Slashdot Mirror

← Back to Stories (view on slashdot.org)

Winamp Skin Exploit in the Wild

Posted by ryuzaki0 on from the even-skins-are-dangerous-now dept.

An anonymous reader writes "Secunia.com has announced an exploit (derived from xml escaping the Internet zone into IE's local zone) that exploits Winamp's habit of automatically installing skins. Currently all versions of Winamp are affected. Details on the Winamp forums - apparently an exploit is already in the wild, and spreading."

35 of 397 comments (clear)

  1. yet another way... by ryane67 · · Score: 5, Funny

    to compromise a system..

    Luckily the masses of windows users are content to use windows media player which should slow the spread of this.

    --
    ?SYNTAX ERROR IN LINE 42
    1. Re:yet another way... by BoldAC · · Score: 4, Insightful

      Yet another way?

      Seems like the same old crap to me...

      You convince some sucker to download and load something that isn't what it says it is. We've reported aim exploits that hide themselves as screensavers recently.

      It's a major security problem when a program blindly executes something. Period.

      It's a major security problem when people download untrusted winamp skins on IRC.

      What can you do?

    2. Re:yet another way... by black+mariah · · Score: 5, Funny
      What can you do?
      Well, when I'm dictator it will be legal to punch people in the face for doing stupid shit like that. Ought to help out a bit. Imagine a technician comes to your home, you tell them what's wrong and what you did... WHAM! A nice fist in the face. Hell of a deterrent, that.
      --
      'Standards' in computing only impress those who are impressed by things like 'standards'.
  2. Damn you Britney! by ZipR · · Score: 5, Funny

    I knew that your oh-so-sexy winamp skin would be my downfall.

  3. Mozilla by linuxci · · Score: 5, Insightful

    One of the winamp betas had the option to use the mozilla engine rather than the IE one. Shame they never spent more time on this feature then they could easily tell people they could fix this exploit by turning off the MS Engine.

    1. Re:Mozilla by JanusFury · · Score: 4, Informative

      Yeah, I remember that option. Funny, it never worked. I'm still not sure if it was Nullsoft's fault, or if moz embedding is just flaky. I can't really think of any apps I have that embed Gecko - it's all pretty much IE these days.

      --
      using namespace slashdot;
      troll::post();
    2. Re:Mozilla by Anonymous Coward · · Score: 5, Informative

      This isn't a IE exploit. It can affect Firefox too if your not carefull. It's entirly an Winamp exploit, cause even in firefox it will prompt you to download the file, and open it... if you open it, you're affected. :/

      The link is dead now, but I'm guessing the exe file just looks to see if mIRC is running, and gets the path, and extracts+runs some mIRC scripts. Classic trojan technique. Really not terribly difficult to make.

      ^^^
      taken from Winamp Forums.

      So does it matter?

    3. Re:Mozilla by unixbob · · Score: 4, Informative

      not quite. It's a cross browser problem because whatever browser you use will pass the .wsz or .wal straight to winamp. But the embedded browser in winamp (which is IE) executes an .exe that's included within the .wsz archive because it thinks it's being run from the local zone instead of the Internet Zone. Therefore it's a bug in IE and Windows (and winamp).

      The bug isn't that the browser passes the file to the correct handler app, but that the app itself executes code it shouldn't.

      --
      The Romans didn't find algebra very challenging, because X was always 10
  4. Can I name the worm?? by Lux · · Score: 4, Funny

    I propose "flensing."

  5. Further evidence that skinning is stupid by pestie · · Score: 5, Funny

    Seems to me I was just bitching about skinning and mentioned that security holes were one possible (but unlikely) down-side. I love when the universe makes my point for me.

  6. Am I the only one... by psoriac · · Score: 4, Interesting

    who unchecks every option in any program I install that begins with "Automatically [check for/download] and install ..."?

    --
    I browse Slashdot at +3, Funny
    1. Re:Am I the only one... by telstar · · Score: 5, Funny

      I dunno, but I like posts whose entire message changes if you neglect to read the subject.

  7. Simple solutions by JLSigman · · Score: 5, Informative

    Don't get your skins from anyone but WinAMP.

    OR

    Don't use skins at all.

    --
    -jls
    Techno-pagan
    1. Re:Simple solutions by _Sprocket_ · · Score: 5, Informative


      Don't get your skins from anyone but WinAMP.

      That would be fine advise if the victims knew they were downloading a Winamp skin. The link, however, looks like it is an image file:
      http://socold.de/stuff/schnappi_death.jpg <----- LOOOOOOOOOOOOOOOOOOOOL
      Going clicky-clicky (or otherwise following the link) exacuted a PHP script which would serve up a winamp skin. Since many users have their browsers automagically handle Windamp skins, it would immediately get handed off to Winamp to execute. The skin linked to several files that eventually called an executable within the skin package which in turn loaded one's mIRC client with a script that spat out the above message.

      The victims probably didn't know what hit them.
  8. All versions are affected? by httpamphibio.us · · Score: 4, Informative

    The Securia.com link in the profile says that only Winamp 3.x and 5.x. But doesn't mention 2.x... the vast majority of Winamp users I know don't use 3.x or 5.x due to the massive feature bloat.

    Is 2.x actually susceptible or is the submitter incorrect?

    --
    sig.
    1. Re:All versions are affected? by Will+Fisher · · Score: 5, Informative

      Winamp 2 is NOT affected. Winamp 5 Lite is also NOT affected.

      If you unchecked "Modern Skin Support" in the installer you are also NOT affected.

      You can even remove Modern Skin Support just by renaming Program Files\Winamp\Plugins\gen_ff.dll to gen_ff.dll.old. This will remove the exploit.

      If you fix this way, you will only be able to use classic skins.

    2. Re:All versions are affected? by lotsofno · · Score: 5, Informative

      .
      What many people don't realize is that Winamp 5 IS Winamp 2 (Check out this this article.). It's the same code, but with extra plug-ins bundled in. The user can choose which plug-ins or features he wants to include or not include when installing. So I'm not sure how you could call the application bloated when the app installs only what the user feels he or she needs.

  9. All Versions? by (54)T-Dub · · Score: 4, Informative
    I know that a lot of us "old school" winamp users still use the classic winamp lite v2.81 [plug] I much lighter version of the software[/plug]. The article states that it affects:
    • WinAMP 3.x
    • Winamp 5.x
    --

    "I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
  10. Redmond school of engineering by Rosco+P.+Coltrane · · Score: 4, Interesting

    Program skins with "browser tags" and "embedded xml"? sheesh, what next, word processor documents that have executable code inside?

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  11. Fixes... by xdeadbeef · · Score: 5, Informative
    • Use Firefox as your default browser (which won't auto-launch skins), or...
    • don't install modern skin support in winamp (or delete plugins\gen_ff.dll if you already are installed), or...
    • get winamp 5.05 when it comes out in a day or two.
    1. Re:Fixes... by Thrymm · · Score: 5, Insightful

      Amen! I use it to play music, I dont look at the damn thing. I know some people love skins, for me I dont need it, just need to hear the music not see the colors!

  12. Winamp Unlimited Has The Full Report by lotsofno · · Score: 5, Informative

    .

    Winamp Unlimited has a friendly summary on how the worm infects the user, as well as steps one can take to avoid being infected.

    This is also worth noting: "The Nullsoft team have already implemented a patch for this exploit, which will be included in a very-near future release5.04a or 5.05. This next version is already in its third beta stage, and will include several other unrelated changes/fixes."

  13. Skinning is Worth It by Anonymous Coward · · Score: 5, Funny
    Having to periodically wipe your system and reinstall from backups is a small price to pay for the ability to have your apps look like real equipment.

    I mean, WinAmp can actually look like different kinds of real CD players! Can you believe that? It can look like all sorts of things; it doesn't have to look like a rectangular window at all. That just rocks! You can even change the way it looks at runtime! You can download whole new looks! Man, that is too cool.

    Kudos to those guys. This is the kind of thing that really makes computing fun.

  14. Expect these to grow more common... by hanssprudel · · Score: 5, Interesting


    Now that people have started to use firewalls, and the risk of worms and rootkits that infect through open, exploitable, holes grows smaller, it is time to expect more and more exploits to follow alternative vectors.

    Note how many buffer-overflow exploits there have been in server daemons. Well, there is no reason to believe that servers are any worse written with regards to input than client applications - quite the contrary actually.

    People think they are safe with a firewall. But I'm willing to bet there are undiscovered exploits in just about every application they run. WinZip? WinAMP? Acrobat Reader? Media player? Anything that handles files received over the Internet is potentially a vector for viruses and possibly worms.

    This time it was bad escaping, which made the exploit trivial, but there a buffer overflow would have served just as well. Neither firewalls nor anti-virus software will protect you.

  15. Re:Assistance for the clueless by gwernol · · Score: 5, Informative

    I'm an idiot--I don't get it. Can anybody help?

    Flensing means to remove the skin from something.

    --
    Sailing over the event horizon
  16. Dumb Question by ewhac · · Score: 5, Interesting

    For what possible purpose does a skin -- which is essentially nothing more than graphical elements -- need to invoke the browser?

    WTF? Seriously, help me out here. I've only been a programmer for 25 years, so I may not understand the deeply compelling reasons driving such a design decision.

    Schwab

    --
    Editor, A1-AAA AmeriCaptions
    1. Re:Dumb Question by argent · · Score: 4, Informative

      A skin invokes the browser because Microsoft's got this tasty-looking rich-text, GUI, and graphics layout and rendering engine that they decided about seven years ago needed to be a core part of the OS. Which is all well and good, but it's not just a rich-text rendering engine, it's pretty much all of Internet Explorer but the window decorations and preferences utility.

      They did this not because it's a good idea for every application to have internet access and rich scripting with only a token sandbox about the potentially untrusted data they're displaying, but because they wanted to keep the DoJ from forcing them to compete with other companies that were producing web browsers.

      My response at the time was to ban the use of IE, Outlook, and any other application that I could think of or that I found out about that was using this component to view untrusted documents. Well, I didn't ban them directly, I talked our CEO into it. I figured that most IT administrators and managers would do the same, because this was obviously just asking for trouble (I didn't know what trouble it would cause, but I knew it was asking for it). Then, when Melissa hit a little while later, I figured THAT would finally be enough to get people to ban these "typhoid mary" applications. I mean, anyone could tell this was doomed.

      Boy, was I naive. I forgot that people who haven't worked on computer security aren't nearly paranoid enough. I expect that on the 10th anniversary of the integration of IE with the desktop people will still believe Microsoft when they say they're serious about security this time.

      And I never would have imagined that Apple would follow suit and use the same LaunchServices for local applications opening things like help files and for web browsers to run plugins, helper apps, and so on...

      For the love of god, people, get on the horn to Microsoft, and Apple, and the folks at Mozilla.org who are still using these inherently broken APIs themselves (yes, Firefox has been demonstrated to respond to a couple of the same exploits). Tell them that ENOUGH is ENOUGH. You can't fix this with better heuristics, you can only fix it by making the sandbox unconditional... seperate the display code and the access code and give each application a choice of bindings (at the VERY least, 'this is the binding for trusted documents, this is the binding for untrusted documents, and this is the binding for you specifically').

  17. Re:School must've just gotten out. by machine+of+god · · Score: 4, Funny

    I notice the average vocabularical IQ drops about 50 points once 3pm EST hits.

    vocabularical.

    I believe you were saying something?

  18. revenge by bersl2 · · Score: 4, Funny

    I'm pretty sure the llama is tired of getting its ass whipped.

  19. How to fix IE, Safari, and everything else... by argent · · Score: 4, Insightful

    ANY library that works like the Microsoft HTML control (this is what Microsoft calls all the non-trivial bits of Internet Explorer... the IE application is just a thin wrapper around this) is at risk for exploitation. The only way to be sure that nobody's going to break out of your sandbox is to make sure that the application that creates the sandbox is the application that controls access from the sandbox, and that any helper applications it calls unconditionally implement their own sandboxes.

    If you use the *same* application, API, or application binding (eg, the file type bindings used by the desktop and the MS HTML control, or Apple's LaunchServices) for both sandboxed and trusted objects, then you open up the possibility that an untrusted object will look like a trusted object, or that an untrusted object will be passed to a handler that isn't inherently safe.

    Apple blew this with launchServices, and they still haven't really fixed the underlying problem. But they've only been in denial a few months, whereas Microsoft has been in denial about this for seven years, so let's look at Microsoft...

    Let's suppose the HTML control was split up, so it only did rendering. Whenever it wanted to open a file, open a URL, run a script, load a plug-in, it would ask the parent application "what do I do about a CHM file" or "what do I do about <script language=vbscript>". You'd have an "HTML-only control" and a "Web Access control" and IE would be a very slightly thicker wrapper around both.

    So then you register "Word Viewer"[1] with Outlook and IE as the helper application for Word documents, and "Word" with Windows Explorer as the helper application for trusted Word documents. If this was done, then Outlook (which would be a sandboxing application in this model) would open "Word Viewer" for untrusted documents.

    Viola, no more email-spread Word macro viruses.

    Similarly, Outlook would decline to run VBscript, and IE would decline to run the Windows Update plugin... you'd have a Windows Update program that was a thin shell around the HTML-only control... one that only opened windows update.

    Microsoft could have their cake and eat it too, and EVERYONE would have a more secure and less spammy environment.

  20. Re:Skinny Dipping by MrNemesis · · Score: 4, Informative

    Yes.

    http://http//www.crackbaby.com/article.php?sid=100 93

    Not tried it myself yet, but it replaces all calls to IE with calls to the browser of your choice.

    --
    Moderation Total: -1 Troll, +3 Goat
  21. Re:Winamp 2.xx..... by CritterNYC · · Score: 4, Informative

    Who the fuck uses the crappy bloated recourse hog that is 5.x anyway.... ah Internet Explorer users.

    5.x playing in the background using 0% CPU and under 6mb of RAM... about what 2.x uses... with a feature-set comparable to iTunes without the huge iTunes resource overhead, 3 installed services, etc, etc. A "lightweight" media player like foobar2000 is ~1% CPU and 11mb RAM.

    --
    Portable versions of Firefox, GIMP, LibreOffice, etc
  22. Is calculator safe? by rs79 · · Score: 5, Funny

    In related news, our editors today learned of the calc_virus; remote explotation of Windows Calculator utility is possible and attackers can gain access to your machine via this program. The announcment that MS recommends you use an abacus was heralded as a remarkable advance in system security

    --
    Need Mercedes parts ?
  23. Re:Super-simple MP3 Player by Kurrurrin · · Score: 4, Informative

    Foobar does
    http://www.foobar2000.org/
    Handy, simple, small, and will go straight to the system tray.

    --
    -Doug
  24. Foo! by ralphus · · Score: 4, Insightful

    Why are you geeks worried? Shouldn't you be using Foobar2000 anyway? It is about 2000 X better than winamp and packed with geek friendly features.

    --
    Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout