Serious Winamp flaw gets fix

Nullsoft has released an update to Winamp to fix a serious security vulnerability that opened up systems to remote attack.

The company posted version 5.13 of the media player online on Monday after Secunia and other security companies issued alerts about the problem. Malicious software exploiting the "extremely critical" flaw was already circulating on the Internet, according to Secunia's advisory.

The security hole, found in the latest version of Winamp 5.12, could lead to malicious attackers taking remote control of a Winamp user's system. Earlier versions of the media player may also be affected, Secunia said.

Even though the security company gave the vulnerability its highest rating for software threats, it noted that the number of people who use Winamp has declined over the years, so the scope of the problem is not as large as it once might have been.

"Winamp used to be the world's most popular MP3 player and is still quite popular, but as Windows Media Player has gotten better, some users have migrated over," said Thomas Kristensen, Secunia's chief technology officer.

The vulnerability could be exploited when a Winamp user visits a malicious Web site and a tainted media file is launched onto the person's system. A buffer overflow is triggered, which allows the attacker to take control of the computer without being constrained by security measures, Kristensen noted.

"We aren't aware of any systems that have been compromised yet, but it's likely to happen since there's exploit code out," Kristensen said.

Nullsoft, a division of America Online, is urging people to download the updated media player from the Winamp Web site. "Users attempting to launch the v. 5.12 player will be prompted with a pop-up message alerting them to upgrade to the secure Winamp v 5.13," AOL said.

The vulnerability, initially discovered by Atmaca, is not the first to be found in the Winamp software. In late 2004, a highly critical flaw was found in the playlist files for the Winamp player.

Damn...

There they go again hogging all the headlines. First they stop
supporting the Mac platform with Windows Media Player and it has
a security problem immediately. MicroSoft sucks up all the glory
and now they have done it again a week or two later.

MicroSoft will do anything for headlines.

[Charleston Charge]

Nice effort

but Winamp is not a Microsoft product.

[katamari]

Fix available.

http://forums.winamp.com/showthread.php?threadid=236740

[ddesy]

Winamp losses not just due to WMP

I hate to break it to people, but Winamp hasn't just declined in popularity due to WMP. For me and a fair number of others, it is because the new versions are just more bloated and are made to try to get you to buy a better version! I still use pre-3.0 versions of Winamp.

[cnetnews]

What Else Is New

AOL did for Winamp what it did for ICQ.

Four words.

"Destroyed a great product."

[freq]

its just like the jpg hole...........

my hunch is that all major streaming platforms are severly affected. weird packets can cause buffer overflows.... and open acceess to the gui framworks... GTK in particular I think...
and not only is your work stolen but your brain is washed as well.... anyone listen to the voice-overs lately on frisky and proton?!?

the max headroom 1984 theme has got to stop!

[annanemas]

Fix Is Now Available

New fixed version 5.13 has been released now and you can download it from the winamp.com web site.

[Earl Benser]

Fine....

I'll just do that if I ever decide to use or even try WinAmp.