Spyware Tunnels in on Winamp Flaw
Andy Philips writes "A security bug in Winamp is being exploited by miscreants to install spyware on machines running the media player software.
"After surfing to a malicious Web site on our test machines, the file 'x.pls' begins to download. Almost immediately, Winamp starts to execute the play list and remote code execution begins," Sunbelt's Adam Thomas wrote in a posting. The Winamp problem affects version 5.12 of the media player. Earlier versions may also be affected."
Once upon a time, I used Winamp.
... etc.
... the hot keys may have still been there but what I was looking for in a media player was not. For some reason, they seemed to think that competing with Windows Media Player meant mimicking it to every detail. Fine. I never want to touch Windows Media Player, it's about as useful as my appendix. And now I feel the same way about Winamp.
And it was good.
It was fairly lightweight, I could load in huge playlists of college-napster-garbage without slowdown and I knew all the hot keys for searching and what not.
Then that llama came into the picture. I think it must have been version three or four (I can't remember) when there was a damned llama or alpaca or whatever in a green field. Now, I love llamas and alpacas, don't get me wrong. The problem was that now Winamp was about "graphix" and "features" that were once plugins that I didn't want.
I don't know why they thought Winamp needed to be able to play videos, but it did now. I don't know why they thought Winamp had to show stupid tripping-on-acid-harmonograph visualizations, but it did now. I don't know why they thought Winamp had to melt songs together, but it did now.
On top of that, the memory footprint in Windows was crazy. And my roommate tried to put skins on Winamp that just made my computer shit its gourd. I was disgusted.
Now there's a spyware flaw in Winamp. Am I surprised? Not really. They have gotten so complicated that there's probably a thousand holes in that application. They definitely lost sight of what I was looking for--a plain jane slim audio player. Winamp's executing a remote method invocation through a playlist that can trigger itself to be automatically loaded and run? Now that sounds like a "feature" I want my audio player to have.
Is this the first time this has happened? Nope, remember the zero day exploit that targeted skins in 2004? There's been a myriad of security issues with Winamp since it became more and more complicated.
"Gee, the way our audio player loads playlists isn't very secure. But it works and the people who use our application aren't interested in security--they're interested in playing AVI files on their audio player!"
So what would I recommend? Well, if you're using Linux, I can think of at least ten things better but XMMS would probably be my favorite. If you're running Windows, I like to use Quintessential Player which can be modified to be as complicated as new Winamp or can be
My work here is dung.
I was wondering why my mp3-collection was suddenly trying to sell me penis-lengthening pills!
...whips your computer's ass, as well as the llama's.
Editor Emeritus and Senior Writer, TeleRead.org
Link to WinAmp Free Player.
Because there is nothing wrong with fucking up your own computer.
There is nothing wrong with telling people how to fuck up their computers as well.
There is however something wrong if you use these tools to automatically fuck up other peoples computers.
liqbase
I know you will all correct me if I'm wrong, but if you don't have the .pls as a trigger for Winamp as a plugin, you're not vulnerable. Just set your browser to do something else with .pls (like offer to download). Or trash the file type association or set it for something other than Winamp.
Or if you're a luddite like me and can't stand plugins, prevent them all from working by commenting out the plugins lines in:
C:\Program Files\Common Files\mozilla.org\GRE\ [version here] \greprefs\all.js
This is assuming you use Mz or FF for web on Windows like a sensible person.
on you setting your browser to automatically using WinAMP for certain filetypes. Just alter or remove the links within your browser (assuming FF)
As usual, nothing to see here...
From ZDNet Asia: The flaw was disclosed on Monday, when Winamp maker Nullsoft, a division of America Online, released an update to fix it. The company posted version 5.13 of Winamp, while Secunia and other security companies issued alerts about the problem. Secunia rated the issue "extremely critical," its highest rating.
Flaw detected and removed. New version of Winamp out. Get the new version. Protected. Not much more difficult than that. Shouldn't there be a "Software Vulnerabilities" section on Slashdot, where these things could be posted?
GetOuttaMySpace - The Anti-Social Network
A legal solution to a technical problem will never work. The involvement of politicians likely won't lead to secure consumer-grade software.
The best thing to do is to use technologies that encourage secure programming. We're talking about garbage collected languages, for instance, that reduce the risks of buffer overflows. And beyond that, start using BSD or Linux rather than Windows. Of course the list goes on and on.
Cyric Zndovzny at your service.
A small plug for the greatest MP3 player in existence, Foobar2000
It's so awesomely customisable, it hurts.
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
More of the same.
Woah, they even got the mighty dot! My quip down the bottom was "System going down in 5 minutes."
Nice work!
Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
It should be noted that no application is secure enough (except some 'Hello World!' implementations). It's not unusual that one should get hotfixes, service packs, etc. to keep one's system (relatively) secure against crackers. If you like winamp, get the update and relax. As other folks said, you may use other applications; mplayer is my favourite one. Of course I run it on Linux.
Isn't this like reporting on something exploiting an old bug in xmms or likewise?
A fixed version of Winamp was released even before any of the mainstream media had published their reports. Isn't this rehashing the same?
Winamp 5.12 and older are vulnerable? Wasn't this the point of the original article? What does this have to offer other than the same old story when it comes to all software? Upgrade to remove those nasty bugs.
I believe you can find the fixed version here; it's been there for a week:
http://www.winamp.com/player/
So this is the sound of the internet crashing? It even comes with a playlist!
The only change I can believe in is what I find in my couch cushions.
Was when that disaster known as Winamp TV came out. Porn site operators found out rather quickly you could incorporate pop-up ads when you connect to their streams. A simple preference change stopped this.
..why there's no screenshots on the website. I just installed the Normal version. Not the prettiest app I've ever seen.
...do we need a clean install, or can we just slap this baby on top of the old one?
As usual something like this immediately conjures up a discussion on whether one should use winamp (with a whole lot of geeks who "used to use it before it got ze bloat").
I just want to point out that I still use it as my primary video and audio player in XP and it's fantastic. For a while there I was skeptical about the bloat, but it's back to its fast operation now.
For audio it is fine, does the job and always has.
For video it is almost as good as VLC. Sometimes it drops the ball and VLC bails me out.
All in all a good product.
This was patched over a week ago, http://www.incidents.org/diary.php?date=2006-01-31 (bottom).
The time from exploit to patch was very fast.
better than the length of time it takes other software developers to release a patch..
http://www.eeye.com/html/research/upcoming/index.
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
anyone know if this is a 5.x problem? I still use 2.91. couldn't find any reliable info anywhere :(
Winamp 5 is essentially just an updated version of Winamp 2 renamed so that it would have a higher number than the trainwreck that was Winamp 3. There's no reason not to upgrade - all the "bloat" (modern skins, video support, media library, whatever) is an install-time option. Even with all the "bloat", I find that so long as I use a classic skin, it's reasonably lightweight. (Modern skins, of course, eat up more CPU/memory).
If you're still using 2.95, you're probably vulnerable to a host of security issues and missing out on a number of useful features (better AAC/mp4 support for one, I believe). I highly recommend upgrading to 5.13.
Maybe this will get your attention as to why the current methods using the embed tag are awful. This tag needs to be deprecated and replaced with something that allows the user more control. This very same method could also be used to exploit vulnerabilities in WMP as well, so it's not as simple as picking a different application.
The user needs to be able to control the behavior of embedded media regardless of the plug-ins installed. No plug-in should be able to override the user's ability to control how embed tags work. It's abused in all kinds of annoying ways. Ever try to visit a site with an embedded QuickTime movie, yet it fails to work on a Mac because the tag points to a Windows application with a specific CLSID? Yeah... Annoying.
What's more is that certain vendors (*cough* Apple *cough*) further encourage this behavior - and thereby purposely put their users at risk - by doing things like burying the actual links to the stream inside a quicktime file that has to be downloaded first.
winamp is still lite, you don't HAVE to install the extra features.
you don't HAVE to install the library,
you don't HAVE to install the modern skin support,
remove those 2 and you're practically using winamp 2.9 with a lot of bug fixes and speedups... so I don't see what all the complaining and whining is about
portfolio
That information would have been useful had WinAmp not told me that version 5.13 was already available. A WEEK AGO!
I don't know what's worse on Slashdot, a dupe, a roland, or old news.
"You'll get nothing, and you'll like it!"
Winamp is now just bloatware. With all the features added to the software, the stability dropped like a rock. I was an avid user until I purchased an iPod and have been using iTunes ever since.
This has absolutely nothing to do with Sunbelt Computer Systems, their PL/B implementation, or PL/B source files (extension .pls). (Oh, the fun I had keeping WinAmp from opening my source code....)
How exactly does this exploit work? What versions of Winamp are affected and which if any are safe?
Do I have to have Winamp open while surfing to be infected? Do I have to actually use Winamp's viewer to get to the infected file to be infected?
Finally, is there such a thing as a competent journalist? I'm starting to think the answer is "no"...
(MRC[?]="onrush")
What kind of lameness is that? This story isn't about the impact on compusavvy tinkering mechanics... it's about the impact on the other millions of people who run Windows and don't know shit.
Your work around sucks, anyway. If you tell the browser to download the .pls file... and then click to play it... and your WinAmp once again goes to work, then you're fucked. But I guess that shows you are one of the millions of people who...
Well, after clicking through to various links to see how this worked, because it isn't clear in this article, I found out this is yet another frikkin javascript exploit. You have to click the link yourself OR just have javascript turned on.
When will people admit that JS is the modern day badguy culprit? Over and over and over again, I don't care what groovy effects you (any of you web devs, talking to YOU) can do with it it's a SECURITY NIGHTMARE. Admit reality! You can't make it secure, if you force your visitors to use JS they will have it turned on all the time, then they go to a bad page and get nailed. How the hell are random surfers supposed to know your pet JS is OK but this other web pages isn't? Huh? You couldn't do it either no matter how leet you think you might be, so why make non coders try to guess? That's what it is, you are forcing people to be psychic in order to surf. It doesn't matter if YOUR page you code is pure as puppies and the driven white snow, you are MAKING your visitors surf insecurely on purpose because you INSIST on them having JS turned on to use your site. Even if they have the various script plugins to ask them, how the hell are they supposed to know BEFORE they click on it? Anti malware software is AFTER THE FACT.
Does anyone know if Winamp 2.91 is vulnerable? Is there anywhere I can download a proof-of-concept to check?
From TFA:
"SpySheriff will display a false warning that the computer is infected with spyware."
Anyone else see the complete irony in that?
While Winamp was indeed improved between versions 3 and 5, I still prefer the 2.x series and XMMS for their no-nonsense approach to music. After all, it's the music we care about. The reasons for winamp's decline are many, but if you watch the developments at Winamp's Nullsoft, it gives you quite a few clues. Winamp's creator Justin Frankel is no longer affiliated with Nullsoft, and if you track the developments leading to his departure, it's quite clear why winamp has suffered as well. When Nullsoft was bought by AOL in 1999, big-corporate philosophies took over and the informal nature of Nullsoft was destroyed. Coincident with this was the bloating of a once great media player. C|NET has an article about Nullsoft and Frankel's departure with some good outside references.
And beyond that, start using BSD or Linux rather than Windows.
Uhh yeah; I'll get right on that. Just as soon as the numbers make any sense at all.
start using bsd or linux LOL... yeah... that's cute.
I installed winamp after I elevated my LUA to an admin, in my profile folder instead of \Program Files\, and then demoted my account. Does this mean that winamp runs now as root? Am I vulnerable?
I just installed the Normal version. Not the prettiest app I've ever seen.
1) It fits in with your current theme, so if you're using the toy Windows XP theme, it's going to look like that.
2) Nobody thinks that's a good answer, so if you want a better-looking foobar you'll need Columns UI (which you get if you downloaded Full) and see the faqs for it. You can get formatting strings here. (Azrael is sexy.)
Guy asked me for a quarter for a cup of coffee. So I bit him.
Winamp is just a backup player for me now. Mostly I use Media Player Classic because it uses AC3Filter to Dolby-Surround decode my MP3s to 5.1.
Arguing about vi versus Emacs is like arguing whether it's better to make fire by rubbing sticks or banging rocks.
Are there more computers running OS X than there are active copies of WinAMP?
If so, why are there currently no OS X viruses yet when we see an active WinAMP exploit?
Food for thought.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
What WinAmp really needs is to be very small in footprint. Two: every, yes, every function should have a keyboard combination interface.
With a keyboard combination for each function, a remote can be made for the Winamp player. Use a photodiode that decodes the 38KHz signal sent from all TV remotes. Feed this signal into a microcontroller that replicates the WinAmp keyboard combinations according to button pressed on the remote. Plug this microcontroller into the PC in parallel with the keyboard (use TTL gate ICs). Now you can use your PC as a music server with a remote. Now all we need is either a laptop with an external keyboard input or a very quiet-low power consumption desktop PC.
But none of this is possible if the programmers don't put a keypress combination for every function of the program.
Anyone have experience with this: Quintessential Player?
Note that it says you can rip CDs at full speed. WinAmp requires you to pay to do that.
I moved to a player with a good media library years ago. Even if that's not for you, consider something like Foobar2000.
Hands in my pocket
I've recently moved over to java-based jlGui
http://www.javazoom.net/jlgui/jlgui.html
http://sourceforge.net/projects/jlgui/
It's cross-platform, portable, (USB thumb drive, anyone?) and it plays local mp3/ogg files, Shoutcast streams (*.pls), and Winamp playlists (*.m3u)
It's great for running at my work where I have a personal network drive that follows me from PC to PC. I never need to install anything... I just double-click the jar file.
I highly recommend giving it a shot if you're sick of updating Winamp all the time.
Once upon a time, a shitty unsafe little language called C was invented.
Its greatest contribution to history has been buffer overflows, overruns,
desguised as useful applications or OSs...
Our beloved C++ could have mended all that, given us a safer higher
level language to program applications with...
http://en.wikipedia.org/wiki/Buffer_overflow
"C and C++ provide no protection against accessing or overwriting data in any part of memory through invalid
pointers; more specifically, they do not check that data written to an array (the implementation of a buffer)
is within the assumed boundaries of that array."
Either we are ALL morons that can't program decent apps or we are being sabotaged by the languages we use?
How come nobody mentioned VLC or Media Player Classic yet?
How many remote exploits for Mac classic OS are out there? If someone had file sharing turned off, are you going to own their machine remotely via some exploit? Go ahead, try and list them. All I have ever seen is exploits that run as clients, not as pwned servers. And it's not like there wouldn't have been serious street cred to have come up with the first Mac classic exploit, because then all the leet Windows and Unix guys could have laughed and laughed for years over it. A few viruses, sure, they exist; outright take over exploits? Ha! yuo f4!l it!
The reason why it never happened is because it was incredibly hard to do. Simple as that. coded and designed to be secure and easier to use than what existed at the time, and it worked. Early Apple failed at marketing, not at coding.
Say what you want about classic, some is real, bad memory management for instance, but lack of inherent default security wasn't one of them. You just plain ain't hacking a Mac classic box unless you are physically sitting at the keyboard when the owner isn't looking.
I've recently moved over to a Hummer-based coin-holder and it carries my two quarters when I walk to the box 50 yards down the street to buy a newspaper.
Wow, you pretty much echoed all of my thoughts in elegant form
I actually still use Winamp 2.73. I keep meaning to upgrade to 2.95, but I guess that'll probably happen next time I buy a computer.
I do find the comments others have made about being able to disable/delete in version 5+ the extra useless crap that was added in version 3, and may actually try that. I did stick version 5 on my computer at work, and I definitely appreciate the fact that I can keep my classic skins.
PS - I believe an alpaca is a particular breed of llama. That is, they are all the same species and can interbreed to produce fertile offspring.
Use Winamp v2.0 then.
There is no reason you have to upgrade.
I hate it when people think because a software product was modified, that they are FORCED to use thus said modifications.
You seem to think the old WinAmp was stable, secure, fast and light weight... SO USE IT.
Modesty is one of life's greatest attributes
It works flawlessly. It's teenie-tiny. It's appealing to look at. . .
Am I missing something here. . ? The only reason I ever go for updates on software is in the hope that an annoying design flaw is fixed, or that a much-needed feature will be added. When I finally load something onto my machine which does exactly what I want, I sigh with relief and then move on to other interests.
I'm fairly certain guys like me are not well liked around the headquarters of Commercialism Inc.
Software doesn't crap out after 2 years of use, but I guess with everybody so well programmed into thinking, "Old=Bad", that even when consumers step into the virtual world, they don't need to own products filled with time-bomb parts designed to fail after a set period. People are kind of chumpy this way. As my grampy used to tell me, "Buy it good, buy it once, learn how to fix it yourself."
Of course, that doesn't mean people shouldn't create new things for the sake of play; Playing means seeing what can be done next, what innovation can be whipped up. Playing is fun. But for computer music players, I don't really care. I have music. It plays. Why all the fuss?
People like to fuss.
-FL
Ok, I use OS Anonymous, there are more OS Anonymous users than Windows Application XYZ users, and no viruses have been made for OS Anonymous (yet). A flaw finally shows up in Application XYZ, and that is just "food for thought" on how secure and great Anonymous OS is?
Why the Anon post?
The point is that many people claim OS X is not a target for virus writers because the numbers are too small. Yet the numbers for Winamp are smaller - so why do we see a virus for Winamp and not for OS X?
The reason it was modded up is not because it says anything about OS X being secure or not. It's an honest question with interesting implications if even lesser used applications on another platform are being used as attack vectors when a whole OS platform itself remains clean. Why?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Alternatively, you can use Coolplayer, cuz it's as lite as it gets. http://coolplayer.sourceforge.net/ And I agree, Winamp2 used to be the best (music) player....
Per Aspera Ad Astra.
You can use C/C++ to do anything you like.
There are still many times when C/C++ is the best choice, sometimes the only high-level choice for some chips.
Your summary of the languages is frankly ridiculous. You forgot to mention that your reasoning might similarly condemn hand-written assembly code as being even more insecure than C, what with JMP #memory_addr, despite _still_ being used in almost every piece of electronics you can buy. You can write bad, insecure code in any language.
If you use a decent toolkit instead of the standard C libraries and you have reasonable time to debug and know how to use the languages properly (e.g. use assert), then you can write stable, efficient software which will still run on machines 10 years old with <= 64Mb RAM (why should basic computer users upgrade their hardware when they only do email, word processing, web browsing?). A worthwhile tradeoff?
In C++ you can have stuff like array bounds checking with the STL or with a toolkit compiled in debug mode.
Also, you might not like seeing a segfault message but with 'safer' languages you might get no message, even though the program had done something wrong.
With a decent OS, i.e. not running everything with full privileges, application buffer overruns aren't of themselves that bad without bad software design; with system services they typically need/want the extra efficiency that C/C++ can provide.
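The Wikipedia quote above (C and C++ do not check that data written to an array stays within its bounds) and the reply about STL bounds checking and assert describe the same defect class in the abstract. The following is an added example, not Winamp's or Nullsoft's code and not a description of the actual 5.12 bug: a small .pls playlist parser in C++ that keeps every value in a std::string, rejects over-long values instead of truncating them, and returns entries in a std::vector so callers can use at(), which throws on a bad index rather than corrupting memory. The 260-byte "legacy buffer" size, the sample playlist and the oversized playlist are all constructed for this illustration; wouldOverflowLegacyBuffer only computes whether a fixed-buffer strcpy would have overrun, it never performs the write.

```cpp
#include <cassert>
#include <cstddef>
#include <limits>
#include <map>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// Assumed size of the fixed char[] a naive C parser might strcpy a playlist
// path into (constructed value for this illustration; 260 is Windows MAX_PATH).
constexpr std::size_t kLegacyBufferSize = 260;

struct PlsEntry {
    std::string file;   // FileN= value
    std::string title;  // TitleN= value
};

// True if copying `value` plus its NUL terminator into char[kLegacyBufferSize]
// with strcpy would run past the end. The condition is computed, never
// performed, so calling this is always safe.
bool wouldOverflowLegacyBuffer(const std::string& value) {
    return value.size() + 1 > kLegacyBufferSize;
}

// Parses "KeyN" into (prefix matched?, N). Digit count is capped so stoul
// cannot throw on absurd indices.
static bool splitIndexedKey(const std::string& key, const std::string& prefix, unsigned& idx) {
    if (key.size() <= prefix.size() || key.compare(0, prefix.size(), prefix) != 0) return false;
    const std::string num = key.substr(prefix.size());
    if (num.size() > 6 || num.find_first_not_of("0123456789") != std::string::npos) return false;
    idx = static_cast<unsigned>(std::stoul(num));
    return true;
}

// Bounds-checked .pls parser: values live in std::string, over-long values
// are rejected (not silently truncated), and entries come back in a
// std::vector so callers can index with at(), which throws instead of
// corrupting memory when an index is wrong.
std::vector<PlsEntry> parsePls(const std::string& text,
                               std::size_t maxValueLen = kLegacyBufferSize - 1) {
    std::istringstream in(text);
    std::string line;
    std::map<unsigned, PlsEntry> byIndex;   // ordered by entry number
    bool sawHeader = false;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();   // CRLF files
        if (line.empty()) continue;
        if (line == "[playlist]") { sawHeader = true; continue; }
        const std::size_t eq = line.find('=');
        if (eq == std::string::npos) continue;   // not key=value: ignore
        const std::string key = line.substr(0, eq);
        const std::string value = line.substr(eq + 1);
        if (value.size() > maxValueLen) {
            throw std::length_error("value for " + key + " exceeds " +
                                    std::to_string(maxValueLen) + " bytes");
        }
        unsigned idx = 0;
        if (splitIndexedKey(key, "File", idx))       byIndex[idx].file = value;
        else if (splitIndexedKey(key, "Title", idx)) byIndex[idx].title = value;
        // NumberOfEntries, LengthN and Version are ignored in this illustration.
    }
    if (!sawHeader) throw std::invalid_argument("missing [playlist] header");
    std::vector<PlsEntry> out;
    for (const auto& kv : byIndex) out.push_back(kv.second);
    return out;
}

// Constructed sample: a well-formed two-entry playlist with CRLF line ends.
const char* const kSamplePls =
    "[playlist]\r\n"
    "NumberOfEntries=2\r\n"
    "File1=C:\\music\\one.mp3\r\n"
    "Title1=One\r\n"
    "File2=http://example.invalid/stream.pls\r\n"
    "Title2=Stream\r\n";

// Constructed hostile sample: a File1= value of `len` bytes, far longer than any real path.
std::string makeOversizedPls(std::size_t len) {
    return std::string("[playlist]\nFile1=") + std::string(len, 'A') + "\n";
}

// Counts entries whose path would have overflowed the legacy buffer, parsing
// with no length limit so nothing is rejected before it is counted.
std::size_t countLegacyOverflows(const std::string& text) {
    std::size_t n = 0;
    for (const auto& e : parsePls(text, std::numeric_limits<std::size_t>::max()))
        if (wouldOverflowLegacyBuffer(e.file)) ++n;
    return n;
}

// True if the hardened parser refuses a playlist whose File1= is `len` bytes.
bool rejectsOversizedEntry(std::size_t len) {
    try {
        parsePls(makeOversizedPls(len));
    } catch (const std::length_error&) {
        return true;
    }
    return false;
}

int main() {
    const auto entries = parsePls(kSamplePls);
    assert(entries.size() == 2);                              // both entries parsed
    assert(!wouldOverflowLegacyBuffer(entries.at(0).file));   // ordinary path fits
    assert(countLegacyOverflows(makeOversizedPls(1000)) == 1); // legacy buffer would overrun
    assert(rejectsOversizedEntry(1000));                       // hardened parser refuses it
    return 0;
}
```

The design point is the one the reply makes: the length limit and the container's own checks turn a silent out-of-bounds write into an exception the caller can handle, and the asserts document the invariants the parser is expected to keep. The fixed-buffer size and the playlist samples here are assumptions for the illustration.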