Security pros warn of 'critical' Winamp bug

Computerworld - Security companies today warned Winamp users that the music player application has a bug that could give attackers the means to hijack PCs.

According to Danish vulnerability tracker Secunia and eEye Digital Security of California, the Winamp 5.34 plug-in that decodes MP4 files is flawed. If a specially crafted MP4 file is fed to the player, an attacker could compromise the machine and execute his own malicious code remotely.

Secunia rated the bug as "highly critical," its second-most-dire level in a five-step scoring system; eEye simply dubbed it as a "high" risk.

"A media player remote code execution vulnerability has a very high impact since the source of the malicious payload can be any site on the Internet," said eEye's alert. "An even more critical problem is generated when clients are administrators on their local hosts, which would run the malicious payload with administrator credentials."

Windows XP users, for example, typically run the operating system using an administrator account.

One bright spot, said eEye, was that because Winamp does not open MP4 files embedded in a Web site, attackers would have to dupe users into launching the malicious file. The most likely delivery vehicles: MP4 files attached to e-mail messages or a link to a site from which the file could be downloaded. "This could add a level of suspicion to the exploit delivery, but since music sharing is such a common activity, the suspicious activity might be dismissed by the user," said eEye.

With a patch yet to come from Nullsoft Inc., eEye recommended that users disassociate the .mp4 extension from Winamp by choosing Options/Preferences, then General Preferences/File Types and deselecting MP4.