Spyware Tunnels in on Winamp Flaw
Andy Philips writes "A security bug in Winamp is being exploited by miscreants to install spyware on machines running the media player software.
"After surfing to a malicious Web site on our test machines, the file 'x.pls' begins to download. Almost immediately, Winamp starts to execute the play list and remote code execution begins," Sunbelt's Adam Thomas wrote in a posting. The Winamp problem affects version 5.12 of the media player. Earlier versions may also be affected."
Once upon a time, I used Winamp.
... etc.
... the hot keys may have still been there but what I was looking for in a media player was not. For some reason, they seemed to think that competing with Windows Media Player meant mimicking it to every detail. Fine. I never want to touch Windows Media Player, it's about as useful as my appendix. And now I feel the same way about Winamp.
And it was good.
It was fairly lightweight, I could load in huge playlists of college-napster-garbage without slowdown and I knew all the hot keys for searching and what not.
Then that llama came into the picture. I think it must have been version three or four (I can't remember) when there was a damned llama or alpaca or whatever in a green field. Now, I love llamas and alpacas, don't get me wrong. The problem was that now Winamp was about "graphix" and "features" that were once plugins that I didn't want.
I don't know why they thought Winamp needed to be able to play videos but it did now. I don't know why they thought Winamp had to show stupid tripping-on-acid-harmonograph visualizations but it did now. I don't know why they thought Winamp had to melt songs together but it did now.
On top of that, the memory footprint in Windows was crazy. And my roommate tried to put skins on Winamp that just made my computer shit its gourd. I was disgusted.
Now there's a spyware flaw in Winamp. Am I surprised? Not really. They have gotten so complicated that there's probably a thousand holes in that application. They definitely lost sight of what I was looking for--a plain jane slim audio player. Winamp's executing a remote method invocation through a playlist that can trigger itself to be automatically loaded and run? Now that sounds like a "feature" I want my audio player to have.
Is this the first time this has happened? Nope, remember the zero day exploit that targeted skins in 2004? There's been a myriad of security issues with Winamp since it became more and more complicated.
"Gee, the way our audio player loads playlists isn't very secure. But it works and the people who use our application aren't interested in security--they're interested in playing AVI files on their audio player!"
So what would I recommend? Well, if you're using Linux, I can think of at least ten things better but XMMS would probably be my favorite. If you're running Windows, I like to use Quintessential Player which can be modified to be as complicated as new Winamp or can be
My work here is dung.
I was wondering why my mp3-collection was suddenly trying to sell me penis-lengthening pills!
...whips your computer's ass, as well as the llama's.
Editor Emeritus and Senior Writer, TeleRead.org
Link to WinAmp Free Player.
Because there is nothing wrong with fucking up your own computer.
There is nothing wrong with telling people how to fuck up their computers as well.
There is however something wrong if you use these tools to automatically fuck up other peoples computers.
liqbase
I know you will all correct me if I'm wrong, but if you don't have the .pls as a trigger for Winamp as a plugin, you're not vulnerable. Just set your browser to do something else with .pls (like offer to download). Or trash the file type association or set it for something other than Winamp.
Or if you're a luddite like me and can't stand plugins, prevent them all from working by commenting out the plugins lines in:
C:\Program Files\Common Files\mozilla.org\GRE\ [version here] \greprefs\all.js
This is assuming you use Mz or FF for web on Windows like a sensible person.
As usual, nothing to see here...
From ZDNet Asia: The flaw was disclosed on Monday, when Winamp maker Nullsoft, a division of America Online, released an update to fix it. The company posted version 5.13 of Winamp, while Secunia and other security companies issued alerts about the problem. Secunia rated the issue "extremely critical," its highest rating.
Flaw detected and removed. New version of Winamp out. Get the new version. Protected. Not much more difficult than that. Shouldn't there be a "Software Vulnerabilities" section to Slashdot, where these things could be posted?
GetOuttaMySpace - The Anti-Social Network
A legal solution to a technical problem will never work. The involvement of politicians likely won't lead to secure consumer-grade software.
The best thing to do is to use technologies that encourage secure programming. We're talking about garbage collected languages, for instance, that reduce the risks of buffer overflows. And beyond that, start using BSD or Linux rather than Windows. Of course the list goes on and on.
Cyric Zndovzny at your service.
A small plug for the greatest MP3 player in existence, Foobar2000
It's so awesomely customisable, it hurts.
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
Woah, they even got the might dot! My quip down the bottom was System going down in 5 minutes.
Nice work!
Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
It should be noted that no application is secure enough (except some 'Hello World!' implementations). It's not unusual that one should get hotfixes, service packs, etc. to keep one's system (relatively) secure against crackers. If you like winamp get the update and relax. As other folks said you may use other applications, mplayer is my favourite one. Of course I run it on Linux.
Isn't this like reporting on something exploiting an old bug in xmms or likewise?
A fixed version of Winamp was released even before any of the mainstream media had published their reports. Isn't this rehashing the same?
Winamp 5.12 and older are vulnerable? Wasn't this the point of the original article? What does this have to offer other than the same old story when it comes to all software. Upgrade to remove those nasty bugs.
I believe you can find the fixed version here, it's been there for a week:
http://www.winamp.com/player/
So this is the sound of the internet crashing? It even comes with a playlist!
The only change I can believe in is what I find in my couch cushions.
Was when that disaster known as Winamp TV came out. Porn site operators found out rather quickly you could incorporate pop-up ads when you connect to their streams. A simple preference change stopped this.
...do we need a clean install, or can we just slap this baby on top of the old one?
This was patched over a week ago, http://www.incidents.org/diary.php?date=2006-01-31 (bottom).h tml
The time from exploit to patch was very fast.
Better than the length it takes other software developers to release a patch.
http://www.eeye.com/html/research/upcoming/index.
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
Anyone know if this is a 5.x problem? I still use 2.91. Couldn't find any reliable info anywhere :(
Winamp 5 is essentially just an updated version of Winamp 2 renamed so that it would have a higher number than the trainwreck that was Winamp 3. There's no reason not to upgrade - all the "bloat" (modern skins, video support, media library, whatever) is an install-time option. Even with all the "bloat", I find that so long as I use a classic skin, it's reasonably lightweight. (Modern skins, of course, eat up more CPU/memory).
If you're still using 2.95, you're probably vulnerable to a host of security issues and missing out on a number of useful features (better AAC/mp4 support for one, I believe). I highly recommend upgrading to 5.13.
winamp is still lite, you don't HAVE to install the extra features.
you don't HAVE to install the library,
you don't HAVE to install the modern skin support,
remove those 2 and you're practically using winamp 2.9 with a lot of bug fixes and speedups... so I don't see what all the complaining and whining is about
portfolio
http://img141.imageshack.us/img141/7189/poobar4ks.png
how pretty does it need to be?
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
That information would have been useful had WinAmp not told me that version 5.13 was already available. A WEEK AGO!
I don't know what's worse on Slashdot, a dupe, a roland, or old news.
"You'll get nothing, and you'll like it!"
Winamp is now just bloatware. With all the features added to the software, the stability dropped like a rock. I was an avid user until I purchased an iPod and have been using iTunes ever since.
This has absolutely nothing to do with Sunbelt Computer Systems, their PL/B implementation, or PL/B source files (extension .pls). (Oh, the fun I had keeping WinAmp from opening my source code....)
of the browsers having this enabled, the "solution" is a non-issue.
The people I've set up who care about safer browsing have accepted my turning off
Javascript in IE6 and leaving it on with Firefox. They are free to choose whichever.
And if a webpage cannot display with either client -- they don't need to go there.
While Winamp was indeed improved between versions 3 and 5, I still prefer the 2.x series and XMMS for their no-nonsense approach to music. After all, it's the music we care about. The reasons for winamp's decline are many, but if you watch the developments at Winamp's Nullsoft, it gives you quite a few clues. Winamp's creator Justin Frankel is no longer affiliated with Nullsoft, and if you track the developments leading to his departure, it's quite clear why winamp has suffered as well. When Nullsoft was bought by AOL in 1999, big-corporate philosophies took over and the informal nature of Nullsoft was destroyed. Coincident with this was the bloating of a once great media player. C|NET has an article about Nullsoft and Frankel's departure with some good outside references.
I installed winamp after I elevated my LUA as an admin, on my profile folder instead of on \Program Files\ and then demoted my account. Does this mean that winamp runs now as root? Am I vulnerable?
I just installed the Normal version. Not the prettiest app I've ever seen.
1) It fits in with your current theme, so if you're using the toy Windows XP theme, it's going to look like that.
2) Nobody thinks that's a good answer, so if you want a better-looking foobar you'll need Columns UI (which you get if you downloaded Full) and see the faqs for it. You can get formatting strings here. (Azrael is sexy.)
Guy asked me for a quarter for a cup of coffee. So I bit him.
My install doesn't look anywhere near as nice as that. So how did you get yours to look like that?
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
Winamp is just a backup player for me now. Mostly I use Media Player Classic because it uses AC3Filter to Dolby-Surround decode my MP3s to 5.1.
Arguing about vi versus Emacs is like arguing whether it's better to make fire by rubbing sticks or banging rocks.
Are there more computers running OS X than there are active copies of WinAMP?
If so, why are there currently no OS X viruses yet when we see an active WinAMP exploit?
Food for thought.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I prefer my install to have the plain look. It's hidden by other windows or minimized most of the time anyway.
I like it for the very low CPU usage and memory footprint. It easily displays 10,000 tunes on my old P3 450mhz. I reckon an old 233mhz would cope fine with it too.
The customisable, RegEx style playlist display formats are also great (if a little complex).
If you need an MP3 player, that also plays every other type of audio format under the sun, then get Foobar2000. An audio player that just plays audio well.
This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
What WinAmp really needs is to be very small in footprint. Two: every, yes, every function should have a keyboard combination interface.
With a keyboard combination for each function, a remote can be made for the Winamp player. Use a photodiode that decodes the 38KHz signal sent from all TV remotes. Feed this signal into a microcontroller that replicates the WinAmp keyboard combinations according to button pressed on the remote. Plug this microcontroller into the PC in parallel with the keyboard (use TTL gate ICs). Now you can use your PC as a music server with a remote. Now all we need is either a laptop with an external keyboard input or a very quiet-low power consumption desktop PC.
But none of this is possible if the programmers don't put a keypress combination for every function of the program.
Anyone have experience with this: Quintessential Player?
Note that it says you can rip CDs at full speed. WinAmp requires you to pay to do that.
I moved to a player with a good media library years ago. Even if that's not for you, consider something like Foobar2000.
Hands in my pocket
Once upon a time, a shitty unsafe little language called C was invented.
Its greatest contribution to history has been buffer overflows, overruns,
disguised as useful applications or OSs...
Our beloved C++ could have mended all that, given us a safer higher
level language to program applications with...
http://en.wikipedia.org/wiki/Buffer_overflow
"C and C++ provide no protection against accessing or overwriting data in any part of memory through invalid
pointers; more specifically, they do not check that data written to an array (the implementation of a buffer)
is within the assumed boundaries of that array."
Either we are ALL morons that can't program decent apps or we are being sabotaged by the languages we use?
How come nobody mentioned VLC or Media Player Classic yet?
Wow, you pretty much echoed all of my thoughts in elegant form.
I actually still use Winamp 2.73. I keep meaning to upgrade to 2.95, but I guess that'll probably happen next time I buy a computer.
I do find the comments others have made about being able to disable/delete in version 5+ the extra useless crap that was added in version 3, and may actually try that. I did stick version 5 on my computer at work, and I definitely appreciate the fact that I can keep my classic skins.
PS - I believe an alpaca is a particular breed of llama. That is, they are all the same species and can interbreed to produce fertile offspring.
Use Winamp v2.0 then.
There is no reason you have to upgrade.
I hate it when people think because a software product was modified, that they are FORCED to use thus said modifications.
You seem to think the old WinAmp was stable, secure, fast and light weight... SO USE IT.
Modesty is one of life's greatest attributes
It works flawlessly. It's teenie-tiny. It's appealing to look at. . .
Am I missing something here. . ? The only reason I ever go for updates on software is in the hope that an annoying design flaw is fixed, or that a much-needed feature will be added. When I finally load something onto my machine which does exactly what I want, I sigh with relief and then move on to other interests.
I'm fairly certain guys like me are not well liked around the headquarters of Commercialism Inc.
Software doesn't crap out after 2 years of use, but I guess with everybody so well programmed into thinking, "Old=Bad", that even when consumers step into the virtual world, they don't need to own products filled with time-bomb parts designed to fail after a set period. People are kind of chumpy this way. As my grampy used to tell me, "Buy it good, buy it once, learn how to fix it yourself."
Of course, that doesn't mean people shouldn't create new things for the sake of play; Playing means seeing what can be done next, what innovation can be whipped up. Playing is fun. But for computer music players, I don't really care. I have music. It plays. Why all the fuss?
People like to fuss.
-FL
Ok I use OS Anonymous, there are more OS Anonymous users than Windows Application XYZ, and no viruses have been made for OS Anonymous (yet). A flaw finally shows up in Application XYZ, and that is just "food for thought" on how secure and great Anonymous OS is?
Why the Anon post?
The point is that many people claim OS X is not a target for virus writers because the numbers are too small. Yet the numbers for Winamp are smaller - so why do we see a virus for Winamp and not for OS X?
The reason it was modded up is not because it says anything about OS X being secure or not. It's an honest question with interesting implications if even lesser used applications on another platform are being used as attack vectors when a whole OS platform itself remains clean. Why?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Alternatively, you can use Coolplayer, cuz it's as lite as it gets. http://coolplayer.sourceforge.net/ And I agree, Winamp2 used to be the best (music) player....
Per Aspera Ad Astra.
You can use C/C++ to do anything you like.
There are still many times when C/C++ is the best choice, sometimes the only high-level choice for some chips.
Your summary of the languages is frankly ridiculous. You forgot to mention that your reasoning might similarly condemn hand written assembly code as being even more insecure than C, what with JMP #memory_addr, despite _still_ being used with almost every piece of electronics you can buy. You can write bad, insecure code in any language.
If you use a decent toolkit instead of the standard C libraries and you have reasonable time to debug and know how to use the languages properly (e.g. use assert) then you can write stable efficient software which will still run on machines 10 years old with = 64Mb RAM (why should basic computer users upgrade their hardware when they only do email, word processing, web browsing?). A worthwhile tradeoff?
In C++ you can have stuff like array bounds checking with the STL or with a toolkit compiled in debug mode.
Also, you might not like seeing a segfault message but with 'safer' languages you might get no message, even though the program had done something wrong.
With a decent OS, i.e. not running everything with full privileges, application buffer overruns aren't of themselves that bad without bad software design; with system services they typically need/want the extra efficiency that C/C++ can provide.