August 27th, 2004, 08:06 AM
|
#1
|
|
observationist
Join Date: Mar 2003
Location: Wandering the Universe
Posts: 9,933
|
Winamp security flaw
I know from the other thread some people don't like the new Winamp. Here is another reason to get rid of it.
Here are some excerpts for a security e-mail I got today.
This is an e-mail for computer/firewall administrators so excuse the technical nature.
For the less technically inclined the bolded sections are the important parts.
Quote:
Before any security mailing lists got wind of it, personnel from the greyhat Web site K-Otik.com discovered and posted underground exploit code for a new Winamp vulnerability. The vulnerability involves a specially-crafted Winamp skin file that can automatically download and execute code on a victim's computer. By enticing one of your users to a malicious Web page or sending an HTML e-mail, an attacker could deliver his malicious Winamp skin to your user's computer and gain total control of the machine. If you suspect your users have installed Winamp version 5.04 or earlier (whether or not you officially permit it), you should insist that they remove Winamp. For other countermeasures, see the Solution section below.
A blackhat hacker calling himself |silent released his new Winamp exploit to other malicious hackers on the Internet, specifying that he would not inform Winamp or the security community. Therefore, Winamp users should consider this a high risk vulnerability, since malicious attackers have possessed exploit code before the security community knew of it.
Winamp's popular skinning ability enables customizing the look and feel of the application to fit your tastes. The malicious exploit takes advantage of a design flaw in Winamp's Skin Zip (.wsz) files. These .wsz files usually consist of a zipped archive containing files that fall into two main categories: 1) Media files for customizing Winamp, and 2) XML files that tell Winamp how to apply the media files. However, |silent discovered that he could also embed a malicious program within a Winamp skin file and then craft the XML portion so that Winamp executes it automatically.
Internet Explorer becomes Winamp's unwilling accomplice in this attack. |silent discovered he could create a Web page so that it would automatically download an infected Winamp skin as soon as an Internet Explorer (IE) user visited it. Windows associates .wsz files with Winamp by default. That means a smart attacker could maliciously craft his Web site so that if a victim visits the page, the malicious skin file downloads via IE automatically and executes in Winamp automatically. In sum, one wrong click could give up your machine.
Since |silent never disclosed this vulnerability directly to Winamp's creators, Nullsoft, there is no patch correcting this flaw (although you can bet Nullsoft knows of this issue by now). We plan on updating this alert if Nullsoft releases a patch.
Today, the only way to totally protect yourself from this flaw is to remove Winamp.
If you choose to continue using Winamp now, these workarounds can mitigate your exposure to |silent's vulnerability:
Dis-associate the .wsz file type in Windows. Doing this prevents you from installing any new Winamp skins automatically. To dis-associate .wsz files from Winamp, open Windows Explorer and click Tools => Folder Options => File Types tab. Scroll down to locate and highlight the WSZ extension type (which appears only if you have Winamp installed). Highlight it, and either click the Delete button to completely remove the WSZ extension type or click the Change button and select some other application, such as Notepad, to opens .wsz files harmlessly.
Use another browser besides IE to prevent the automatic download of the malicious Winamp skin. This is not a feasible option for everyone. However, other browsers, such as Mozilla Firefox, prompt the users for some interaction before automatically downloading |silent's malicious Winamp skin.
SP2 includes new secure-browsing features that prevent IE from automatically downloading certain files. With SP2 installed, the malicious Web code |silent uses to download a Winamp skin onto your computer does not work without significant user interaction.
|
|
|
|
|
August 27th, 2004, 09:09 AM
|
#2
|
|
Admin
Join Date: May 2002
Location: Section 431 Row 1
Posts: 12,503
|
what is winamp?
__________________
Read The Cardinal Rules of this Site!
Play hard, get dirty and never make eye-contact with the man you're going to blind-side. - Hardy Brown
RIP Skkorp, KoC, Danny_L, and jstadvl.
|
|
|
|
|
August 27th, 2004, 09:22 AM
|
#3
|
|
observationist
Join Date: Mar 2003
Location: Wandering the Universe
Posts: 9,933
|
Quote:
|
Originally Posted by jkf296
what is winamp?
|
Media/MP3 player program for PCs.
www.winamp.com |
|
|
|
|
August 27th, 2004, 09:35 AM
|
#4
|
|
Frell.
Join Date: Jun 2003
Posts: 21,130
|
wow i love winamp - I still use the older version cuz I have really cool skins that I downloaded - The newer versions suck and this is just another reason not to upgrade!
__________________
Rest in peace, Skkorp. We'll never forget you.
|
|
|
|
|
August 27th, 2004, 09:48 AM
|
#5
|
|
observationist
Join Date: Mar 2003
Location: Wandering the Universe
Posts: 9,933
|
Quote:
|
Originally Posted by thirty-two
wow i love winamp - I still use the older version cuz I have really cool skins that I downloaded - The newer versions suck and this is just another reason not to upgrade!
|
Earlier versions may be vunerable as well. If you are going to continue to use Winamp I would follow these instructions.
Dis-associate the .wsz file type in Windows. Doing this prevents you from installing any new Winamp skins automatically. To dis-associate .wsz files from Winamp, open Windows Explorer and click Tools => Folder Options => File Types tab. Scroll down to locate and highlight the WSZ extension type (which appears only if you have Winamp installed). Highlight it, and either click the Delete button to completely remove the WSZ extension type or click the Change button and select some other application, such as Notepad, to opens .wsz files harmlessly.
I clicked on advanced then deleted the install default behavior. It will than ask you what you want to do with the .wsz file if one is downloaded without your knowledge.
If you have updated WindowsXP to SP2 then this is not such a big concern. |
|
|
|
|
August 27th, 2004, 10:09 AM
|
#6
|
|
Frell.
Join Date: Jun 2003
Posts: 21,130
|
Quote:
|
Originally Posted by SirChaz
Earlier versions may be vunerable as well. If you are going to continue to use Winamp I would follow these instructions.
Dis-associate the .wsz file type in Windows. Doing this prevents you from installing any new Winamp skins automatically. To dis-associate .wsz files from Winamp, open Windows Explorer and click Tools => Folder Options => File Types tab. Scroll down to locate and highlight the WSZ extension type (which appears only if you have Winamp installed). Highlight it, and either click the Delete button to completely remove the WSZ extension type or click the Change button and select some other application, such as Notepad, to opens .wsz files harmlessly.
I clicked on advanced then deleted the install default behavior. It will than ask you what you want to do with the .wsz file if one is downloaded without your knowledge.
If you have updated WindowsXP to SP2 then this is not such a big concern.
|
i have internet explorer - when i go to tools all i see is: synchronize, windows updates and internet options  (i have win 98 if that helps)
__________________
Rest in peace, Skkorp. We'll never forget you.
|
|
|
|
|
August 27th, 2004, 10:23 AM
|
#7
|
|
observationist
Join Date: Mar 2003
Location: Wandering the Universe
Posts: 9,933
|
Quote:
|
Originally Posted by thirty-two
i have internet explorer - when i go to tools all i see is: synchronize, windows updates and internet options (i have win 98 if that helps) |
The setting would be under windows explorer. Open My Computer then Tools. |
|
|
|
|
August 27th, 2004, 10:53 AM
|
#8
|
|
Woof!
Join Date: Aug 2002
Location: Ahwatukee
Posts: 7,414
|
Thanks for the tip, SirChaz!  I found the .wsz file type and removed it.
__________________
|
|
|
|
|
August 27th, 2004, 01:27 PM
|
#9
|
|
Banned
Join Date: May 2002
Location: Mesa
Posts: 35,580
|
Quote:
|
Originally Posted by jw7
Thanks for the tip, SirChaz! I found the .wsz file type and removed it. |
Do you have any payphones??  |
|
|
|
|
August 27th, 2004, 05:42 PM
|
#10
|
|
The Cardinal Smiles
Join Date: Dec 2002
Location: Nashville
Posts: 16,488
|
If you delete the ".wsz" file will everything be all fine and dandy?
I was planning on installing winamp in the near future.
__________________
Signed,
arthurpostpadder
|
|
|
|
|
August 27th, 2004, 08:00 PM
|
#11
|
|
Frell.
Join Date: Jun 2003
Posts: 21,130
|
Quote:
|
Originally Posted by SirChaz
The setting would be under windows explorer. Open My Computer then Tools.
|
I am really sorry, I'm pretty slow when it comes to computers.
When I click on My Computer, all I see are: 3 1/2 inch floppy (a), (c  , (d , printers, control panel, dial up networking, scheduled tasks, and web folders.
no tools.. 
__________________
Rest in peace, Skkorp. We'll never forget you.
|
|
|
|
|
August 27th, 2004, 08:42 PM
|
#12
|
|
observationist
Join Date: Mar 2003
Location: Wandering the Universe
Posts: 9,933
|
Quote:
|
Originally Posted by arthurracoon
If you delete the ".wsz" file will everything be all fine and dandy?
I was planning on installing winamp in the near future.
|
Yes the file type association.
Once you do that Windows will prompt you to choose a program when you encounter a .wsz file.
Quote:
I am really sorry, I'm pretty slow when it comes to computers.
When I click on My Computer, all I see are: 3 1/2 inch floppy (a), (c, (d, printers, control panel, dial up networking, scheduled tasks, and web folders.
no tools..
|
No problem,
Your right there is no "tools" 
On the menu bar at the top click view; folder options
At the top there click the file types tab.
Scroll down untill you find the .wsz extension and delete it.
If you reinstall or upgrade winamp you will probably have to repeat this procedure unless/until they release a patch. |
|
|
|
|
August 30th, 2004, 03:39 PM
|
#13
|
|
observationist
Join Date: Mar 2003
Location: Wandering the Universe
Posts: 9,933
|
Well they fixed it pretty quick. 
Quote:
Winamp Security Bulletin
Published: Aug. 27, 2004
By Steve Gedikian
Nullsoft has issued a fix for a newly discovered security vulnerability affecting Winamp 3.0, 5.0 and 5.0 Pro or newer.
The vulnerability takes advantage of the Winamp Skin installer mechanism coupled with a security hole within the Internet Explorer browser.
To be vulnerable, a user must navigate to a specifically crafted web page which automatically installs a malicious Winamp Skin.
This skin launches an embedded Internet Explorer browser within the Skin using a feature of the Winamp Modern Skin Engine. This malicious Winamp Skin then uses the browser to launch a malicious application bundled within the skin.
There have been reports of this exploit in use on the web to automatically install Adware or Spyware applications without the users consent.
Winamp 5.05 resolves this exploit in two ways:
Winamp will now prompt all users with a confirmation window before installing any skins.
Winamp will now only extract files considered low risk before loading a Winamp Skin.
We strongly urge ALL Winamp users to upgrade to Winamp 5.05 immediately.
Go to the Winamp Player download page to download the latest version of the Winamp.
|
http://www.winamp.com/about/article.php?aid=10605 |
|
|
|
|
August 31st, 2004, 07:42 AM
|
#14
|
|
Frell.
Join Date: Jun 2003
Posts: 21,130
|
Quote:
|
Originally Posted by SirChaz
Well they fixed it pretty quick. |
Thanks for posting this - I just downloaded the new version but kept the classic loook. All is well with the world now
__________________
Rest in peace, Skkorp. We'll never forget you.
|
|
|
|
|
|
Linear Mode
