Slashdot Mirror
Winamp Skin Exploit in the Wild
An anonymous reader writes "Secunia.com has announced an exploit (derived from xml escaping the Internet zone into IE's local zone) that exploits Winamp's habit of automatically installing skins. Currently all versions of Winamp are affected. Details on the Winamp forums - apparently an exploit is already in the wild, and spreading."
Don't get your skins from anyone but WinAMP.
OR
Don't use skins at all.
-jls
Techno-pagan
The Securia.com link in the profile says that only Winamp 3.x and 5.x. But doesn't mention 2.x... the vast majority of Winamp users I know don't use 3.x or 5.x due to the massive feature bloat.
Is 2.x actually susceptible or is the submitter incorrect?
sig.
Yeah, I remember that option. Funny, it never worked. I'm still not sure if it was Nullsoft's fault, or if moz embedding is just flaky. I can't really think of any apps I have that embed Gecko - it's all pretty much IE these days.
using namespace slashdot;
troll::post();
"I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
.
Winamp Unlimited has a friendly summary on how the worm infects the user, as well as steps one can take to avoid being infected.
This is also worth noting: "The Nullsoft team have already implemented a patch for this exploit, which will be included in a very-near future release5.04a or 5.05. This next version is already in its third beta stage, and will include several other unrelated changes/fixes."
I'm an idiot--I don't get it. Can anybody help?
Flensing means to remove the skin from something.
Sailing over the event horizon
This isn't a IE exploit. It can affect Firefox too if your not carefull. It's entirly an Winamp exploit, cause even in firefox it will prompt you to download the file, and open it... if you open it, you're affected. :/
The link is dead now, but I'm guessing the exe file just looks to see if mIRC is running, and gets the path, and extracts+runs some mIRC scripts. Classic trojan technique. Really not terribly difficult to make.
^^^
taken from Winamp Forums.
So does it matter?
Yes.
0 93
http://http//www.crackbaby.com/article.php?sid=10
Not tried it myself yet, but it replaces all calls to IE with calls to the browser of your choice.
Moderation Total: -1 Troll, +3 Goat
Who the fuck uses the crappy bloated recourse hog that is 5.x anyway.... ah Internet Explorer users.
5.x playing in the background using 0% CPU and under 6mb of RAM... about what 2.x uses... with a feature-set comparable to iTunes without the huge iTunes resource overhead, 3 installed services, etc, etc. A "lightweight" media player like foobar2000 is ~1% CPU and 11mb RAM.
Portable versions of Firefox, GIMP, LibreOffice, etc
A skin invokes the browser because Microsoft's got this tasty-looking rich-text, GUI, and graphics layout and rendering engine that they decided about seven years ago needed to be a core part of the OS. Which is all well and good, but it's not just a rich-text rendering engine, it's pretty much all of Internet Explorer but the window decorations and preferences utility.
They did this not because it's a good idea for every application to have internet access and rich scripting with only a token sandbox about the potentially untrusted data they're displaying, but because they wanted to keep the DoJ from forcing them to compete with other companies that were producing web browsers.
My response at the time was to ban the use of IE, Outlook, and any other application that I could think of or that I found out about that was using this component to view untrusted documents. Well, I didn't ban them directly, I talked our CEO into it. I figured that most IT administrators and managers would do the same, because this was obviously just asking for trouble (I didn't know what trouble it would cause, but I knew it was asking for it). Then, when Melissa hit a little while later, I figured THAT would finally be enough to get people to ban these "typhoid mary" applications. I mean, anyone could tell this was doomed.
Boy, was I naive. I forgot that people who haven't worked on computer security aren't nearly paranoid enough. I expect that on the 10th anniversary of the integration of IE with the desktop people will still believe Microsoft when they say they're serious about security this time.
And I never would have imagined that Apple would follow suit and use the same LaunchServices for local applications opening things like help files and for web browsers to run plugins, helper apps, and so on...
For the love of god, people, get on the horn to Microsoft, and Apple, and the folks at Mozilla.org who are still using these inherently broken APIs themselves (yes, Firefox has been demonstrated to respond to a couple of the same exploits). Tell them that ENOUGH is ENOUGH. You can't fix this with better heuristics, you can only fix it by making the sandbox unconditional... seperate the display code and the access code and give each application a choice of bindings (at the VERY least, 'this is the binding for trusted documents, this is the binding for untrusted documents, and this is the binding for you specifically').
Foobar does
http://www.foobar2000.org/
Handy, simple, small, and will go straight to the system tray.
-Doug
not quite. It's a cross browser problem because whatever browser you use will pass the .wsz or .wal straight to winamp. But the embedded browser in winamp (which is IE) executes an .exe that's included within the .wsz archive because it thinks it's being run from the local zone instead of the Internet Zone. Therefore it's a bug in IE and Windows (and winamp).
The bug isn't that the browser passes the file to the correct handler app, but that the app itself executes code it shouldn't.
The Romans didn't find algebra very challenging, because X was always 10