January 30, 2006 9:28 AM PST

Serious Winamp flaw gets fix

Nullsoft has released an update to Winamp to fix a serious security vulnerability that opened up systems to remote attack.

The company posted version 5.13 of the media player online on Monday after Secunia and other security companies issued alerts about the problem. Malicious software exploiting the "extremely critical" flaw was already circulating on the Internet, according to Secunia's advisory.

The security hole, found in the latest version of Winamp 5.12, could lead to malicious attackers taking remote control of a Winamp user's system. Earlier versions of the media player may also be affected, Secunia said.

Even though the security company gave the vulnerability its highest rating for software threats, it noted that the number of people who use Winamp has declined over the years, so the scope of the problem is not as large as it once might have been.

"Winamp used to be the world's most popular MP3 player and is still quite popular, but as Windows Media Player has gotten better, some users have migrated over," said Thomas Kristensen, Secunia's chief technology officer.

The vulnerability could be exploited when a Winamp user visits a malicious Web site and a tainted media file is launched onto the person's system. A buffer overflow is triggered, which allows the attacker to take control of the computer without being constrained by security measures, Kristensen noted.

"We aren't aware of any systems that have been compromised yet, but it's likely to happen since there's exploit code out," Kristensen said.

Nullsoft, a division of America Online, is urging people to download the updated media player from the Winamp Web site. "Users attempting to launch the v. 5.12 player will be prompted with a pop-up message alerting them to upgrade to the secure Winamp v 5.13," AOL said.

The vulnerability, initially discovered by Atmaca, is not the first to be found in the Winamp software. In late 2004, a highly critical flaw was found in the playlist files for the Winamp player.


Join the conversation!
Add your comment
There they go again hogging all the headlines. First they stop
supporting the Mac platform with Windows Media Player and it has
a security problem immediately. MicroSoft sucks up all the glory
and now they have done it again a week or two later.

MicroSoft will do anything for headlines.
Posted by (12 comments )
Reply Link Flag
Nice effort
but Winamp is not a Microsoft product.
Posted by Charleston Charge (362 comments )
Link Flag
Fix available.
<a class="jive-link-external" href="http://forums.winamp.com/showthread.php?threadid=236740" target="_newWindow">http://forums.winamp.com/showthread.php?threadid=236740</a>
Posted by katamari (310 comments )
Reply Link Flag
Winamp losses not just due to WMP
I hate to break it to people, but Winamp hasn't just declined in popularity due to WMP. For me and a fair number of others, it is because the new versions are just more bloated and are made to try to get you to buy a better version! I still use pre-3.0 versions of Winamp.
Posted by ddesy (4336 comments )
Reply Link Flag
What Else Is New
AOL did for Winamp what it did for ICQ.

Four words.

"Destroyed a great product."
Posted by cnetnews (4 comments )
Link Flag
its just like the jpg hole...........
my hunch is that all major streaming platforms are severly affected. weird packets can cause buffer overflows.... and open acceess to the gui framworks... GTK in particular I think...
and not only is your work stolen but your brain is washed as well.... anyone listen to the voice-overs lately on frisky and proton?!?

the max headroom 1984 theme has got to stop!
Posted by freq (121 comments )
Reply Link Flag
Fix Is Now Available
New fixed version 5.13 has been released now and you can download it from the winamp.com web site.
Posted by annanemas (79 comments )
Reply Link Flag
I'll just do that if I ever decide to use or even try WinAmp.
Posted by Earl Benser (4310 comments )
Link Flag
That creative approach to original <a href=http://www.watchessell.com/product.php?id=26&categories_id=36>patek philippe</a> score was patek philippe representative of Mechanic/Shankman's most artful improvement: <a href=http://www.watchessell.com/product.php?id=28&categories_id=36>chopard watch</a> enlivening obscure chopard watch categories in ways that made viewers appreciate <a href=http://www.watchessell.com/product.php?id=28&categories_id=36>chopard watches</a> a craft they chopard watches probably didn't understand. Such snoozers as <a href=http://www.watchessell.com/product.php?id=28&categories_id=36>chopard</a> short film chopard and sound editing came appended with brief segments featuring compelling <a href=http://www.watchessell.com/product.php?id=29&categories_id=36>u boat watch</a> explanations u boat watch from the likes of Taylor Hackford and Morgan Freeman.
Posted by replica-watches (1 comment )
Reply Link Flag
very nice <a href=http://www.nashikpackersmovers.com></a>
<a href=http://www.punepackersandmovers.com></a
Posted by shankarjoshi (2 comments )
Reply Link Flag
very nice http://www.nashikpackersmovers.com
Posted by shankarjoshi (2 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.