Forgot your password?
typodupeerror
Security

Winamp Skin Exploit in the Wild 397

Posted by CmdrTaco
from the even-skins-are-dangerous-now dept.
An anonymous reader writes "Secunia.com has announced an exploit (derived from xml escaping the Internet zone into IE's local zone) that exploits Winamp's habit of automatically installing skins. Currently all versions of Winamp are affected. Details on the Winamp forums - apparently an exploit is already in the wild, and spreading."
This discussion has been archived. No new comments can be posted.

Winamp Skin Exploit in the Wild

Comments Filter:
  • Simple solutions (Score:5, Informative)

    by JLSigman (699615) <jlsigman@hotmail.com> on Thursday August 26, 2004 @02:32PM (#10081498) Homepage Journal
    Don't get your skins from anyone but WinAMP.

    OR

    Don't use skins at all.
  • by httpamphibio.us (579491) on Thursday August 26, 2004 @02:33PM (#10081505)
    The Securia.com link [secunia.com] in the profile says that only Winamp 3.x and 5.x. But doesn't mention 2.x... the vast majority of Winamp users I know don't use 3.x or 5.x due to the massive feature bloat.

    Is 2.x actually susceptible or is the submitter incorrect?
  • Re:Mozilla (Score:5, Informative)

    by JanusFury (452699) <kevin.gadd@gmail. c o m> on Thursday August 26, 2004 @02:34PM (#10081518) Homepage Journal
    Yeah, I remember that option. Funny, it never worked. I'm still not sure if it was Nullsoft's fault, or if moz embedding is just flaky. I can't really think of any apps I have that embed Gecko - it's all pretty much IE these days.
  • All Versions? (Score:5, Informative)

    by (54)T-Dub (642521) <tpaine@@@gmail...com> on Thursday August 26, 2004 @02:34PM (#10081524) Journal
    I know that a lot of us "old school" winamp users still use the classic winamp lite v2.81 [plug] I much lighter version of the software[/plug]. The article states that it affects:
    • WinAMP 3.x
    • Winamp 5.x
  • Fixes... (Score:5, Informative)

    by xdeadbeef (218700) on Thursday August 26, 2004 @02:35PM (#10081543)
    • Use Firefox as your default browser (which won't auto-launch skins), or...
    • don't install modern skin support in winamp (or delete plugins\gen_ff.dll if you already are installed), or...
    • get winamp 5.05 when it comes out in a day or two.
  • by lotsofno (733224) on Thursday August 26, 2004 @02:35PM (#10081545)
    .

    Winamp Unlimited [winampunlimited.com] has a friendly summary on how the worm infects the user, as well as steps one can take to avoid being infected.

    This is also worth noting: "The Nullsoft team have already implemented a patch for this exploit, which will be included in a very-near future release5.04a or 5.05. This next version is already in its third beta stage, and will include several other unrelated changes/fixes."
  • Re:Simple solutions (Score:3, Informative)

    by fulana_lover (652004) on Thursday August 26, 2004 @02:37PM (#10081553)
    the article mentioned specifically the problem is that wsz skins are able to escape IE's security policies and run as local computers when sent as XML files, so a malicious website (or HTML email, message board posting, etc) could automatically run the exploit without even your knowledge... time to uninstall winamp...
  • by Will Fisher (731585) on Thursday August 26, 2004 @02:39PM (#10081578)
    Winamp 2 is NOT affected. Winamp 5 Lite is also NOT affected.

    If you unchecked "Modern Skin Support" in the installer you are also NOT affected.

    You can even remove Modern Skin Support just by renaming Program Files\Winamp\Plugins\gen_ff.dll to gen_ff.dll.old. This will remove the exploit.

    If you fix this way, you will only be able to use classic skins.
  • by lotsofno (733224) on Thursday August 26, 2004 @02:42PM (#10081631)
    .
    What many people don't realize is that Winamp 5 IS Winamp 2 (Check out this this article [winamp.com].). It's the same code, but with extra plug-ins bundled in. The user can choose which plug-ins or features he wants to include or not include when installing. So I'm not sure how you could call the application bloated when the app installs only what the user feels he or she needs.
  • Fixed in betas! (Score:1, Informative)

    by oliverjms (548028) on Thursday August 26, 2004 @02:44PM (#10081657)
    Check out www.winampunlimited.com [winampunlimited.com] for more details
  • Re:Fixes... (Score:3, Informative)

    by Egekrusher2K (610429) on Thursday August 26, 2004 @02:48PM (#10081710) Homepage

    According to the Winamp forums, the default Firefox configuration is just as susceptible to this exploit as IE is. You can change your settings in either browser so that it is not affected by your exploit.

    Fortunately, I use Mozilla. :)

  • Re:Simple solutions (Score:5, Informative)

    by _Sprocket_ (42527) on Thursday August 26, 2004 @02:52PM (#10081741)


    Don't get your skins from anyone but WinAMP.


    That would be fine advise if the victims knew they were downloading a Winamp skin. The link, however, looks like it is an image file:
    http://socold.de/stuff/schnappi_death.jpg <----- LOOOOOOOOOOOOOOOOOOOOL
    Going clicky-clicky (or otherwise following the link) exacuted a PHP script which would serve up a winamp skin. Since many users have their browsers automagically handle Windamp skins, it would immediately get handed off to Winamp to execute. The skin linked to several files that eventually called an executable within the skin package which in turn loaded one's mIRC client with a script that spat out the above message.

    The victims probably didn't know what hit them.
  • by gwernol (167574) on Thursday August 26, 2004 @02:52PM (#10081750)
    I'm an idiot--I don't get it. Can anybody help?

    Flensing means to remove the skin [bartleby.com] from something.
  • Re:i hate skins (Score:3, Informative)

    by 88NoSoup4U88 (721233) on Thursday August 26, 2004 @02:56PM (#10081784)
    It's not about everchanging ; it's about customizing to your own use.
  • Re:Mozilla (Score:5, Informative)

    by Anonymous Coward on Thursday August 26, 2004 @03:00PM (#10081824)
    This isn't a IE exploit. It can affect Firefox too if your not carefull. It's entirly an Winamp exploit, cause even in firefox it will prompt you to download the file, and open it... if you open it, you're affected. :/

    The link is dead now, but I'm guessing the exe file just looks to see if mIRC is running, and gets the path, and extracts+runs some mIRC scripts. Classic trojan technique. Really not terribly difficult to make.

    ^^^
    taken from Winamp Forums.

    So does it matter?
  • Re:Skinny Dipping (Score:4, Informative)

    by MrNemesis (587188) on Thursday August 26, 2004 @03:06PM (#10081879) Homepage Journal
    Yes.

    http://http//www.crackbaby.com/article.php?sid=100 93 [http]

    Not tried it myself yet, but it replaces all calls to IE with calls to the browser of your choice.
  • Re:Dumb Question (Score:2, Informative)

    by Pedrostolemaburrito (808604) on Thursday August 26, 2004 @03:10PM (#10081907)
    I am supposing that envoking the browser is a side-effect of the mini-browser bundled with Winamp since 2.x and the skin applies to it also. If it isn't bad enough to have multiple browser windows open (for the sorry buggers not using tabbed browsing on decent browsers), we can also browse the internet right in Winamp...woohoo!
  • Re:Winamp 2.xx..... (Score:5, Informative)

    by CritterNYC (190163) on Thursday August 26, 2004 @03:12PM (#10081930) Homepage
    Who the fuck uses the crappy bloated recourse hog that is 5.x anyway.... ah Internet Explorer users.

    5.x playing in the background using 0% CPU and under 6mb of RAM... about what 2.x uses... with a feature-set comparable to iTunes without the huge iTunes resource overhead, 3 installed services, etc, etc. A "lightweight" media player like foobar2000 is ~1% CPU and 11mb RAM.
  • Re:Easy fix (Score:3, Informative)

    by mlyle (148697) on Thursday August 26, 2004 @03:14PM (#10081954)
    Wrong. All you need to do is open a wsz file in order to get exploited-- subsequent network access isn't required. And internet explorer is happy to auto-open that wsz file for you.
  • by Animats (122034) on Thursday August 26, 2004 @03:20PM (#10082020) Homepage
    Try Freeamp/Zinf [zinf.org], the open source replacement for Winamp.

    Of course, they had to put in "themes", but at least it doesn't download them itself.

  • Re:Dumb Question (Score:5, Informative)

    by argent (18001) <peter@NOsPam.slashdot.2006.taronga.com> on Thursday August 26, 2004 @03:22PM (#10082035) Homepage Journal
    A skin invokes the browser because Microsoft's got this tasty-looking rich-text, GUI, and graphics layout and rendering engine that they decided about seven years ago needed to be a core part of the OS. Which is all well and good, but it's not just a rich-text rendering engine, it's pretty much all of Internet Explorer but the window decorations and preferences utility.

    They did this not because it's a good idea for every application to have internet access and rich scripting with only a token sandbox about the potentially untrusted data they're displaying, but because they wanted to keep the DoJ from forcing them to compete with other companies that were producing web browsers.

    My response at the time was to ban the use of IE, Outlook, and any other application that I could think of or that I found out about that was using this component to view untrusted documents. Well, I didn't ban them directly, I talked our CEO into it. I figured that most IT administrators and managers would do the same, because this was obviously just asking for trouble (I didn't know what trouble it would cause, but I knew it was asking for it). Then, when Melissa hit a little while later, I figured THAT would finally be enough to get people to ban these "typhoid mary" applications. I mean, anyone could tell this was doomed.

    Boy, was I naive. I forgot that people who haven't worked on computer security aren't nearly paranoid enough. I expect that on the 10th anniversary of the integration of IE with the desktop people will still believe Microsoft when they say they're serious about security this time.

    And I never would have imagined that Apple would follow suit and use the same LaunchServices for local applications opening things like help files and for web browsers to run plugins, helper apps, and so on...

    For the love of god, people, get on the horn to Microsoft, and Apple, and the folks at Mozilla.org who are still using these inherently broken APIs themselves (yes, Firefox has been demonstrated to respond to a couple of the same exploits). Tell them that ENOUGH is ENOUGH. You can't fix this with better heuristics, you can only fix it by making the sandbox unconditional... seperate the display code and the access code and give each application a choice of bindings (at the VERY least, 'this is the binding for trusted documents, this is the binding for untrusted documents, and this is the binding for you specifically').
  • All Versions? (Score:1, Informative)

    by Gates82 (706573) on Thursday August 26, 2004 @03:31PM (#10082106)
    I still use winamp 1.90, I highly doubt that it will be affected. Besides what's a skine?!
  • by Osty (16825) on Thursday August 26, 2004 @03:41PM (#10082210)

    XMMS is a wonderful media player XMMS is a multimedia player for unix systems
    (emphasis added by me)

    And Winamp is a multimedia player for Windows systems (with the exception of a horribly crappy alpha version of the now-dead 3.0 release of Winamp that was made available on Linux, but that hardly counts does it?). If I'm a Winamp user, I'm using Windows, and so XMMS is not an option. Why would I change my entire operating system simply to get a media player that started life as a duplicate of the one I already have on Windows (and XMMS still is little more than a Winamp-wannabe)?

  • Re:Mozilla (Score:2, Informative)

    by Aggrajag (716041) on Thursday August 26, 2004 @03:48PM (#10082271)
    MyIE2 has embedded Gecko browser and it seems to work ok. http://www.myie2.com/ [myie2.com]
  • by Kurrurrin (790594) on Thursday August 26, 2004 @03:51PM (#10082302)
    Foobar does
    http://www.foobar2000.org/ [foobar2000.org]
    Handy, simple, small, and will go straight to the system tray.
  • Re:things to say (Score:4, Informative)

    by drinkypoo (153816) <martin.espinoza@gmail.com> on Thursday August 26, 2004 @03:57PM (#10082345) Homepage Journal

    It is possible [slashdot.org] to easily fix this problem.

  • by That's Unpossible! (722232) * on Thursday August 26, 2004 @04:04PM (#10082401)
    Good thing you never looked back. We're all pointing and laughing at you.

    Seriously man... posting this comment in a thread detailing an exploit in your elitist program is kinda... retarded.

    WinAmp exploits: 2 (that I know of [securiteam.com])
    iTunes exploits: 0

    Let's keep score.
  • Re:Mozilla (Score:3, Informative)

    by Quarters (18322) on Thursday August 26, 2004 @04:13PM (#10082465)
    Maxthon (aka MyIE2) uses an ActiveX version of the Gecko engine. When Maxthon is in that mode most of the standard features don't work, the right-click menu is truncated down to just a few core items, and the overall experience isn't all that hot.

    The author of Maxthon has said that the engine-switch option is there so web designers can check their pages quickly without having to have a multitude of browsers on their machines. It's not intended to be a generalized replacement for the IE libs that Maxthon is built on.

  • by poohsuntzu (753886) on Thursday August 26, 2004 @04:23PM (#10082571) Homepage
    It's how it is delivered. The simpilest way involves:

    iframe src="http://www.blah.com/winamphackedskin.wsz"

    That right there, in any browser, will initiate a download of the winamp skin file. In Opera/Firefox/Mozilla you are given a download confirmation prompt. However, if IE is your default browser then IE will auto download and install the winamp skin without your knowledge.. or at least until your winamp pops up suddenly with a new skin. We can't tell people to "don't download skins" merely because it's far more serious than that. Manual skin changing or not, that iframe trick is going to nail a lot of people.

    The best bet would be to ignore winamp completely until a patch can be provided, or have Firefox set as your default browser.
  • Re:Mozilla (Score:5, Informative)

    by unixbob (523657) on Thursday August 26, 2004 @04:31PM (#10082643)
    not quite. It's a cross browser problem because whatever browser you use will pass the .wsz or .wal straight to winamp. But the embedded browser in winamp (which is IE) executes an .exe that's included within the .wsz archive because it thinks it's being run from the local zone instead of the Internet Zone. Therefore it's a bug in IE and Windows (and winamp).

    The bug isn't that the browser passes the file to the correct handler app, but that the app itself executes code it shouldn't.
  • Re:Simple solutions (Score:3, Informative)

    by bigberk (547360) <bigberk@users.pc9.org> on Thursday August 26, 2004 @04:32PM (#10082648)
    The link, however, looks like it is an image file:
    I wrote a small windows program called popURL [pc-tools.net] that let's you quickly get info on a URL such as the file size, MIME type (important obviously), even software running on web server (IIS etc.)
  • by Condor7 (541565) <Condor7 AT operamail DOT com> on Thursday August 26, 2004 @07:57PM (#10084138)


    Can anyone recommend a Windows based media player that plays most all formats (mp3, divx, avi, mpeg, whatever), that ISNT some overly feature laden, skinnable piece of Britney candy?

    Media Player Classic at SourceForge [sourceforge.net], Afterdawn [afterdawn.com], or Divx Digest [divx-digest.com].

I am here by the will of the people and I won't leave until I get my raincoat back. - a slogan of the anarchists in Richard Kadrey's "Metrophage"

Working...