways?

For starters, most GameBoy Advance music is composed in those formats.

Re:Where's my patched 2.9x?

[toddestan]

I just tried that with the classic skin, and he's right. The first time took several seconds, but after that it's fast (once Winamp has cached the directory contents I assume). I've never noticed because I always use the 'Insert' key. (load entire directory at once)

Re:Where's my patched 2.9x?

[Elfan]

Supported input formats:

* MPEG-4 AAC
* MP3
* MP2
* Musepack
* Ogg Vorbis
* WAV
* AIFF
* VOC
* AU
* SND
* CDDA
* FLAC
* Monkey's Audio
* WavPack
* Speex
* Mod
* SPC
* TFMX
* Shorten
* OptimFROG
* LPAC
* WMA
* AC3
* PSF
* NSF
* SID
* XA
* Matroska

picky picky... ;-)

I don't expect one program to do everything (well unless its EMACS). But you are right that there are some audio formats that still need work. However, for most users (most of their audio is in mp3 or some ogg) I think foobar2000 is already better than winamp.

Re:Where's my patched 2.9x?

Nope, removing it from the file types menu won't work. The IN_MOD.DLL plugin will recognize .XM files automatically even if they have a different extension. So anyone who wants to exploit this hole just creates a .XM file and renames it .MP3. That's the best way for them to do it, too, since it's more likely your web browser is automatically configured to launch WinAMP for .MP3 files than it is for .XM files.

Re:Aha!

[the_skywise]

But the press release says it affects ALL versions of WinAmp.

Re:Aha!

Umm, no. From the advisory:

Systems Affected: Nullsoft Winamp versions 2.91 to 5.02 (possibly older versions, although this is not confirmed)

Thank goodness

[ackthpt]

Thank goodness I don't listen to music/radio on my computer. You never know where such a thing could lead to.

Hi from Napster! We've been tracking your listening habits and suggest the following music...Barry Manilow, Air Supply, Leo Sayer. If you act now and buy, we won't tell your friends or neighbors.

What I think everyone wants to know is...

[Bytal]

whether this affects the old 2.x series?

Re:What I think everyone wants to know is...

[stefanlasiewski]

Yes, According to the notice:


Systems Affected: Nullsoft Winamp versions 2.91 to 5.02 (possibly older versions, although this is not confirmed)

Re:What I think everyone wants to know is...

[guacamolefoo]

Yes, it affects it. Yes you can fix it by following the instructions in the linked story:

If for some reason it is impossible to download the updated version of Winamp, the vendor has informed NGSS that it is possible to disable the handling of Fasttracker 2 module files by taking the following steps:

1. Right click the Winamp player, go to 'Options' and then to 'Preferences...'.

2. In the new window which loads, go to 'Plug-ins' and 'Input'.

3. Look for the input plug-in items 'Nullsoft Module Decoder' and double click it to bring up the 'Nullsoft Module Decoder Preferences' window.

4. Select the 'Fasttracker 2' loader and deselect the 'Enabled' checkbox to the right of the loaders list.

5. Close all of the option windows and return to the main player.

Damnit!

[teamhasnoi]

When is the Mac version of this exploit coming out?

I am so tired of waiting.

Re:Damnit!

[blixel]

When is the Mac version of this exploit coming out?

Doesn't matter. No one will be able to afford it.

Upgrade to foobar instead.

[eddy]

You can always upgrade to http://www.foobar2000.org/ instead. No more nonstandard interface, a decent mass-tagger, excellent replay-gain support, etc. What's not to like?

Re:Upgrade to foobar instead.

[Vaevictis666]

No media library.

Sure there is - From the Foobar2000-> Preferences menu, select Database, and ensure that your mp3 dir is listed in the "Restrict Directories to" box. If you only want specific file types rather than anything foobar can play, restrict file types to *.mp3;*.ogg for example.

Now hit the Scan button and wait a few.

Next up is Components->Album List. Boom boom there ya go. As you add new mp3s to your playlist, if they are in your previously mentioned directories, they will be auto-added to the album list.

If you want to do different kinds of filters, it's fully configurable in the preferences screen, Components\Album List - you'll probably want to pop up the help file to figure out all the %variables% and $functions. Easiest method is Display\Title Formatting, click the help button. Once you get the hang of the variable replacement, it's actually really really easy to add new filters. (Disclaimer: I Am A Coder, so that does come fairly naturally to me)

And yes, just about everything in foobar2000 is as configurable as that, from track list formatting, to right-click menu, to window menu entries... and I hear that stock it runs pretty well under Wine (a few incompatabilities with some plugins)

Re:Upgrade to foobar instead.

[Fweeky]

The interface is endlessly customizable, from fonts, colours, format scripts etc, all the way up to entirely different column-based and skinnable replacements. The mass-tagger's never failed me, and frankly blows the likes of Tag & Rename out of the water with it's format-agnostic approach.

WinAmp has plenty not to like about it.. it's just those things tend to be more oriented around it's awful skins and lack of support for all sorts of things I use daily, like playing cuesheets without broken and hacked together plugins and bundled support for any format I'm ever likely to encounter with a footprint that puts WinAmp to shame.

xm?

[JaxWeb]

I've never used a Fastrack XM file in my life. Is this a widely used format?

Re:xm?

[understyled]

back before mp3 was an option MODs were the shit. XM in particular had numerous things going for the format, including a nicely designed tracker (Fasttracker 2). I was into modding and tracking myself, but i stuck to Impulse Tracker. both programs are quite similar.. but to answer your question, is this a widely used format? it was. the digital music archive has numerous xm songs, if you're an unbeliever. i'm sure google has something to say about XM too.

WinAmp Use

[Eberlin]

Is WinAmp the free multimedia player of choice for Windows users? I know we've always talked about how Windows Media Player is eeeevil and RealPlayer is spyware. Where does WinAmp kick in? Does it do video or is it just a music thing? (like a free alternative to MusicMatch Jukebox or whatnot) It has been ages since I've follwed up (as a Linuxer I go between noatun and xmms)

Basically, I guess the question is how to make a strong case for WinAmp use. I already sing the praises of Firefox and recommend OpenOffice to folks who don't want/can't shell out $$ for MS Office. I recommend AVG as a free virus-scanner. Same with ZoneAlarm, Spybot S&D, and Ad-Aware. What winning argument do I use to say "use WinAmp instead of..." to Windows users who ask?

Re:WinAmp Use

[DarkkOne]

Most people who use winamp use it primarily for MP3s. I honestly can't suggest it for video playback. It's never worked well for me.

What I will suggest for media playback in general is "Media Player Classic" available at sourceforge. I don't know what the general consensus is here, but for me, it has done what I've asked it to do, and that's good enough for me.

Re:WinAmp Use

[BFaucet]

Winamp is pretty much XMMS... It does video to.

I recommend it as an audio player, but I like Media Player Classic for video.

history of Winamp:
http://www.time.com/time/digital/reports/ mp3/frank el1.html

Actually I think the fellows who made XMMS wanted a Linux version of Winamp... in fact XMMS skins are the same format as the old winamp skins.

Anyway... I like it well enough... I think it's suffered from bloat since Frankel sold NullSoft to AOL, but it's all good.

Get Winamp 2.X if you want just a good audio player.

Don't get Winamp 3 as it sucks memory like mad and has no real benefits.

Winamp 4 doesn't exist.

Winamp 5 is kinda like what Winamp 3 was supposed to be. It supports the pretty (and useless IMHO) new skins and is also very stable. It also has very nice internet TV video streaming. I run Winamp 5 because I have a Gig of memory and am not bothered by its 10-20 meg footprint.

There are also a whole heck of a lot of plugins for winamp to do various things like controlling it via remote control, ripping audio streams off the web and even have a little character dance on the screen.

Re:WinAmp Use

[crabpeople]

the one great use that IMHO beats hands down any other media player, is the use of Hotkeys in winamp 5. with this turned on (not on by default) you have a whole range of keyboard shortcuts that can be used to control winamp.

some ones i use every day are CTRL + ALT + PG DOWN to forward the track, CTRL + ALT + Down Arrow , to lower volume for when phone rings and CTRL + ALT + Insert to restart a track. there are many others to do basically any function. you can change them to whatever you want as well. Primarily i would use these when im in a fullscreen game as before i would have to alt + tab out to change the track (very annoying)

better off using media player classic (my favourite distro is something called the ACE mega codec pack{large DL like 40-50megs}, i have yet to find something it cant play).

basically, its free, its light (680k download 1.5mb install) highly configurable, plays every audio file imagineable, built in crossfader and hotkeys, and is the most popular user driven project in the windows world (IMHO). I say that because most plugins are made by users, and although i havent actually made one, i could imagine it being easy as there are over 30k of them.

Re:WinAmp Use

[Roofus]

Actually I think the fellows who made XMMS wanted a Linux version of Winamp... in fact XMMS skins are the same format as the old winamp skins.

Yes. Winamp was out before XMMS. Actually, XMMS used to be called X11Amp, which was when I first tried it.

Let me tell you, when X11Amp first came out, it wasn't even close to the quality and features that Winamp had. It was the best thing around for Unix MP3 playback though, and it's improved and matured greatly since then.

Re:WinAmp Use

[Jester99]

What winning argument do I use to say "use WinAmp instead of..." to Windows users who ask?

It really whips the llama's ass! :)

Wow

[GarfBond]

I can't believe people are actually complaining about winamp bloat. Winamp has been one of the better examples of not-bloat. Sure, 5 is worse than 2, but it's better than 3, and much of the CPU-hogging goes away when you go back to classic skins. For me, the enqueue function makes it well worth it.

I think the only way you can get less bloated is if you used something like mpg123. XMMS is a winamp-clone on linux anyway.

wrong.

[honold]

winamp3 was the bloated piece of crap. winamp5 is not a bloated piece of crap. they dropped wasabi. please check your facts before making posts.

Re:wrong.

[phoenix.bam!]

I wish people bothered to actually learn what Wasabi is. Winamp3 used Wasabi to showcase the technology. It is a scripting language that can do anything (IE: be an mp3 player.) Winamp5 incorporates Wasabi, but it does not run on it. (Winamp5 is ACTUALLY the next version of Winamp2, with parts from Winamp3, hence 2+3=5)

Re:wrong.

[default+luser]

No, the sound quality went to hell after version 2.22 because they dropped the Fraunhofer codec. I believe it was because Fraunhofer was raising ( or enforcing?) licenses on their suddenly valuable IP.

They ended up making a replacement codec in-house. A lot of people initially complained about the sound quality, but they improved it with every release, and supposedly since 2.666 the rendering bugs have been removed. It sounds great, and performs well.

Re:wrong.

[ishamael69]

Here you go.

Re:wrong.

[LucidityZero]

Recommended system requirements

* 1.5 GHz Pentium IV or comparable
* 128MB RAM
* 30MB Hard Disk Space
* 32bit Sound Card
* Windows 2000, Windows XP
* 8x speed or greater CD Burner (Required for Burning)
* 16x speed or greater CDROM (Required for Ripping)

And it's not bloated?

Re:wrong.

Be sure to buy a computer that wasn't manufactured in fucking 1956 Soviet Russia, asshole.

This is major

[Tobias+Luetke]

I'm sure the millions of people who use Winamp as their main browser will not like this at all.

And since winamp uses IE for web page rendering people are used to so high standards for security.

bummer.

I was wondering when it would happen.

[Phybersyk0]

I used to track mods on the Amiga (protracker) and PC (Fast Tracker2). It was a fairly common occurence for people to load text/image files into songs as a playable instrument within a music module. You could then transfer the module (which contains both the instrument samples & the pointers to the coded music (it's all addressed through HEX!)) and then extract the datafile (save instrument as...) then view it in your favorite image viewer or text editor....

FYI:
Data files as instruments do not really sound as cool as you'd think though. If the file has header info, that's where you'd find the most variety and interesting sounds...

Mikamp module

[execom]

If I remember, Winamp uses a modified version of Mikmod, a well known module player, which is also available in some Linux distro.

Will this bug be updated in mikmod as well ?

I hope that one day, Winamp will drop Mikamp and use Modplug instead, which sources has been released and it the best player on Win32 (mikmod sounds horrible on Windows, and is buggy).

Also modplug plays more formats and is better, although is win32 only;

Re:Mikamp module

[Stephen+Williams]

Also modplug plays more formats and is better, although is win32 only

There's a port to XMMS. Works for me.

-Stephen

Why are you using Winamp to play XM's anyway?

[spyrochaete]

Since version 2, Winamp has been notorious for playing MOD, XM, S3M, and related files inaccurately. It fudges up a lot of the effects, particularly portamento (note slide) and key-off commands. You all should be using ModPlug Player to play these formats! It ain't perfect but it's the best Windows player there is.

Why get this player? So that you can drink deeply from the cup of BBS\Internet history! Check out some MOD sites and dig some chippy goodness!

SHAMELESS PLUG -- Be sure to scope out my MODs as well!

Don't load in startup

[DR+SoB]

Here's an idea to keep yourself free from these type of third party software security issues.

Don't have it automatically load at boot. Simple! Next, change your association's to only load the files you want (for example, I don't know _anyone_ that uses Winamp for more then video playing and mp3's, what's with the .XM files?) So, go to command prompt (or your favourite association editor) and type ASSOC and change the association of .XM files.. Pretty simple.. In fact, change all associations except .WAV, .MP3 and .MPEG (or whatever video/audio formats you prefer), that deal with Winamp.

Another way to change file associations is to go into Explorer, "Tools" pull down menu, select "Folder Options", click the tab "File Types" and you can delete them from here.

Now this solves the loading problem, if it loads only when you click on your MP3 you don't have to worry about it leaving open ports (this goes for any third party software you don't need running all the time..). Not only will this prevent this sort of attack, but you'll get some freed resources, and a faster boot time, 'to boot'!..

No upgrade required

If for some reason it is impossible to download the updated version of
Winamp, the vendor has informed NGSS that it is possible to disable the
handling of Fasttracker 2 module files by taking the following steps:

1. Right click the Winamp player, go to 'Options' and then to
'Preferences...'.

2. In the new window which loads, go to 'Plug-ins' and 'Input'.

3. Look for the input plug-in items 'Nullsoft Module Decoder' and double
click it to bring up the 'Nullsoft Module Decoder Preferences' window.

4. Select the 'Fasttracker 2' loader and deselect the 'Enabled' checkbox to
the right of the loaders list.

5. Close all of the option windows and return to the main player.

Third Party Software Sucks

[Mordack]

Crap like this is why you should never use third party software like Winamp. Stick with Microsofts line of quality products and you'll be safe.

Seriously, just look at the time it took to fix this bug. I could almost read the entire headline before the fix. The bug took as long to fix as to read the comma between "Discovered" and "Patched". I expect better from Third Party software.

Until Third Party software is able to show they care about their products I can only recommend that you stick with 100% Microsoft Approved Solutions.

More than a security fix

[superyooser]

Many small bug fixes and improvements are included in this new version (5.03) just from 5.02. Also interesting is that they removed AOD (those annoying AOL On Desktop links) from the installer.

* fixed a crash bug when playing some AVI files in in_dshow
* added multimedia keyboard keys in global hotkeys default configuration
* added "Manual playlist advance" in Repeat button popup menu in Classic mode
* improvements in MP3 encoder configuration (added --alt-preset standard, etc...)
* made the tabs in the preferences XP correctly themed under Windows XP
* revamped the Media Library preferences a bit
* new experimental WMA9 input plugin
* gen_jumpex updates from DrO
* added "Nuke library" action in Media Library
* more upside down videos fixes
* fixed crash if a plugin generated a pledit wm_windowposchanged on shutdown
* fixed crash exploit in in_mod (thanks Peter Winter-Smith)
* fixed various crashes in in_midi when playing invalid files
* made in_midi store its settings in winamp.ini instead of the registry
* fixed error during installation on computers with chinese/oriental regional settings
* removed AOD from installer
* added Shift-R to toggle manual playlist advance
* updated VP6 video decoder to latest VP6.2 code
* fixed crash when launching winamp with very long filenames from explorer
* made registration dialog to appear in Explorer's taskbar when installing pro version
* fixed pledit/video windows showing up at startup when minimized
* modern skins updates :
- winamp modern skin now uses a 3 state repeat button: no repeat/repeat all/repeat track
- added appplication desktop toolbars capabilities for layouts, add appbar="left|top|right|bottom" to
use them
- upped maki binary version, improved stack protection
- current skin version number is 1.2 (this should not change for a long while now, and of course we continue
to support 0.8 to 1.1)
- (very) limited maki debugger (for now you can bring it up with invokeDebugger(); in a script then use 'x'
- to continue and 'i' to trace into)
- fixed obscure capture problem with dragging windows
- fixed rectrgn being forced to 1 in xml xuiobject buttons that are originally imageless
- fixed hilited state not on after clicking on buttons while the mouse stays in area
- fixed scripted onEnterArea/onLeaveArea not being always correctly called while mouse button stays down
- fixed getToken being passed NULL throwing guru
- fixed clipping of painting within the background's region of a group rather than within the composed
region (the one you can change with sysregion)
- fixed image cache problem when using the same bitmap as a map and a button image parameter

Fix for winamp 2.91

[C32]

Just do a minimal install of 5.03 (without letting it integrate into the shell, etc) and copy the new in_mod.dll from /winamp5dir/plugins to /winamp2.91/plugins..

While you're at it; all the new and updated input plugins (in_mp3, in_midi, etc) seem to work just fine in 2.91.

Just use Foobar2000...

[Lakedemon]

The core Foobar2000 is quite slim and....
you can choose to download and install the open source components (official or third parties) that you want....
this is customization as it should be.

Windows itself costs

[tepples]

last time I checked WMP didn't cost anything either.

Any program distributed only with Microsoft Windows costs 150 USD or so for a Windows XP Pro OEM license. So does any Win32 program designed to bail if it detects Wine.

Re:Aha!

[JofCoRe]

Holy shit! Here's a reason not to upgrade:

in requirements:
500MHz Pentium III or comparable

One of the systems that I use winamp on is a Pentium-133 laptop that sits on my entertainment center and plays mp3's thru my stereo.

Why does it take a PIII-500 to play mp3's? It seems to be working fine on the p133 right now. Seems to me like too much extra bloat...

Fresh from the llama's ass

[t0qer]

This quality karma whoring brought to you by toqerTV

Hot off #nullsoft

i don't even think the exploit is in our code
ron, is the exploit in the decoder?
isn't it in mikmod
When is the Mac version of this exploit coming out?
I am so tired of waiting.
hehe
i don't think we even wrote that xm decoder
*** Quit: statsbot (Ping timeout: 180 seconds)
*** Join: DrunkenMaster (DM@adsl-66-159-200-78.dslextreme.com)
`steev: the exploit was in the mikmod library that's used by in_mod for xm decoding
so its not even our code heh
yeah
there you go
it's not even our fault the exploit exists

So this isn't even a winamp bug, it's a mikmod bug.

Re:Upgrade to version 1.45

[moosesocks]

Spyware and bloat???

Winamp certianly does not have spyware included in it! Real, MusicMatch and others may, but winamp has a very clean reputation. Since they're owned by AOL, an AOL icon is placed on your desktop (although the last time I used it, the installer actually PROMPTED you if you wanted it there!).

Winamp had bloat problems with version 3. It sucked. Everyone who's involved with winamp, even the developers, acknowledge this. Winamp 5 is MUCH better. With 'new' skins enabled, it takes up slightly more than winamp 2 (which didn't support 'new skins). Disabling the skins results in winamp 5 occupying LESS ram than winamp 2. This is quite an accomplishment, as winamp 2 has been around for many years. Any modern windows PC should be able to run it without a problem. Very few programs can make this claim any more.

If your computer can't spare the 5mb or so that winamp5 takes up, you need to consider an upgrade!

You want 2.81?

[Ayanami+Rei]

http://download.nullsoft.com/winamp/client/winamp2 81_full.exe

At least they still host it. (you can also s/full/lite in the URL)

Re:You want 2.81?

[toddestan]

There is also a mostly complete list of old Winamp versions at www.oldversion.com for anyone who is interested.

Link.

Re:Aha!

[FreeForm+Response]

All I want it to do is play mp3's...

foobar2000 will serve your needs well. It does everything you could possibly want to do within the realm of playing music, and virtually nothing else. Low memory footprint/CPU requirements, simple and functional GUI (without fancy skins), and very powerful. Check it out.

Oh no, am I vulnerable

[whitmer]

Does this also affect my current version of XMMS?!

Oh wait, wrong OS. Never mind.

Warning!! Win32 Version is not Stable!

[Dolemite_the_Wiz]

This new version crashes hard (drwatson) after adding songs from a directory and then trying to play them in WinAmp.

Vulnerablity or not, I'm going back to the old version.

Dolemite
__________________________