Slashdot Mirror


Spyware Tunnels in on Winamp Flaw

Andy Philips writes "A security bug in Winamp is being exploited by miscreants to install spyware on machines running the media player software. "After surfing to a malicious Web site on our test machines, the file 'x.pls' begins to download. Almost immediately, Winamp starts to execute the play list and remote code execution begins," Sunbelt's Adam Thomas wrote in a posting. The Winamp problem affects version 5.12 of the media player. Earlier versions may also be affected."

10 of 176 comments

  1. Re:It's that Damn Llama's Fault by iezhy · · Score: 4, Insightful

    I used Winamp too - until I found foobar2000.

    It supports virtually all possible audio codecs, and sound quality is much better.

  2. Re:Why don't they make a law... by LiquidCoooled · · Score: 3, Insightful

    Because there is nothing wrong with fucking up your own computer.
    There is nothing wrong with telling people how to fuck up their computers as well.

    There is however something wrong if you use these tools to automatically fuck up other people's computers.

    --
    liqbase :: faster than paper
  3. Re:It's that Damn Llama's Fault by zerocool^ · · Score: 4, Insightful


    For starters, you can go to www.oldversion.com and get winamp 2.95 along with a bunch of other versions. The train wreck that was winamp3 was also mostly corrected when they went to winamp5, and if you see from (http://www.winamp.com/player/free.php) there's a "lite" version that weighs in at 0.85MB, and which supports mp3, wav, ogg, au, midi, cda, aac, etc. Since it doesn't support modern skins, I would suspect that it's probably just a rehash of 2.9x

    I don't use the video features of Winamp. They were present in 2.95, but they weren't bloated yet. And I don't think it was a grab at the windows media player headspace. It really seemed like they just tacked it on because it wasn't hard to do. I think it uses the windows renderer and codecs anyway, just without all the crap in WMP.

    Anyway, yeah, I still use 2.95 of winamp, just like I still use instant messenger 4.8. I'm open to change; I'm just not going to "upgrade" to a bloated product. What is it with software these days, anyway? Every piece of software tries to be everything to everyone. Ugh.

    ~Will

    --
    sig?
  4. Strange by Anonymous Coward · · Score: 1, Insightful

    Isn't this like reporting on something exploiting an old bug in xmms or likewise?

    A fixed version of Winamp was released even before any of the mainstream media had published their reports. Isn't this rehashing the same?

    Winamp 5.12 and older are vulnerable? Wasn't this the point of the original article? What does this have to offer other than the same old story when it comes to all software? Upgrade to remove those nasty bugs.

    I believe you can find the fixed version here, it's been there for a week:

    http://www.winamp.com/player/

  5. Re:It's that Damn Llama's Fault by CastrTroy · · Score: 2, Insightful

    Did they code all their own codecs? Or do they use the standard codecs? Either way, I don't know how which application you use has any bearing on the sound quality. You can't make a badly encoded MP3 sound good.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  6. Re:Move Along by sn0wflake · · Score: 1, Insightful

    Approximately a week ago I started Winamp and instantly received a message that there was a new version available. What to do? Upgrade! Problem solved. I still don't get what the big deal is about this "news" other than the usual Windows bashing from Slashdot.

  7. Re:So now it... by Rosyna · · Score: 2, Insightful

    Well, it's not just Winamp. Seems no one can get this format correct. Even iTunes had a problem http://lists.apple.com/archives/security-announce/2005/Jan/msg00000.html although whether it was actually exploitable or not is something else.

  8. Re:Vulnerability is optional by yoyhed · · Score: 3, Insightful

    Know what else is funny? I don't remember this discussion being an OS debate. We've all heard your argument before, we all know Linux is less susceptible to spyware, and we know Microsoft was determined to be a monopoly by the courts.

    The grandparent poster's suggestion was assuming the user had Windows because the discussion is about fucking WINAMP, a WINDOWS program. I'd say anyone using Windows who was sensible would indeed use Firefox (or Opera), as the GP said.

    You don't need to jump on every comment that mentions Windows and promote Linux in such a zealous/inflammatory fashion, especially when the comment about Windows was helpful and was promoting OSS like Firefox.

    --
    WHO NEEDS SHIFT WHEN YOU HAVE CAPSLOCK/ DAMN1
  9. Just one question by SuperKendall · · Score: 4, Insightful

    Are there more computers running OS X than there are active copies of WinAMP?

    If so, why are there currently no OS X viruses yet when we see an active WinAMP exploit?

    Food for thought.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  10. Do Llamas dream about buffer overflows? by Anonymous Coward · · Score: 1, Insightful

    Once upon a time, a shitty unsafe little language called C was invented.

    Its greatest contribution to history has been buffer overflows, overruns,
    disguised as useful applications or OSs...

    Our beloved C++ could have mended all that, given us a safer higher
    level language to program applications with...

    http://en.wikipedia.org/wiki/Buffer_overflow

    "C and C++ provide no protection against accessing or overwriting data in any part of memory through invalid
    pointers; more specifically, they do not check that data written to an array (the implementation of a buffer)
    is within the assumed boundaries of that array."

    Either we are ALL morons that can't program decent apps or we are being sabotaged by the languages we use?