Millions of Winamp users are vulnerable to a zero-day exploit circulating in the wild for more than a month that could "forcefully install spyware and Trojans on unsuspecting victims who click on a Web site link," according to K-OTik Security. However, experts say that using common sense online eliminates the threat.
"Don't walk though neighborhoods on the Internet you wouldn't walk through in real life, like clicking on gratuitous IRC links," said David Kennedy, director of research services at TruSecure Corp. in Reston, Va.
Though IRC chat networks have been the main infection vector for the "Skinhead" exploit, anyone visiting these malicious Web sites could become infected.
PivX Labs, based in Newport Beach, Calif., said in a statement: "When a user visits a Web site that hosts the Skinhead exploit, their browser is redirected to a compressed Winamp Skin file that has a WSZ file extension but which in reality is a ZIP file. The default installation of Winamp registers the WSZ file extension and includes an EditFlags value with the bitflag 00000100 that instructs Windows and Internet Explorer to automatically open these files when encountered. Because of this EditFlags value, the fake Winamp skin is automatically loaded into Winamp, which in turn opens the skin.xml file inside the WSZ file. This skin.xml file references several include files such as includes.xml, player.xml and player-normal.xml, the latter of which opens an HTML file in Winamp's built-in Web browser. The HTML file that is opened exploit the traditional codebase command execution vulnerability in Internet Explorer to execute calc.exe at which time the user is infected."
Measures to secure the Local Machine zone in Internet Explorer can be found here. A possible workaround may be to change the association on WSZ files from Winamp to null or your Zip program.
The vulnerability has been confirmed on a fully patched system with WinAmp 5.04 using Internet Explorer 6.0 on Microsoft Windows XP SP1. WinAmp 3.x users are also potentially in peril, according to news reports. Winamp users are advised to use an alternative product untill NullSoft issues a patch.
"I doubt this will develop into anything significant from a security perspective," said Aaron Schaub, a security analyst at a public utility company. "It just makes the existing spyware game a little more complex. People keep clicking things they shouldn't. Education is the solution to this one, but that's a problem the security community is still trying to solve."