Slashdot Mirror


WinAmp Security Hole Discovered, Patched

Sbarbero writes "According to Techworld.com, a significant security hole has been discovered in NullSoft's WinAmp, meaning everyone should upgrade to the 5.03 version the makers have just put out right now. Security company NGS has found that the exploit 'can be activated remotely simply by rendering a specially crafted html document' and will run arbitrary code - they have a full advisory on their site." Oddly enough, the vulnerability is in the playback for the classic .XM 'tracker' music format.

26 of 393 comments

  1. Re:Aha! by Anonymous Coward · · Score: 5, Informative
    Umm, no. From the advisory:

    Systems Affected: Nullsoft Winamp versions 2.91 to 5.02 (possibly older versions, although this is not confirmed)

  2. Thank goodness by ackthpt · · Score: 5, Funny
    Thank goodness I don't listen to music/radio on my computer. You never know where such a thing could lead to.

    Hi from Napster! We've been tracking your listening habits and suggest the following music...Barry Manilow, Air Supply, Leo Sayer. If you act now and buy, we won't tell your friends or neighbors.

    --

    A feeling of having made the same mistake before: Deja Foobar
  3. What I think everyone wants to know is... by Bytal · · Score: 4, Interesting

    whether this affects the old 2.x series?

    1. Re:What I think everyone wants to know is... by stefanlasiewski · · Score: 4, Informative

      Yes, according to the notice:


      Systems Affected: Nullsoft Winamp versions 2.91 to 5.02 (possibly older versions, although this is not confirmed)

      --
      "Can of worms? The can is open... the worms are everywhere."
  4. Damnit! by teamhasnoi · · Score: 5, Funny
    When is the Mac version of this exploit coming out?

    I am so tired of waiting.

    1. Re:Damnit! by blixel · · Score: 4, Funny

      When is the Mac version of this exploit coming out?

      Doesn't matter. No one will be able to afford it.

  5. Re:Where's my patched 2.9x? by The Human Cow · · Score: 5, Informative

    Last time I checked, Winamp 5 used much the same amount of system resources as Winamp 2.
    Winamp 3, on the other hand, is a whole different ball game.

    --
    The Human Cow - bringing you scrumtrelescence since 1995
  6. Re:Where's my patched 2.9x? by Eponymous Cowboy · · Score: 5, Informative

    Just do what I did, on 2.80:

    Delete in_mod.dll from the "Plugins" directory.

    Hole: Patched.

    Who uses MOD/XM files anymore anyways?

    --
    It's hard for thee to kick against the pricks.
  7. Re:Where's my patched 2.9x? by Doesn't_Comment_Code · · Score: 4, Funny

    bloated POS Winamp 5 player

    You know your media player is too big when all the eye candy slows your older computers to the point they can't play mp3's without choking.

    --

    Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
  8. Upgrade to foobar instead. by eddy · · Score: 4, Informative

    You can always upgrade to http://www.foobar2000.org/ instead. No more nonstandard interface, a decent mass-tagger, excellent replay-gain support, etc. What's not to like?

    --
    Belief is the currency of delusion.
  9. WinAmp Use by Eberlin · · Score: 5, Interesting

    Is WinAmp the free multimedia player of choice for Windows users? I know we've always talked about how Windows Media Player is eeeevil and RealPlayer is spyware. Where does WinAmp kick in? Does it do video or is it just a music thing? (like a free alternative to MusicMatch Jukebox or whatnot) It has been ages since I've followed up (as a Linuxer I go between noatun and xmms)

    Basically, I guess the question is how to make a strong case for WinAmp use. I already sing the praises of Firefox and recommend OpenOffice to folks who don't want/can't shell out $$ for MS Office. I recommend AVG as a free virus-scanner. Same with ZoneAlarm, Spybot S&D, and Ad-Aware. What winning argument do I use to say "use WinAmp instead of..." to Windows users who ask?

  10. Wow by GarfBond · · Score: 5, Interesting

    I can't believe people are actually complaining about winamp bloat. Winamp has been one of the better examples of not-bloat. Sure, 5 is worse than 2, but it's better than 3, and much of the CPU-hogging goes away when you go back to classic skins. For me, the enqueue function makes it well worth it.

    I think the only way you can get less bloated is if you used something like mpg123. XMMS is a winamp-clone on linux anyway.

  11. Re:Er... by TheFlyingGoat · · Score: 5, Informative

    It doesn't just affect people who use the minibrowser. If you have Winamp set up as the default program for xm files, you're vulnerable. All someone would have to do is redirect the web page to a malformed page that sends a Content-Type: audio/xm (or whatever) header. This would execute Winamp, attempt to load the location, and cause problems.

    --
    You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
  12. wrong. by honold · · Score: 5, Informative

    winamp3 was the bloated piece of crap. winamp5 is not a bloated piece of crap. they dropped wasabi. please check your facts before making posts.

    1. Re:wrong. by phoenix.bam! · · Score: 4, Interesting

      I wish people bothered to actually learn what Wasabi is. Winamp3 used Wasabi to showcase the technology. It is a scripting language that can do anything (IE: be an mp3 player.) Winamp5 incorporates Wasabi, but it does not run on it. (Winamp5 is ACTUALLY the next version of Winamp2, with parts from Winamp3, hence 2+3=5)

  13. Mikamp module by execom · · Score: 5, Interesting

    If I remember, Winamp uses a modified version of Mikmod, a well known module player, which is also available in some Linux distro.

    Will this bug be updated in mikmod as well ?

    I hope that one day, Winamp will drop Mikamp and use Modplug instead, whose sources have been released and is the best player on Win32 (mikmod sounds horrible on Windows, and is buggy).

    Also modplug plays more formats and is better, although is win32 only;

    --
    I need a Sino-Logic 16. Sogo-7 data-gloves, a GPL stealth module...
  14. Why are you using Winamp to play XM's anyway? by spyrochaete · · Score: 5, Informative

    Since version 2, Winamp has been notorious for playing MOD, XM, S3M, and related files inaccurately. It fudges up a lot of the effects, particularly portamento (note slide) and key-off commands. You all should be using ModPlug Player to play these formats! It ain't perfect but it's the best Windows player there is.

    Why get this player? So that you can drink deeply from the cup of BBS\Internet history! Check out some MOD sites and dig some chippy goodness!

    SHAMELESS PLUG -- Be sure to scope out my MODs as well!

  15. Don't load in startup by DR SoB · · Score: 5, Insightful

    Here's an idea to keep yourself free from these types of third party software security issues.

    Don't have it automatically load at boot. Simple! Next, change your associations to only load the files you want (for example, I don't know _anyone_ that uses Winamp for more than video playing and mp3's, what's with the .XM files?) So, go to command prompt (or your favourite association editor) and type ASSOC and change the association of .XM files.. Pretty simple.. In fact, change all associations except .WAV, .MP3 and .MPEG (or whatever video/audio formats you prefer), that deal with Winamp.

    Another way to change file associations is to go into Explorer, "Tools" pull down menu, select "Folder Options", click the tab "File Types" and you can delete them from here.

    Now this solves the loading problem, if it loads only when you click on your MP3 you don't have to worry about it leaving open ports (this goes for any third party software you don't need running all the time..). Not only will this prevent this sort of attack, but you'll get some freed resources, and a faster boot time, 'to boot'!..

    --
    Mod +5 Drunk
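
An added example, not part of the comment above and not Nullsoft tooling: a PowerShell audit of the file-association advice, listing every extension whose open command mentions Winamp and flagging those outside the .WAV/.MP3/.MPEG set the comment suggests keeping. It assumes the registered open command contains the string "winamp"; the `$keep` list and the keep/review labels are illustrative.

```powershell
# Added example: audit which extensions are associated with Winamp.
# Assumption: Winamp's registered open command contains "winamp".
$keep = '.wav', '.mp3', '.mpeg'   # formats the comment suggests leaving alone

# "ftype" with no arguments lists every "FileType=open command" pair.
$commands = @{}
foreach ($line in (cmd /c ftype)) {
    $name, $command = $line -split '=', 2
    if ($command) { $commands[$name] = $command }
}

# "assoc" with no arguments lists every ".ext=FileType" pair.
$report = foreach ($line in (cmd /c assoc)) {
    $ext, $fileType = $line -split '=', 2
    if (-not $fileType -or -not $commands.ContainsKey($fileType)) { continue }
    if ($commands[$fileType] -notmatch 'winamp') { continue }

    # Anything Winamp opens that is not on the keep list deserves a look.
    $action = if ($keep -contains $ext) { 'keep' } else { 'review' }

    [pscustomobject]@{
        Extension = $ext
        FileType  = $fileType
        Command   = $commands[$fileType]
        Action    = $action
    }
}

if ($report) {
    $report | Sort-Object Action, Extension | Format-Table -AutoSize
} else {
    'No extensions are associated with a command containing "winamp".'
}

# Clearing one association is the cmd step the comment describes, run from
# an elevated prompt:   assoc .xm=
```

The script only reads and reports; removing an association stays a deliberate manual step.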
  16. No upgrade required by Anonymous Coward · · Score: 5, Informative

    If for some reason it is impossible to download the updated version of
    Winamp, the vendor has informed NGSS that it is possible to disable the
    handling of Fasttracker 2 module files by taking the following steps:

    1. Right click the Winamp player, go to 'Options' and then to
    'Preferences...'.

    2. In the new window which loads, go to 'Plug-ins' and 'Input'.

    3. Look for the input plug-in items 'Nullsoft Module Decoder' and double
    click it to bring up the 'Nullsoft Module Decoder Preferences' window.

    4. Select the 'Fasttracker 2' loader and deselect the 'Enabled' checkbox to
    the right of the loaders list.

    5. Close all of the option windows and return to the main player.

  17. Re:xm? by understyled · · Score: 5, Informative

    back before mp3 was an option MODs were the shit. XM in particular had numerous things going for the format, including a nicely designed tracker (Fasttracker 2). I was into modding and tracking myself, but i stuck to Impulse Tracker. both programs are quite similar.. but to answer your question, is this a widely used format? it was. the digital music archive has numerous xm songs, if you're an unbeliever. i'm sure google has something to say about XM too.

    --
    Sig (appended to the end of comments you post, 120 chars)
  18. Re:Where's my patched 2.9x? by F452 · · Score: 5, Informative

    Or you can follow the instructions at http://www.nextgenss.com/advisories/winampheap.txt to disable xm at a lower layer. (This is from a link from the techworld article.)

  19. Third Party Software Sucks by Mordack · · Score: 5, Funny

    Crap like this is why you should never use third party software like Winamp. Stick with Microsoft's line of quality products and you'll be safe.

    Seriously, just look at the time it took to fix this bug. I could almost read the entire headline before the fix. The bug took as long to fix as to read the comma between "Discovered" and "Patched". I expect better from Third Party software.

    Until Third Party software is able to show they care about their products I can only recommend that you stick with 100% Microsoft Approved Solutions.

    --
    I don't need no stinkin' sig!
  20. More than a security fix by superyooser · · Score: 4, Informative
    Many small bug fixes and improvements are included in this new version (5.03) just from 5.02. Also interesting is that they removed AOD (those annoying AOL On Desktop links) from the installer.
    * fixed a crash bug when playing some AVI files in in_dshow
    * added multimedia keyboard keys in global hotkeys default configuration
    * added "Manual playlist advance" in Repeat button popup menu in Classic mode
    * improvements in MP3 encoder configuration (added --alt-preset standard, etc...)
    * made the tabs in the preferences XP correctly themed under Windows XP
    * revamped the Media Library preferences a bit
    * new experimental WMA9 input plugin
    * gen_jumpex updates from DrO
    * added "Nuke library" action in Media Library
    * more upside down videos fixes
    * fixed crash if a plugin generated a pledit wm_windowposchanged on shutdown
    * fixed crash exploit in in_mod (thanks Peter Winter-Smith)
    * fixed various crashes in in_midi when playing invalid files
    * made in_midi store its settings in winamp.ini instead of the registry
    * fixed error during installation on computers with chinese/oriental regional settings
    * removed AOD from installer
    * added Shift-R to toggle manual playlist advance
    * updated VP6 video decoder to latest VP6.2 code
    * fixed crash when launching winamp with very long filenames from explorer
    * made registration dialog to appear in Explorer's taskbar when installing pro version
    * fixed pledit/video windows showing up at startup when minimized
    * modern skins updates :
      - winamp modern skin now uses a 3 state repeat button: no repeat/repeat all/repeat track
      - added application desktop toolbars capabilities for layouts, add appbar="left|top|right|bottom" to use them
      - upped maki binary version, improved stack protection
      - current skin version number is 1.2 (this should not change for a long while now, and of course we continue to support 0.8 to 1.1)
      - (very) limited maki debugger (for now you can bring it up with invokeDebugger(); in a script then use 'x' to continue and 'i' to trace into)
      - fixed obscure capture problem with dragging windows
      - fixed rectrgn being forced to 1 in xml xuiobject buttons that are originally imageless
      - fixed hilited state not on after clicking on buttons while the mouse stays in area
      - fixed scripted onEnterArea/onLeaveArea not being always correctly called while mouse button stays down
      - fixed getToken being passed NULL throwing guru
      - fixed clipping of painting within the background's region of a group rather than within the composed region (the one you can change with sysregion)
      - fixed image cache problem when using the same bitmap as a map and a button image parameter
  21. Fix for winamp 2.91 by C32 · · Score: 4, Informative

    Just do a minimal install of 5.03 (without letting it integrate into the shell, etc) and copy the new in_mod.dll from /winamp5dir/plugins to /winamp2.91/plugins..

    While you're at it; all the new and updated input plugins (in_mp3, in_midi, etc) seem to work just fine in 2.91.

  22. Re:Aha! by JofCoRe · · Score: 4, Informative

    Holy shit! Here's a reason not to upgrade:

    in requirements:
    500MHz Pentium III or comparable

    One of the systems that I use winamp on is a Pentium-133 laptop that sits on my entertainment center and plays mp3's thru my stereo.

    Why does it take a PIII-500 to play mp3's? It seems to be working fine on the p133 right now. Seems to me like too much extra bloat...

    --

    Place sig here.
  23. Re:Upgrade to version 1.45 by moosesocks · · Score: 4, Insightful

    Spyware and bloat???

    Winamp certainly does not have spyware included in it! Real, MusicMatch and others may, but winamp has a very clean reputation. Since they're owned by AOL, an AOL icon is placed on your desktop (although the last time I used it, the installer actually PROMPTED you if you wanted it there!).

    Winamp had bloat problems with version 3. It sucked. Everyone who's involved with winamp, even the developers, acknowledges this. Winamp 5 is MUCH better. With 'new' skins enabled, it takes up slightly more than winamp 2 (which didn't support 'new' skins). Disabling the skins results in winamp 5 occupying LESS ram than winamp 2. This is quite an accomplishment, as winamp 2 has been around for many years. Any modern windows PC should be able to run it without a problem. Very few programs can make this claim any more.

    If your computer can't spare the 5mb or so that winamp5 takes up, you need to consider an upgrade!

    --
    -- If you try to fail and succeed, which have you done? - Uli's moose