Zero-day exploit targets Winamp

Millions of Winamp users are vulnerable to a zero-day exploit that could install spyware and Trojans on unsuspecting victims who click on a Web site link.

Millions of Winamp users are vulnerable to a zero-day exploit circulating in the wild for more than a month that could "forcefully install spyware and Trojans on unsuspecting victims who click on a Web site link," according to K-OTik Security. However, experts say that using common sense online eliminates the threat.

"Don't walk though neighborhoods on the Internet you wouldn't walk through in real life, like clicking on gratuitous IRC links," said David Kennedy, director of research services at TruSecure Corp. in Reston, Va.

Though IRC chat networks have been the main infection vector for the "Skinhead" exploit, anyone visiting these malicious Web sites could become infected.

UPDATE

Winamp flaw fixed
Winamp users "must upgrade to Winamp 5.05 immediately" to patch a hole that would allow a zero-day exploit circulating in the wild to "forcefully install spyware and Trojans on unsuspecting victims who click on a Web site link," according to K-OTik Security. Nullsoft has issued a fix for this critical vulnerability affecting Winamp 3.0, 5.0 and 5.0 Pro or newer. IRC chat networks have been the main infection vector, but anyone visiting malicious Web sites hosting the "Skinhead" exploit could become infected. According to Nullsoft, Winamp will now prompt all users with a confirmation window before installing any skins and will now only extract files considered low risk before loading a Winamp skin.

PivX Labs, based in Newport Beach, Calif., said in a statement: "When a user visits a Web site that hosts the Skinhead exploit, their browser is redirected to a compressed Winamp Skin file that has a WSZ file extension but which in reality is a ZIP file. The default installation of Winamp registers the WSZ file extension and includes an EditFlags value with the bitflag 00000100 that instructs Windows and Internet Explorer to automatically open these files when encountered. Because of this EditFlags value, the fake Winamp skin is automatically loaded into Winamp, which in turn opens the skin.xml file inside the WSZ file. This skin.xml file references several include files such as includes.xml, player.xml and player-normal.xml, the latter of which opens an HTML file in Winamp's built-in Web browser. The HTML file that is opened exploit the traditional codebase command execution vulnerability in Internet Explorer to execute calc.exe at which time the user is infected."

Measures to secure the Local Machine zone in Internet Explorer can be found here. A possible workaround may be to change the association on WSZ files from Winamp to null or your Zip program.

The vulnerability has been confirmed on a fully patched system with WinAmp 5.04 using Internet Explorer 6.0 on Microsoft Windows XP SP1. WinAmp 3.x users are also potentially in peril, according to news reports. Winamp users are advised to use an alternative product untill NullSoft issues a patch.

"I doubt this will develop into anything significant from a security perspective," said Aaron Schaub, a security analyst at a public utility company. "It just makes the existing spyware game a little more complex. People keep clicking things they shouldn't. Education is the solution to this one, but that's a problem the security community is still trying to solve."

Read the K-OTik advisory.

Dig deeper on Web Browser Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close