Slashdot Mirror


Winamp Skin Exploit in the Wild

An anonymous reader writes "Secunia.com has announced an exploit (derived from xml escaping the Internet zone into IE's local zone) that exploits Winamp's habit of automatically installing skins. Currently all versions of Winamp are affected. Details on the Winamp forums - apparently an exploit is already in the wild, and spreading."

8 of 397 comments

  1. Simple solutions by JLSigman · · Score: 5, Informative

    Don't get your skins from anyone but WinAMP.

    OR

    Don't use skins at all.

    --
    -jls
    Techno-pagan
    1. Re:Simple solutions by _Sprocket_ · · Score: 5, Informative


      Don't get your skins from anyone but WinAMP.


      That would be fine advice if the victims knew they were downloading a Winamp skin. The link, however, looks like it is an image file:
      http://socold.de/stuff/schnappi_death.jpg <----- LOOOOOOOOOOOOOOOOOOOOL
      Going clicky-clicky (or otherwise following the link) executed a PHP script which would serve up a Winamp skin. Since many users have their browsers automagically handle Winamp skins, it would immediately get handed off to Winamp to execute. The skin linked to several files that eventually called an executable within the skin package which in turn loaded one's mIRC client with a script that spat out the above message.

      The victims probably didn't know what hit them.
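
The mismatch described in the comment above (a link ending in .jpg that delivers a skin package with an executable inside) is something a proxy or download scanner can check for. This is an added example, not part of the original thread; it assumes skin packages are ZIP archives, and the URL, MIME type and file names in it are constructed.

```python
import io
import zipfile
from urllib.parse import urlparse

# Leading magic bytes for the image types a link extension may claim.
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8",
}
ZIP_MAGIC = b"PK\x03\x04"
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".pif")

def inspect_download(url, content_type, body):
    """Return a list of findings for one HTTP response (empty list = nothing flagged)."""
    findings = []
    ext = urlparse(url).path.rsplit(".", 1)[-1].lower()
    expected = MAGIC.get(ext)
    if expected and not body.startswith(expected):
        findings.append(f"URL claims .{ext} but body is not a {ext} file")
    if expected and not content_type.lower().startswith("image/"):
        findings.append(f"URL claims .{ext} but Content-Type is {content_type}")
    if body.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(body)) as archive:
                for name in archive.namelist():
                    if name.lower().endswith(EXECUTABLE_EXT):
                        findings.append(f"archive contains executable: {name}")
        except zipfile.BadZipFile:
            findings.append("body starts with ZIP magic but is not a readable archive")
    return findings

def build_sample_skin():
    """Constructed sample: a ZIP holding a placeholder XML and a stand-in .exe (plain text)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("skin.xml", "<skin/>")
        archive.writestr("payload/run.exe", b"not a real program")
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed response: image-looking URL, assumed skin MIME type, ZIP body.
    for line in inspect_download("http://example.invalid/picture.jpg",
                                 "interface/x-winamp3-skin", build_sample_skin()):
        print(line)
```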
  2. Fixes... by xdeadbeef · · Score: 5, Informative
    • Use Firefox as your default browser (which won't auto-launch skins), or...
    • don't install modern skin support in Winamp (or delete plugins\gen_ff.dll if you already have it installed), or...
    • get Winamp 5.05 when it comes out in a day or two.
  3. Winamp Unlimited Has The Full Report by lotsofno · · Score: 5, Informative

    Winamp Unlimited has a friendly summary on how the worm infects the user, as well as steps one can take to avoid being infected.

    This is also worth noting: "The Nullsoft team have already implemented a patch for this exploit, which will be included in a very-near future release, 5.04a or 5.05. This next version is already in its third beta stage, and will include several other unrelated changes/fixes."

  4. Re:All versions are affected? by Will+Fisher · · Score: 5, Informative

    Winamp 2 is NOT affected. Winamp 5 Lite is also NOT affected.

    If you unchecked "Modern Skin Support" in the installer you are also NOT affected.

    You can even remove Modern Skin Support just by renaming Program Files\Winamp\Plugins\gen_ff.dll to gen_ff.dll.old. This will remove the exploit.

    If you fix this way, you will only be able to use classic skins.

  5. Re:All versions are affected? by lotsofno · · Score: 5, Informative

    What many people don't realize is that Winamp 5 IS Winamp 2 (Check out this article.). It's the same code, but with extra plug-ins bundled in. The user can choose which plug-ins or features he wants to include or not include when installing. So I'm not sure how you could call the application bloated when the app installs only what the user feels he or she needs.

  6. Re:Assistance for the clueless by gwernol · · Score: 5, Informative

    I'm an idiot--I don't get it. Can anybody help?

    Flensing means to remove the skin from something.

    --
    Sailing over the event horizon
  7. Re:Mozilla by Anonymous Coward · · Score: 5, Informative

    This isn't an IE exploit. It can affect Firefox too if you're not careful. It's entirely a Winamp exploit, cause even in Firefox it will prompt you to download the file, and open it... if you open it, you're affected. :/

    The link is dead now, but I'm guessing the exe file just looks to see if mIRC is running, and gets the path, and extracts+runs some mIRC scripts. Classic trojan technique. Really not terribly difficult to make.

    ^^^
    taken from Winamp Forums.

    So does it matter?