Spyware Tunnels in on Winamp Flaw
Andy Philips writes "A security bug in Winamp is being exploited by miscreants to install spyware on machines running the media player software.
"After surfing to a malicious Web site on our test machines, the file 'x.pls' begins to download. Almost immediately, Winamp starts to execute the play list and remote code execution begins." Sunbelt's Adam Thomas wrote in a posting. The Winamp problem affects version 5.12 of the media player. Earlier versions may also be affected."
Link to WinAmp Free Player.
I know you will all correct me if I'm wrong, but if you don't have the .pls as a trigger for Winamp as a plugin, you're not vulnerable. Just set your browser to do something else with .pls (like offer to download). Or trash the file type association or set it for something other than Winamp.
Or if you're a Luddite like me and can't stand plugins, prevent them all from working by commenting out the plugins lines in:
C:\Program Files\Common Files\mozilla.org\GRE\ [version here] \greprefs\all.js
This is assuming you use Mz or FF for web on Windows like a sensible person.
As usual, nothing to see here...
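As an added illustration of the advice in the post above (not code from the thread or from Winamp itself): a strict parser for the INI-style .pls format that a download handler could run before handing a playlist to a media player, refusing malformed or oversized files. The size limits and the policy that a playlist fetched from the web may only reference http(s) stream URLs are assumptions made for this example.

```python
# Added example, not Winamp's code: a strict parser for the INI-style .pls
# playlist format that refuses oversized or malformed input. All limits are
# constructed for this example.
import re

MAX_ENTRIES = 500      # constructed cap on playlist size
MAX_FIELD_LEN = 1024   # constructed cap on any single value
ENTRY_KEY = re.compile(r"^(file|title|length)(\d+)$")
REMOTE = ("http://", "https://")

class PlsError(ValueError):
    """Raised when a playlist violates the format or one of the limits."""

def parse_pls(text, allow_local=False):
    """Return a list of {'file', 'title', 'length'} dicts, or raise PlsError."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].lower() != "[playlist]":
        raise PlsError("missing [playlist] header")
    entries, declared = {}, None
    for ln in lines[1:]:
        key, sep, val = ln.partition("=")
        key, val = key.strip().lower(), val.strip()
        if not sep or len(val) > MAX_FIELD_LEN:
            raise PlsError(f"malformed or oversized line: {ln[:40]!r}")
        if key == "version":
            continue
        if key == "numberofentries":
            declared = int(val)
            if declared > MAX_ENTRIES:
                raise PlsError(f"NumberOfEntries {declared} exceeds {MAX_ENTRIES}")
            continue
        m = ENTRY_KEY.match(key)
        if not m or not 1 <= int(m.group(2)) <= MAX_ENTRIES:
            raise PlsError(f"unexpected key {key!r}")
        kind, idx = m.group(1), int(m.group(2))
        entry = entries.setdefault(idx, {"file": "", "title": "", "length": -1})
        # Policy for playlists fetched from the web: only stream URLs, no local paths.
        if kind == "file" and not allow_local and not val.lower().startswith(REMOTE):
            raise PlsError(f"entry {idx}: non-URL target in a remote playlist")
        entry[kind] = int(val) if kind == "length" else val
    if declared is not None and declared != len(entries):
        raise PlsError("NumberOfEntries does not match the entries present")
    if any(not e["file"] for e in entries.values()):
        raise PlsError("entry without a File field")
    return [entries[i] for i in sorted(entries)]
```

Pass allow_local=True only for playlists the user created locally; a playlist that arrived from a web page should not be allowed to point the player at local paths.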
From ZDNet Asia: The flaw was disclosed on Monday, when Winamp maker Nullsoft, a division of America Online, released an update to fix it. The company posted version 5.13 of Winamp, while Secunia and other security companies issued alerts about the problem. Secunia rated the issue "extremely critical," its highest rating.
Flaw detected and removed. New version of Winamp out. Get the new version. Protected. Not much more difficult than that. Shouldn't there be a "Software Vulnerabilities" section to Slashdot, where these things could be posted?
GetOuttaMySpace - The Anti-Social Network
A legal solution to a technical problem will never work. The involvement of politicians likely won't lead to secure consumer-grade software.
The best thing to do is to use technologies that encourage secure programming. We're talking about garbage collected languages, for instance, that reduce the risks of buffer overflows. And beyond that, start using BSD or Linux rather than Windows. Of course the list goes on and on.
Cyric Zndovzny at your service.
Just for the record, Quinnware stopped the dev on the simple QCD player and started a bloated winamp 5 copy called Quintessential Media Player. Guess I'll be staying with the good old QCD 4.51 player for a long time.
A small plug for the greatest MP3 player in existence, Foobar2000
It's so awesomely customisable, it hurts.
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
While there isn't a Linux port of foobar 2000 yet, I've found Quod Libet to be a close-enough replacement for those of us who have gotten tired of whiz-bang graphics. Though mostly, I switched from xmms for the UTF-8 support (hey, that's the reason I switched from winamp too ;)
It should be noted that no application is secure enough (except some 'Hello World!' implementations). It's not unusual that one should get hotfixes, service packs, etc. to keep one's system (relatively) secure against crackers. If you like winamp get the update and relax. As other folks said you may use other applications, mplayer is my favourite one. Of course I run it on Linux.
Was when that disaster known as Winamp TV came out. Porn site operators found out rather quickly you could incorporate pop-up ads when you connect to their streams. A simple preference change stopped this.
It supports virtually all possible audio codecs, and sound quality is much better
From foobar2000.org:
Does foobar2000 sound better than other players?
No. Most of "sound quality differences" people "hear" are placebo effect (at least with real music), as actual differences in produced sound data are below their noise floor (1 or 2 last bits in 16bit samples). Foobar2000 has sound processing features such as software resampling or 24bit output on new high-end soundcards, but most of other mainstream players are capable of doing the same by now.
This was patched over a week ago, http://www.incidents.org/diary.php?date=2006-01-31 (bottom).
The time from exploit to patch was very fast.
better than the length it takes other software developers to release a patch..
http://www.eeye.com/html/research/upcoming/index.
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
winamp is still lite, you don't HAVE to install the extra features.
you don't HAVE to install the library,
you don't HAVE to install the modern skin support,
remove those 2 and you're practically using winamp 2.9 with a lot of bug fixes and speedups... so I don't see what all the complaining and whining is about
portfolio
I agree that Winamp 2 used to be great and Winamp 3 was horribly bloated. But what you really want to do is run the latest Winamp 5 with either the tiny Lite version, or the full version without modern skins. It has the same small memory footprint as Winamp 2... The only advantage of using Winamp 5 is that some of the recently discovered security holes have probably actually been in there the whole time and you might be putting yourself at risk if you run a really old version.
Homme petit d'homme petit, s'attend, n'avale
So what would I recommend? Well, if you're using Linux, I can think of at least ten things better
That page is old: "Last Updated 8 Apr 2000" and some of the links are broken.
Wikipedia has a nice media player comparison with an "Operating system support" table showing which ones run on Linux.
That information would have been useful had WinAmp not told me that version 5.13 was already available. A WEEK AGO!
I don't know what's worse on Slashdot, a dupe, a roland, or old news.
"You'll get nothing, and you'll like it!"
For all those interested here is the link: Quintessential Player
One can say the same about Winamp.
I just installed the Normal version. Not the prettiest app I've ever seen.
1) It fits in with your current theme, so if you're using the toy Windows XP theme, it's going to look like that.
2) Nobody thinks that's a good answer, so if you want a better-looking foobar you'll need Columns UI (which you get if you downloaded Full) and see the FAQs for it. You can get formatting strings here. (Azrael is sexy.)
Guy asked me for a quarter for a cup of coffee. So I bit him.