Winamp Skin Exploit in the Wild

An anonymous reader writes "Secunia.com has announced an exploit (derived from xml escaping the Internet zone into IE's local zone) that exploits Winamp's habit of automatically installing skins. Currently all versions of Winamp are affected. Details on the Winamp forums - apparently an exploit is already in the wild, and spreading."

yet another way...

[ryane67]

to compromise a system..

Luckily the masses of windows users are content to use windows media player which should slow the spread of this.

Re:yet another way...

[black+mariah]

What can you do?

Well, when I'm dictator it will be legal to punch people in the face for doing stupid shit like that. Ought to help out a bit. Imagine a technician comes to your home, you tell them what's wrong and what you did... WHAM! A nice fist in the face. Hell of a deterrent, that.

Damn you Britney!

[ZipR]

I knew that your oh-so-sexy winamp skin would be my downfall.

Mozilla

[linuxci]

One of the winamp betas had the option to use the mozilla engine rather than the IE one. Shame they never spent more time on this feature then they could easily tell people they could fix this exploit by turning off the MS Engine.

Re:Mozilla

This isn't a IE exploit. It can affect Firefox too if your not carefull. It's entirly an Winamp exploit, cause even in firefox it will prompt you to download the file, and open it... if you open it, you're affected. :/

The link is dead now, but I'm guessing the exe file just looks to see if mIRC is running, and gets the path, and extracts+runs some mIRC scripts. Classic trojan technique. Really not terribly difficult to make.

^^^
taken from Winamp Forums.

So does it matter?

Further evidence that skinning is stupid

[pestie]

Seems to me I was just bitching about skinning and mentioned that security holes were one possible (but unlikely) down-side. I love when the universe makes my point for me.

Simple solutions

[JLSigman]

Don't get your skins from anyone but WinAMP.

OR

Don't use skins at all.

Re:Simple solutions

[_Sprocket_]

Don't get your skins from anyone but WinAMP.

That would be fine advise if the victims knew they were downloading a Winamp skin. The link, however, looks like it is an image file:

http://socold.de/stuff/schnappi_death.jpg <----- LOOOOOOOOOOOOOOOOOOOOL

Going clicky-clicky (or otherwise following the link) exacuted a PHP script which would serve up a winamp skin. Since many users have their browsers automagically handle Windamp skins, it would immediately get handed off to Winamp to execute. The skin linked to several files that eventually called an executable within the skin package which in turn loaded one's mIRC client with a script that spat out the above message.

The victims probably didn't know what hit them.

Fixes...

[xdeadbeef]

• Use Firefox as your default browser (which won't auto-launch skins), or...
• don't install modern skin support in winamp (or delete plugins\gen_ff.dll if you already are installed), or...
• get winamp 5.05 when it comes out in a day or two.

Re:Fixes...

[Thrymm]

Amen! I use it to play music, I dont look at the damn thing. I know some people love skins, for me I dont need it, just need to hear the music not see the colors!

Winamp Unlimited Has The Full Report

[lotsofno]

.

Winamp Unlimited has a friendly summary on how the worm infects the user, as well as steps one can take to avoid being infected.

This is also worth noting: "The Nullsoft team have already implemented a patch for this exploit, which will be included in a very-near future release5.04a or 5.05. This next version is already in its third beta stage, and will include several other unrelated changes/fixes."

Re:All versions are affected?

[Will+Fisher]

Winamp 2 is NOT affected. Winamp 5 Lite is also NOT affected.

If you unchecked "Modern Skin Support" in the installer you are also NOT affected.

You can even remove Modern Skin Support just by renaming Program Files\Winamp\Plugins\gen_ff.dll to gen_ff.dll.old. This will remove the exploit.

If you fix this way, you will only be able to use classic skins.

Re:All versions are affected?

[lotsofno]

.
What many people don't realize is that Winamp 5 IS Winamp 2 (Check out this this article.). It's the same code, but with extra plug-ins bundled in. The user can choose which plug-ins or features he wants to include or not include when installing. So I'm not sure how you could call the application bloated when the app installs only what the user feels he or she needs.

Skinning is Worth It

Having to periodically wipe your system and reinstall from backups is a small price to pay for the ability to have your apps look like real equipment.

I mean, WinAmp can actually look like different kinds of real CD players! Can you believe that? It can look like all sorts of things; it doesn't have to look like a rectangular window at all. That just rocks! You can even change the way it looks at runtime! You can download whole new looks! Man, that is too cool.

Kudos to those guys. This is the kind of thing that really makes computing fun.

Expect these to grow more common...

[hanssprudel]

Now that people have started to use firewalls, and the risk of worms and rootkits that infect through open, exploitable, holes grows smaller, it is time to expect more and more exploits to follow alternative vectors.

Note how many buffer-overflow exploits there have been in server daemons. Well, there is no reason to believe that servers are any worse written with regards to input than client applications - quite the contrary actually.

People think they are safe with a firewall. But I'm willing to bet there are undiscovered exploits in just about every application they run. WinZip? WinAMP? Acrobat Reader? Media player? Anything that handles files received over the Internet is potentially a vector for viruses and possibly worms.

This time it was bad escaping, which made the exploit trivial, but there a buffer overflow would have served just as well. Neither firewalls nor anti-virus software will protect you.

Re:Assistance for the clueless

[gwernol]

I'm an idiot--I don't get it. Can anybody help?

Flensing means to remove the skin from something.

Dumb Question

[ewhac]

For what possible purpose does a skin -- which is essentially nothing more than graphical elements -- need to invoke the browser?

WTF? Seriously, help me out here. I've only been a programmer for 25 years, so I may not understand the deeply compelling reasons driving such a design decision.

Schwab

Re:Am I the only one...

[telstar]

I dunno, but I like posts whose entire message changes if you neglect to read the subject.

Is calculator safe?

[rs79]

In related news, our editors today learned of the calc_virus; remote explotation of Windows Calculator utility is possible and attackers can gain access to your machine via this program. The announcment that MS recommends you use an abacus was heralded as a remarkable advance in system security