Beware that WinAmp skin

Internetnews.com ^ | August 26, 2004 | Ryan Naraine

[JoJo Gunn]

Beware That WinAmp Skin
By Ryan Naraine
August 26, 2004

The popular skinning feature in Nullsoft's WinAmp media player has left the door wide open for malicious attackers to hijack PCs.

Security researchers at K-Otik discovered the vulnerability and released details of a "Skinhead" zero-day exploit that is already spreading in the wild. The exploit, which targets WinAmp versions 3.x and 5.x, is being used to forcefully install spyware and Trojans on infected systems.

Secunia has tagged the flaw as "extremely critical," its highest rating.

WinAmp skins have a huge following because they allow users to adopt colorful, customizable and interchangeable sets of graphics that change the look and feel of the software.

According to an advisory from Secunia, the problem is caused due to insufficient restrictions on WinAmp skin zip files (.wsz). It means a malicious Web site could use a specially crafted WinAmp skin to place and execute arbitrary programs.

With Microsoft's (Quote, Chart) Internet Explorer browser, this can be done without user interaction.

Analysis of the zero-day exploit shows that attackers are using an XML document in the WinAmp skin zip file to reference a HTML document using the "browser" tag and get it to run in the "Local computer zone". "This can be exploited to run an executable program embedded in the WinAmp skin file using the "object" tag and the "codebase" attribute," Secunia explained.

The vulnerability has been confirmed on a fully patched system with WinAmp 5.04 using Internet Explorer 6.0 on Microsoft Windows XP SP1.

PivX Labs, which has also analyzed the attack vector, said that a user visiting a Web site that hosts the Skinhead exploit will have their browser redirected to a compressed WinAmp Skin file which has a WSZ file extension, but which in reality is a ZIP file.

The company said the default installation of WinAmp registers the WSZ file extension and includes an instruction to Windows and Internet Explorer to automatically open the files. It leads to the fake WinAmp skin being automatically loaded into the media player.

America Online (Quote, Chart) owns Nullsoft.

[JoJo Gunn]

Many find Winamp an alternative to Media Player, so I thought this might be of interest here.

[JoJo Gunn]

I made the post in Firefox, and see the ad on the right in IE6. Live and learn....

[JoJo Gunn]

Can y'all help me ping others? I'm sorta in the middle of a Senior Moment....

[Darksheare]

Done

Those of us in the RKBA that use Winamp3.x or WinAmp 5 -5.03 listen up.
There's a security flaw in winamp's skinning system, check the article and pass the info on to anyone else you know who uses WinAmp.

Boy am I glad I kept WinAmp 2.91...

[JoJo Gunn]

Thanks, Darksheare. I'm having trouble remembering some of the names that frequent the tech threads, and this is enough of a general warning anyway.

I liked 2.91 for the simplicity, and even tried a couple of skins with a skinmaker. Hey, no rolling eyes from anybody.

[Darksheare]

I kept 2.91, but it's ogg vorbis decoder was screwed, so I dumped it for the ogg decoder dll from 2.81 which didn't crash my machine every time I played an ogg file.
*chuckle*
Welcome.

Haven't tried my hand at skinning Winamp, the new XML format made my brain scramble after a few minutes.

[JoJo Gunn]

Well, I said 2.91, but I meant the last of the "2" series. I never saved anything past 2.80. There were troubles with them, though I can't remember specifics. I have 3 and 5.03 and there's no way I could do a skin for them, with all the XML you gotta learn.

What I'd used was called "Skinamp", widely scorned by the graphics elitists. (wink)

http://www.saschahlusiak.de/english/infos/skinamp.htm

[Darksheare]

Have 2.80 installer still saved somewhere..
*chuckle*

LOL!
Haven't tried my hand at it since I fried my mind.

[Not A Snowbird]

I don't even know what Winamp is, so I guess I'm not using it.

{{{looks worried}}}

Should I know what this is?

[JoJo Gunn]

Winamp is just an alternative player/recorder, like Media Player or MusicMatch Jukebox, et al. It was a favorite for a long time, in part, because it was so easily skinned.

http://www.winamp.com/

[Darksheare]

If you're not using it, you don't need to worry.

[Not A Snowbird]

Thanks! I figured if I didn't know what it was I would be okay, but who knows these days.

[JoJo Gunn]

Of course, what you know could change tomorrow. Sometimes I just feel like unplugging this thing and walking away. Society has tolerated way too much for too long from those scummos, and a few fingers chopped off on the public square at high noon would be a helluva good beginning at fixing the mess.

[Darksheare]

Welcome.

There's another mp3/ogg/636 player called Sonique.. but I haven't heard much from them in awhile.

JJ, remember back when some clever person played about with the id3 tags on mp3's and crashed a few machines?
Winamp(nullsoft) was quick to change how it read id3 tags.
So no-one can use id3 tags on winamp anymore for nefarious reasons.

[JoJo Gunn]

I admit I don't remember that. I never liked the "quality" of mp3's, so I just never kept up with that side of things.

I didn't care for the Winduhs player, and the MusicMatch bundle that came with my machine wasn't all that great, with it's unceasing "upgrade" boxes and how it dropped the master volume and .wav volume whenever you closed it. I found Winamp to be a good alternative. Still is, compared to WMP9, which wants to connect to the web to find codecs to play things that 6.4 can.

[Darksheare]

I noticed an mp3's quality depends largely on it's bitrate, the codec used to mp3 it, and the quality of the machine it was mp3'd on.
Oggs tend to lose quality in it's compression but tend to keep goo high and low end tones, it's the midrange on them that suffers.

I have a few mp3's that have a bitrate of 320 that I 'ripped' myself using Winamp 2.91 and the Lame encoder, and you can't tell the difference between them and the original CD.
At around 196 bitrate you will notice differences..
People with better ears than mine can notice a difference at 225 bitrate.

*sigh*
But I can hear dog whistles.

[JoJo Gunn]

I bet, if you haven't already seen it, that you'd like CDex.

http://www.cdex.n3.net/

It's a heckuva good ripper, and handles all sorts of mp3 variations, and it's a freebie, (though as always he appreciates donations).

Beware of NeoAudio, a blatant ripoff with spyware added.

[JoJo Gunn]

Speaking of NeoAudio, some things you just can't make up:

PeeTree gives it a thumbs up

"Great, free software!"
I wish everyone would stop complaining about spyware! Is it really that much of a problem?....

[KangarooJacqui]

I won't have it on my computer anymore, and haven't since my last cleanup.

That and RealPlayer... O.U.T - OUT!

[KangarooJacqui]

That's a NO. NO NO NO.

For tech support, see me (who will see MadIvan, LOL)