Slashdot Mirror


Spyware Tunnels in on Winamp Flaw

Andy Philips writes "A security bug in Winamp is being exploited by miscreants to install spyware on machines running the media player software. "After surfing to a malicious Web site on our test machines, the file 'x.pls' begins to download. Almost immediately, Winamp starts to execute the play list and remote code execution begins," Sunbelt's Adam Thomas wrote in a posting. The Winamp problem affects version 5.12 of the media player. Earlier versions may also be affected."

6 of 176 comments

  1. It's that Damn Llama's Fault by eldavojohn · · Score: 4, Interesting

    Once upon a time, I used Winamp.

    And it was good.

    It was fairly lightweight, I could load in huge playlists of college-napster-garbage without slowdown and I knew all the hot keys for searching and what not.

    Then that llama came into the picture. I think it must have been version three or four (I can't remember) when there was a damned llama or alpaca or whatever in a green field. Now, I love llamas and alpacas, don't get me wrong. The problem was that now Winamp was about "graphix" and "features" that were once plugins that I didn't want.

    I don't know why they thought Winamp needed to be able to play videos but it did now. I don't know why they thought Winamp had to show stupid tripping-on-acid-harmonograph visualizations but it did now. I don't know why they thought Winamp had to melt songs together but it did now ... etc.

    On top of that, the memory footprint in Windows was crazy. And my roommate tried to put skins on Winamp that just made my computer shit its gourd. I was disgusted ... the hot keys may have still been there but what I was looking for in a media player was not. For some reason, they seemed to think that competing with Windows Media Player meant mimicking it to every detail. Fine. I never want to touch Windows Media Player, it's about as useful as my appendix. And now I feel the same way about Winamp.

    Now there's a spyware flaw in Winamp. Am I surprised? Not really. They have gotten so complicated that there's probably a thousand holes in that application. They definitely lost sight of what I was looking for--a plain Jane slim audio player. Winamp's executing a remote method invocation through a playlist that can trigger itself to be automatically loaded and run? Now that sounds like a "feature" I want my audio player to have.

    Is this the first time this has happened? Nope, remember the zero day exploit that targeted skins in 2004? There's been a myriad of security issues with Winamp since it became more and more complicated.

    "Gee, the way our audio player loads playlists isn't very secure. But it works and the people who use our application aren't interested in security--they're interested in playing AVI files on their audio player!"

    So what would I recommend? Well, if you're using Linux, I can think of at least ten things better but XMMS would probably be my favorite. If you're running Windows, I like to use Quintessential Player which can be modified to be as complicated as new Winamp or can be

    --
    My work here is dung.
    1. Re:It's that Damn Llama's Fault by Robotech_Master · · Score: 3, Interesting

      Can't you get xmms compiled for Windows, too?

      Personally, I use iTunes now, because it just works with my iPod. I could probably use something else, but why bother?

      --
      Editor Emeritus and Senior Writer, TeleRead.org
  2. Re:Move Along by Anonymous Coward · · Score: 1, Interesting

    What happened to the days of patching? I don't know anything about the new version of WinAmp but this exploit vs. upgrade cycle seems to be a vehicle for prodding users to move to the latest edition of the bundled adware/spyware/malware product. So you get it through exploit or you get it through bundling. What's the difference anymore?

  3. That should solve the problem, but... by Anonymous Coward · · Score: 1, Interesting

    ...do we need a clean install, or can we just slap this baby on top of the old one?

  4. Earlier versions may also be affected. by Anonymous Coward · · Score: 1, Interesting
    why so detailed?!

    anyone know if this is a 5.x problem? I still use 2.91. couldn't find any reliable info anywhere :(

  5. Winamp 5 == Winamp 2 by Anonymous Coward · · Score: 4, Interesting

    Winamp 5 is essentially just an updated version of Winamp 2 renamed so that it would have a higher number than the trainwreck that was Winamp 3. There's no reason not to upgrade - all the "bloat" (modern skins, video support, media library, whatever) is an install-time option. Even with all the "bloat", I find that so long as I use a classic skin, it's reasonably lightweight. (Modern skins, of course, eat up more CPU/memory).

    If you're still using 2.95, you're probably vulnerable to a host of security issues and missing out on a number of useful features (better AAC/mp4 support for one, I believe). I highly recommend upgrading to 5.13.