Forgot your password?
typodupeerror
Security

Winamp Skin Exploit in the Wild 397

Posted by CmdrTaco
from the even-skins-are-dangerous-now dept.
An anonymous reader writes "Secunia.com has announced an exploit (derived from xml escaping the Internet zone into IE's local zone) that exploits Winamp's habit of automatically installing skins. Currently all versions of Winamp are affected. Details on the Winamp forums - apparently an exploit is already in the wild, and spreading."
This discussion has been archived. No new comments can be posted.

Winamp Skin Exploit in the Wild

Comments Filter:
  • by ryane67 (768994) on Thursday August 26, 2004 @03:31PM (#10081476)
    to compromise a system..

    Luckily the masses of windows users are content to use windows media player which should slow the spread of this.

  • by ZipR (584654) on Thursday August 26, 2004 @03:31PM (#10081478)
    I knew that your oh-so-sexy winamp skin would be my downfall.
  • Mozilla (Score:5, Insightful)

    by linuxci (3530) on Thursday August 26, 2004 @03:31PM (#10081480)
    One of the winamp betas had the option to use the mozilla engine rather than the IE one. Shame they never spent more time on this feature then they could easily tell people they could fix this exploit by turning off the MS Engine.
    • Re:Mozilla (Score:5, Informative)

      by JanusFury (452699) <kevin.gaddNO@SPAMgmail.com> on Thursday August 26, 2004 @03:34PM (#10081518) Homepage Journal
      Yeah, I remember that option. Funny, it never worked. I'm still not sure if it was Nullsoft's fault, or if moz embedding is just flaky. I can't really think of any apps I have that embed Gecko - it's all pretty much IE these days.
    • Re:Mozilla (Score:3, Insightful)

      by linzeal (197905)
      Isn't nullsoft part of AOL, which funded netscape which created most of the mozilla engine?

      Using anything from Microsoft's API in this day and age of alternatives is lazy programing, imho.

    • Re:Mozilla (Score:5, Informative)

      by Anonymous Coward on Thursday August 26, 2004 @04:00PM (#10081824)
      This isn't a IE exploit. It can affect Firefox too if your not carefull. It's entirly an Winamp exploit, cause even in firefox it will prompt you to download the file, and open it... if you open it, you're affected. :/

      The link is dead now, but I'm guessing the exe file just looks to see if mIRC is running, and gets the path, and extracts+runs some mIRC scripts. Classic trojan technique. Really not terribly difficult to make.

      ^^^
      taken from Winamp Forums.

      So does it matter?
      • say it out loud... (Score:3, Insightful)

        by Anonymous Coward
        ...it's another WINDOWS problem. The OS and any apps for it are "run at your own peril". That includes mozilla stuff. It's because it's designed to run on WINDOWS.

        WINDOWS
        WINDOWS
        WINDOWS

        I don't care how leet folks think they are, as long as people run windows stuff, develop for windows, run windows apps, think about windows, they are gonna get hosed, sooner or later.

        You would think after 10 years of this stuff that it would be noticed, nope, folks still think just one more patch or one more version higher
      • Re:Mozilla (Score:5, Informative)

        by unixbob (523657) on Thursday August 26, 2004 @05:31PM (#10082643)
        not quite. It's a cross browser problem because whatever browser you use will pass the .wsz or .wal straight to winamp. But the embedded browser in winamp (which is IE) executes an .exe that's included within the .wsz archive because it thinks it's being run from the local zone instead of the Internet Zone. Therefore it's a bug in IE and Windows (and winamp).

        The bug isn't that the browser passes the file to the correct handler app, but that the app itself executes code it shouldn't.
  • by Lux (49200) on Thursday August 26, 2004 @03:31PM (#10081488)
    I propose "flensing."
  • by pestie (141370) on Thursday August 26, 2004 @03:32PM (#10081492) Homepage
    Seems to me I was just bitching about skinning [slashdot.org] and mentioned that security holes were one possible (but unlikely) down-side. I love when the universe makes my point for me.

    • Alas, people like shiny, blinky, glowy things aka bling.

      I won' bother saying what I think of 'skinning' on account it would be moderated as a troll or less because most people like shiny, blinky, glowy things aka bling and I don't...

  • Am I the only one... (Score:5, Interesting)

    by psoriac (81188) on Thursday August 26, 2004 @03:32PM (#10081495)
    who unchecks every option in any program I install that begins with "Automatically [check for/download] and install ..."?
  • Simple solutions (Score:5, Informative)

    by JLSigman (699615) <jlsigman@hotmail.com> on Thursday August 26, 2004 @03:32PM (#10081498) Homepage Journal
    Don't get your skins from anyone but WinAMP.

    OR

    Don't use skins at all.
    • Re:Simple solutions (Score:3, Informative)

      by fulana_lover (652004)
      the article mentioned specifically the problem is that wsz skins are able to escape IE's security policies and run as local computers when sent as XML files, so a malicious website (or HTML email, message board posting, etc) could automatically run the exploit without even your knowledge... time to uninstall winamp...
    • Re:Simple solutions (Score:5, Informative)

      by _Sprocket_ (42527) on Thursday August 26, 2004 @03:52PM (#10081741)


      Don't get your skins from anyone but WinAMP.


      That would be fine advise if the victims knew they were downloading a Winamp skin. The link, however, looks like it is an image file:
      http://socold.de/stuff/schnappi_death.jpg <----- LOOOOOOOOOOOOOOOOOOOOL
      Going clicky-clicky (or otherwise following the link) exacuted a PHP script which would serve up a winamp skin. Since many users have their browsers automagically handle Windamp skins, it would immediately get handed off to Winamp to execute. The skin linked to several files that eventually called an executable within the skin package which in turn loaded one's mIRC client with a script that spat out the above message.

      The victims probably didn't know what hit them.
      • Re:Simple solutions (Score:3, Informative)

        by bigberk (547360)
        The link, however, looks like it is an image file:
        I wrote a small windows program called popURL [pc-tools.net] that let's you quickly get info on a URL such as the file size, MIME type (important obviously), even software running on web server (IIS etc.)
    • Re:Simple solutions (Score:3, Interesting)

      by nkh (750837)
      It's too late for me to post this but there is a plug-in on the Winamp web site that is developped by a spyware company (can't remember the name): the plug-in shows you a girl dancing and of course it's sending a lot of packets throught the internet. The plug-in is available on Winamp's web site!
  • by Anonymous Coward on Thursday August 26, 2004 @03:32PM (#10081499)
    Just as long as the exploit isn't used to install SP2 were all safe.
  • by httpamphibio.us (579491) on Thursday August 26, 2004 @03:33PM (#10081505)
    The Securia.com link [secunia.com] in the profile says that only Winamp 3.x and 5.x. But doesn't mention 2.x... the vast majority of Winamp users I know don't use 3.x or 5.x due to the massive feature bloat.

    Is 2.x actually susceptible or is the submitter incorrect?
    • by Will Fisher (731585) on Thursday August 26, 2004 @03:39PM (#10081578)
      Winamp 2 is NOT affected. Winamp 5 Lite is also NOT affected.

      If you unchecked "Modern Skin Support" in the installer you are also NOT affected.

      You can even remove Modern Skin Support just by renaming Program Files\Winamp\Plugins\gen_ff.dll to gen_ff.dll.old. This will remove the exploit.

      If you fix this way, you will only be able to use classic skins.
    • by lotsofno (733224) on Thursday August 26, 2004 @03:42PM (#10081631)
      .
      What many people don't realize is that Winamp 5 IS Winamp 2 (Check out this this article [winamp.com].). It's the same code, but with extra plug-ins bundled in. The user can choose which plug-ins or features he wants to include or not include when installing. So I'm not sure how you could call the application bloated when the app installs only what the user feels he or she needs.
  • All Versions? (Score:5, Informative)

    by (54)T-Dub (642521) <tpaine@NOspAM.gmail.com> on Thursday August 26, 2004 @03:34PM (#10081524) Journal
    I know that a lot of us "old school" winamp users still use the classic winamp lite v2.81 [plug] I much lighter version of the software[/plug]. The article states that it affects:
    • WinAMP 3.x
    • Winamp 5.x
    • I assume you meant 2.91. It was the last stable, bloat free release. Plus it supports album list, instead of that god awful media library trash that comes with the new stuffs. Yeah, I rant, but it's ok.
  • i hate skins (Score:2, Interesting)

    by avandesande (143899)
    am i the only person that finds ever changing interfaces an annoyance??
    • am i the only person that finds ever changing interfaces an annoyance??

      Apparently not. [slashdot.org]
    • Re:i hate skins (Score:3, Informative)

      by 88NoSoup4U88 (721233)
      It's not about everchanging ; it's about customizing to your own use.
    • Re:i hate skins (Score:3, Interesting)

      by gwernol (167574)
      am i the only person that finds ever changing interfaces an annoyance??

      Ever changing interfaces would indeed be an annoyance, but the point of skins is to let you find the UI you like and stick with it. For any individual user the UI is the same (unless you really want to keep changing it) its just that different users can have different UIs.

      Its a bit like the "bloat" in large applications like Word. Of course most users only use 10-20% of Word's features, but each person can use a subtly different 10-2
    • Re:i hate skins (Score:4, Interesting)

      by topher1kenobe (2041) on Thursday August 26, 2004 @03:58PM (#10081804) Homepage
      I love skins. I pick one and use it for years before switching. Skins allow people to pick an interface they like, something that fits into their desktop style, and leave it there.

      I don't go with random skins, or frequently changing skins. I just browse the library, pick a good one, and stick with it.
      • whatever just put regular buttons on the goddam thing. maybe i should phrased it 'i dont need distracting visual garbage on my computer'

      • Skins allow people to pick an interface they like, something that fits into their desktop style, and leave it there.


        Pick an interface they like? Hah. I wish I could pick the skin I like: None at all. Something that makes the application's interface look and work exactly like every other application I run instead of some incomprehsible and unusable artistic garbage.
    • Re:i hate skins (Score:3, Insightful)

      by blixel (158224)
      am i the only person that finds ever changing interfaces an annoyance??

      Why does it have to be ever changing? Find the look you like and stick with it. If that happens to be the default, great.
  • by Rosco P. Coltrane (209368) on Thursday August 26, 2004 @03:35PM (#10081534)
    Program skins with "browser tags" and "embedded xml"? sheesh, what next, word processor documents that have executable code inside? </sarcasm>
  • Fixes... (Score:5, Informative)

    by xdeadbeef (218700) on Thursday August 26, 2004 @03:35PM (#10081543)
    • Use Firefox as your default browser (which won't auto-launch skins), or...
    • don't install modern skin support in winamp (or delete plugins\gen_ff.dll if you already are installed), or...
    • get winamp 5.05 when it comes out in a day or two.
    • Re:Fixes... (Score:5, Insightful)

      by Thrymm (662097) on Thursday August 26, 2004 @03:45PM (#10081660)
      Amen! I use it to play music, I dont look at the damn thing. I know some people love skins, for me I dont need it, just need to hear the music not see the colors!
    • Re:Fixes... (Score:3, Informative)

      by Egekrusher2K (610429)

      According to the Winamp forums, the default Firefox configuration is just as susceptible to this exploit as IE is. You can change your settings in either browser so that it is not affected by your exploit.

      Fortunately, I use Mozilla. :)

  • by lotsofno (733224) on Thursday August 26, 2004 @03:35PM (#10081545)
    .

    Winamp Unlimited [winampunlimited.com] has a friendly summary on how the worm infects the user, as well as steps one can take to avoid being infected.

    This is also worth noting: "The Nullsoft team have already implemented a patch for this exploit, which will be included in a very-near future release5.04a or 5.05. This next version is already in its third beta stage, and will include several other unrelated changes/fixes."
  • by Anonymous Coward on Thursday August 26, 2004 @03:43PM (#10081635)
    Having to periodically wipe your system and reinstall from backups is a small price to pay for the ability to have your apps look like real equipment.

    I mean, WinAmp can actually look like different kinds of real CD players! Can you believe that? It can look like all sorts of things; it doesn't have to look like a rectangular window at all. That just rocks! You can even change the way it looks at runtime! You can download whole new looks! Man, that is too cool.

    Kudos to those guys. This is the kind of thing that really makes computing fun.

  • things to say (Score:3, Insightful)

    by XO (250276) <blade DOT eric AT gmail DOT com> on Thursday August 26, 2004 @03:45PM (#10081663) Homepage Journal
    Just to comment on all the first 11 posts I see here:

    (1) I've not used WinAmp in many years [like i've not used Windows in many years], but when secunia says the advised course of action is "use another product", i'm guessing that that probably means this feature can not be disabled, or at least not easily? or if it can be, then it's disabling can also be circumvented?

    (2) Absolutely right, having a component of the system that is active to ALL programs, wether it wants it or not, is inviting the most bizarre of security holes. Of course, the WinAmp people probably should come up with a better, more secure transport method for getting their skins around, but it's not really their fault that IE is a pile of crap security wise.

    (3) what kinda genius would figure out that you could embed an xml file, with instructions to run a specific executeable file, within a zipped skin file, and then manage to trigger a security hole in a web-browser module that really shouldn't have a damn thing to do involved with the program that you're sending this virus through? The people who are BREAKING the security I figure have got to be infinitely more intelligent than the people who are CREATING the security.. or at least a whole hell of a lot more creative..

    i really can't imagine that anyone could be thinking, when they write a program like this, "oh, what if someone tries to take advantage of such and such known security flaw in this way through our program, even though they don't have jack and shit to do with each other?" ..

    obviously, you're going to try to cover in advance for security things, but who could predict in attack in such a convoluted fashion?
    • Re:things to say (Score:3, Insightful)

      by gershbaz (766425)
      The whole point of good/secure coding is not anticipating attacks, but just making sure that the program can't do anything *except* what it's supposed to. "Integration" unless its done with secure clear protocols is the source of nearly every security hole for windows.
    • Re:things to say (Score:2, Insightful)

      by maximilln (654768)
      or at least a whole hell of a lot more creative

      That's precisely what this is. It's like checking for secret doors in a dungeon in an old RPG like Bard's Tale. One step forward, check right, check left. One step forward, check right, check left. Repeat until you find an opening.

      This sort of thing could very easily affect Linux as well. As much as I love Linux I've been waiting for someone to spring something like this through Mozilla. It's only a matter of time before someone figures it out.
    • Re:things to say (Score:4, Informative)

      by drinkypoo (153816) <martin.espinoza@gmail.com> on Thursday August 26, 2004 @04:57PM (#10082345) Homepage Journal

      It is possible [slashdot.org] to easily fix this problem.

  • Skinny Dipping (Score:3, Insightful)

    by t_allardyce (48447) on Thursday August 26, 2004 @03:46PM (#10081676) Journal
    Is there any way to actually uninstall IE or atleast make it absolutely not the default browser and ban its exicution or engine use by all other programs and perhaps replace that engine with something else? Considering that was part of a big law-suit surly theres a way? Infact i need IE installed for website testing so the second option would be best.. all i can think of is setting the permissions of the engine dll and IE exicutables but replacing it would be nice too..
  • by hanssprudel (323035) on Thursday August 26, 2004 @03:52PM (#10081748)

    Now that people have started to use firewalls, and the risk of worms and rootkits that infect through open, exploitable, holes grows smaller, it is time to expect more and more exploits to follow alternative vectors.

    Note how many buffer-overflow exploits there have been in server daemons. Well, there is no reason to believe that servers are any worse written with regards to input than client applications - quite the contrary actually.

    People think they are safe with a firewall. But I'm willing to bet there are undiscovered exploits in just about every application they run. WinZip? WinAMP? Acrobat Reader? Media player? Anything that handles files received over the Internet is potentially a vector for viruses and possibly worms.

    This time it was bad escaping, which made the exploit trivial, but there a buffer overflow would have served just as well. Neither firewalls nor anti-virus software will protect you.
  • Yet another unwanted, unnecessary feature involving Internet Explorer embedded into a program that doesn't need it has a remote exploit. To mitigate this problem, disable active anything, automatic anything, and ActiveX anything. That is all.
  • Dumb Question (Score:5, Interesting)

    by ewhac (5844) on Thursday August 26, 2004 @03:54PM (#10081770) Homepage Journal

    For what possible purpose does a skin -- which is essentially nothing more than graphical elements -- need to invoke the browser?

    WTF? Seriously, help me out here. I've only been a programmer for 25 years, so I may not understand the deeply compelling reasons driving such a design decision.

    Schwab

    • I am supposing that envoking the browser is a side-effect of the mini-browser bundled with Winamp since 2.x and the skin applies to it also. If it isn't bad enough to have multiple browser windows open (for the sorry buggers not using tabbed browsing on decent browsers), we can also browse the internet right in Winamp...woohoo!
    • Dumb Answer (Score:3, Interesting)

      by Iscariot_ (166362)
      "so I may not understand the deeply compelling reasons driving such a design decision."

      *raises hand*

      Because since the late 90s EVERY PROGRAM must use the internet in some way. Useful or not. Anyone else notice this trend?
    • Re:Dumb Question (Score:5, Informative)

      by argent (18001) <peter@slashdot.2 ... com minus physic> on Thursday August 26, 2004 @04:22PM (#10082035) Homepage Journal
      A skin invokes the browser because Microsoft's got this tasty-looking rich-text, GUI, and graphics layout and rendering engine that they decided about seven years ago needed to be a core part of the OS. Which is all well and good, but it's not just a rich-text rendering engine, it's pretty much all of Internet Explorer but the window decorations and preferences utility.

      They did this not because it's a good idea for every application to have internet access and rich scripting with only a token sandbox about the potentially untrusted data they're displaying, but because they wanted to keep the DoJ from forcing them to compete with other companies that were producing web browsers.

      My response at the time was to ban the use of IE, Outlook, and any other application that I could think of or that I found out about that was using this component to view untrusted documents. Well, I didn't ban them directly, I talked our CEO into it. I figured that most IT administrators and managers would do the same, because this was obviously just asking for trouble (I didn't know what trouble it would cause, but I knew it was asking for it). Then, when Melissa hit a little while later, I figured THAT would finally be enough to get people to ban these "typhoid mary" applications. I mean, anyone could tell this was doomed.

      Boy, was I naive. I forgot that people who haven't worked on computer security aren't nearly paranoid enough. I expect that on the 10th anniversary of the integration of IE with the desktop people will still believe Microsoft when they say they're serious about security this time.

      And I never would have imagined that Apple would follow suit and use the same LaunchServices for local applications opening things like help files and for web browsers to run plugins, helper apps, and so on...

      For the love of god, people, get on the horn to Microsoft, and Apple, and the folks at Mozilla.org who are still using these inherently broken APIs themselves (yes, Firefox has been demonstrated to respond to a couple of the same exploits). Tell them that ENOUGH is ENOUGH. You can't fix this with better heuristics, you can only fix it by making the sandbox unconditional... seperate the display code and the access code and give each application a choice of bindings (at the VERY least, 'this is the binding for trusted documents, this is the binding for untrusted documents, and this is the binding for you specifically').
  • That's why I use QCD:

    http://www.quinnware.com
  • revenge (Score:5, Funny)

    by bersl2 (689221) on Thursday August 26, 2004 @04:01PM (#10081832) Journal
    I'm pretty sure the llama is tired of getting its ass whipped.
  • Yet another reason that skinnable apps are evil [livejournal.com].
  • by nurb432 (527695) on Thursday August 26, 2004 @04:23PM (#10082038) Homepage Journal
    "Good ole microsoft has this thing called media player that plays my mp3's..."

    "Cant trust those evil 3rd party hacker programs... Thats what they say they wouldnt lie.. See this just proves it.."

    Not that Microsoft would be *that* evil to release exploits for 3rd party apps.... but its an idea..
  • by CodeMaster (28069) on Thursday August 26, 2004 @04:23PM (#10082040)
    Still trying to figure out - is it winamp's fault that an XML character escape sequence causes stupid IE to run as in a local zone.

    This isn't the first app that gets nailed just because it was using IE (for whatever extent of use - full rendering or peripheral stuff like SSL Certificate handling or XML processing).

    Just add this to the IE screwups tally :-)

    get a free iPod! [freeipods.com][This really works! - I have only 3 more referrals to go, my buddy already got his iPod (I should have gotten into this earlier :-(]
  • i'm famous! (Score:3, Interesting)

    by DaWolfey (808610) on Thursday August 26, 2004 @04:30PM (#10082098)
    I've never been linked to (well, indirectly) on slashdot before - it's my 30 seconds of fame!

    Just to add to the original thread a little, I only saw the worm spreading on IRC and I only saw 2 people who were spamming the link - like all mirc worms the infected person doesn't know they are doing it until someone tells them.

    I guess it's not got very far - since I reported the exploit i've not seen another spammed link for it.
  • by endersdouble (719120) on Thursday August 26, 2004 @04:44PM (#10082242)
    Not only does evil P2P software break the law, it helps infect your computer! A program called Winamp, used by illegal copyright infringers to play their music files called MP3s, has a security hole allowing evil hackers to enter your system! We need to band together to ban this evil and dangerous Winamp program. Remember, no matter what, it is WRONG to use Winamp to play downloaded MP3s--and now, it is dangerous. Respect copyrights; uninstall Winamp.
  • Even more fun... (Score:4, Insightful)

    by jejones (115979) on Thursday August 26, 2004 @04:58PM (#10082354) Journal
    The last time I tried it, WinAmp wouldn't work for me unless I had administrator privileges--so this exploit can do maximal damage. Maybe this will move a rewrite to work reasonably in a multi-user environment up on their priority list? (We can hope...)
  • Foo! (Score:5, Insightful)

    by ralphus (577885) on Thursday August 26, 2004 @05:07PM (#10082423)
    Why are you geeks worried? Shouldn't you be using Foobar2000 [foobar2000.org] anyway? It is about 2000 X better than winamp and packed with geek friendly features.
  • by poohsuntzu (753886) on Thursday August 26, 2004 @05:23PM (#10082571) Homepage
    It's how it is delivered. The simpilest way involves:

    iframe src="http://www.blah.com/winamphackedskin.wsz"

    That right there, in any browser, will initiate a download of the winamp skin file. In Opera/Firefox/Mozilla you are given a download confirmation prompt. However, if IE is your default browser then IE will auto download and install the winamp skin without your knowledge.. or at least until your winamp pops up suddenly with a new skin. We can't tell people to "don't download skins" merely because it's far more serious than that. Manual skin changing or not, that iframe trick is going to nail a lot of people.

    The best bet would be to ignore winamp completely until a patch can be provided, or have Firefox set as your default browser.
  • by Spuffin (466692) on Thursday August 26, 2004 @06:51PM (#10083227)
    Use Work Offline mode in IE when you aren't using it. This setting will be saved even when you close IE thus keeping IE exploits such as this down. As a side note, it also kills the ads in AIM which is a nice plus. The only downside is when a program does try to access the internet using IE (such as AIM) it prompts you to Stay Offline or Connect. All you have to do is click stay offline and you'll be fine. If anyone knows how to suppress this prompt I would love to hear it.
  • by inkswamp (233692) on Friday August 27, 2004 @04:34AM (#10086228)
    Does it take a freakin' rocket scientist to figure out that any time your software does something automatically, especially if it's something dealing with the network/Internet, you should think very carefully about how necessary the feature is? That is, consider whether it should even be there at all. It seems that a lot of security issues could be stopped if developers and software companies would just let the user decide when and (most importantly) if at all a piece of software does something automatically. At the very least, there should be a way to turn the feature off and the developer should ship with the feature disabled by default.

When speculation has done its worst, two plus two still equals four. -- S. Johnson

Working...