Winamp Skin Exploit in the Wild 397
An anonymous reader writes "Secunia.com has announced an exploit (derived from xml escaping the Internet zone into IE's local zone) that exploits Winamp's habit of automatically installing skins. Currently all versions of Winamp are affected. Details on the Winamp forums - apparently an exploit is already in the wild, and spreading."
Mozilla (Score:5, Insightful)
Re:Mozilla (Score:3, Insightful)
Using anything from Microsoft's API in this day and age of alternatives is lazy programing, imho.
Re:Easy fix (Score:3, Insightful)
Re:yet another way... (Score:5, Insightful)
Seems like the same old crap to me...
You convince some sucker to download and load something that isn't what it says it is. We've reported aim exploits that hide themselves as screensavers recently. [tech-recipes.com]
It's a major security problem when a program blindly executes something. Period.
It's a major security problem when people download untrusted winamp skins on IRC.
What can you do?
Re:Further evidence that skinning is stupid (Score:2, Insightful)
Alas, people like shiny, blinky, glowy things aka bling.
I won' bother saying what I think of 'skinning' on account it would be moderated as a troll or less because most people like shiny, blinky, glowy things aka bling and I don't...
Re:Just another reason (Score:2, Insightful)
Re:Fixes... (Score:5, Insightful)
things to say (Score:3, Insightful)
(1) I've not used WinAmp in many years [like i've not used Windows in many years], but when secunia says the advised course of action is "use another product", i'm guessing that that probably means this feature can not be disabled, or at least not easily? or if it can be, then it's disabling can also be circumvented?
(2) Absolutely right, having a component of the system that is active to ALL programs, wether it wants it or not, is inviting the most bizarre of security holes. Of course, the WinAmp people probably should come up with a better, more secure transport method for getting their skins around, but it's not really their fault that IE is a pile of crap security wise.
(3) what kinda genius would figure out that you could embed an xml file, with instructions to run a specific executeable file, within a zipped skin file, and then manage to trigger a security hole in a web-browser module that really shouldn't have a damn thing to do involved with the program that you're sending this virus through? The people who are BREAKING the security I figure have got to be infinitely more intelligent than the people who are CREATING the security.. or at least a whole hell of a lot more creative..
i really can't imagine that anyone could be thinking, when they write a program like this, "oh, what if someone tries to take advantage of such and such known security flaw in this way through our program, even though they don't have jack and shit to do with each other?"
obviously, you're going to try to cover in advance for security things, but who could predict in attack in such a convoluted fashion?
Assistance for the clueless (Score:1, Insightful)
Skinny Dipping (Score:3, Insightful)
Re:Just another reason (Score:2, Insightful)
Re:Further evidence that skinning is stupid (Score:1, Insightful)
Sure MacOS X is pretty, and consistant. It would seem that Apple agrees with me. So why do they make their QuickTime player for Windows so out of place? I like non-destructive configuration options to be be auto applied (like GNOME and Mac OS do), but that style of interface is in total contract with Windows OK, Apply, Cancel system.
I think it was Winamp's fault that all media players now have to have their own skinable widget set. I wish this exploit would do something to stop the madness, but I fear not.
Re:things to say (Score:3, Insightful)
Re:things to say (Score:2, Insightful)
That's precisely what this is. It's like checking for secret doors in a dungeon in an old RPG like Bard's Tale. One step forward, check right, check left. One step forward, check right, check left. Repeat until you find an opening.
This sort of thing could very easily affect Linux as well. As much as I love Linux I've been waiting for someone to spring something like this through Mozilla. It's only a matter of time before someone figures it out.
Re:i hate skins (Score:3, Insightful)
Why does it have to be ever changing? Find the look you like and stick with it. If that happens to be the default, great.
How to fix IE, Safari, and everything else... (Score:5, Insightful)
If you use the *same* application, API, or application binding (eg, the file type bindings used by the desktop and the MS HTML control, or Apple's LaunchServices) for both sandboxed and trusted objects, then you open up the possibility that an untrusted object will look like a trusted object, or that an untrusted object will be passed to a handler that isn't inherently safe.
Apple blew this with launchServices, and they still haven't really fixed the underlying problem. But they've only been in denial a few months, whereas Microsoft has been in denial about this for seven years, so let's look at Microsoft...
Let's suppose the HTML control was split up, so it only did rendering. Whenever it wanted to open a file, open a URL, run a script, load a plug-in, it would ask the parent application "what do I do about a CHM file" or "what do I do about <script language=vbscript>". You'd have an "HTML-only control" and a "Web Access control" and IE would be a very slightly thicker wrapper around both.
So then you register "Word Viewer"[1] with Outlook and IE as the helper application for Word documents, and "Word" with Windows Explorer as the helper application for trusted Word documents. If this was done, then Outlook (which would be a sandboxing application in this model) would open "Word Viewer" for untrusted documents.
Viola, no more email-spread Word macro viruses.
Similarly, Outlook would decline to run VBscript, and IE would decline to run the Windows Update plugin... you'd have a Windows Update program that was a thin shell around the HTML-only control... one that only opened windows update.
Microsoft could have their cake and eat it too, and EVERYONE would have a more secure and less spammy environment.
Re:Just another reason to use iTunes, I guess (Score:2, Insightful)
Memory is cheap, but that doesn't mean I want Apple deciding it can just use mine for code that never executes (or even worse, executes when I don't need it).
Re:winamp skin (Score:2, Insightful)
It really annoying that IE integration can't be disabled or if it's even possible to integrate with another browser.
I don't know exactly how it works, but certain streams will pop open the Winamp browser window to the stream's home page and the stream's home page has popups.
In fact, due to integration with IE, even if you don't use IE for any browsing, someone could set up an enticing stream (**cough**pr0n**cough) and infect a lot of people with malware who think they're safe because they never websurf with IE.
Re:i hate skins (Score:3, Insightful)
Pick an interface they like? Hah. I wish I could pick the skin I like: None at all. Something that makes the application's interface look and work exactly like every other application I run instead of some incomprehsible and unusable artistic garbage.
Re:Simple solutions (Score:3, Insightful)
Winamp parses the XML file which contains an embedded link to the
Why are markup languages allowed to link to executables? Allowing arbitrary hotlinks to an untrusted location without proper validation is a security hole the size of an aircraft carrier.
Re:Further evidence that skinning is stupid (Score:2, Insightful)
I think I speak for a lot of people when I say... (Score:4, Insightful)
Even more fun... (Score:4, Insightful)
Foo! (Score:5, Insightful)
say it out loud... (Score:3, Insightful)
WINDOWS
WINDOWS
WINDOWS
I don't care how leet folks think they are, as long as people run windows stuff, develop for windows, run windows apps, think about windows, they are gonna get hosed, sooner or later.
You would think after 10 years of this stuff that it would be noticed, nope, folks still think just one more patch or one more version higher of their windows apps or OS is gonna magically fix windows.
Charlie Brown
Lucy
Lucy holding football
Charlie Brown on his butt looking lame
Charlie Brown = windows
Lucy = windows apps
Lucy holding football = thinking just this one more time, that this is the time she will hold it correctly, that just this time it will work and be "secure"
Charlie Brown on his butt for the 9,863rd time = windows users, never learn, always going to think if they hold out one more time it will be OK.
Re:Mozilla (Score:3, Insightful)
The real problem is that DOS was never designed to be networked, and that carried over into Windows. NT's access control is based on VAX/VMS, which is rather OTT for most people's requirements, and so most people simply don't use it. Unix/Linux/OSX access control, while less sophisticated, is at least more likely to be used properly.
Hardware no-execute (NX) is an absolute red herring in this context, BTW. It can always be bypassed in software -- otherwise you would have a Computationally Incomplete system -- and, if you can persuade a user to execute arbitrary software on a system without NX, you can just as easily persuade a user to execute the NX bypass exploit on a system with NX.
Re:Macs (Score:3, Insightful)
I realize you're trolling, but I'm bored...
Yes, Apple DOES decide for you that you need a web browser in every application on the operating system. Is it insecure? Well, not that we know of right now, because Apple patches the holes when they're found, just like Microsoft does (but yes, Apple's browser does have fewer security holes than Microsoft's).
Safari is 13MB, 10.1MB of which is localized text (for menus, dialog boxes, etc.) for languages other than English. It would be less than 3MB if you stripped that out (and you can get a program to do that for you, system-wide, if you want). Why? Because it doesn't include the HTML rendering engine.
The fact that OS X has not yet had one critical exploit speaks for itself. (And yes, OS 7-8 *did* have quite a few exploits and viruses.)
Wrong again. According to Steve Jobs [alwayson-network.com]:
By the way, if you're interested in the HTML rendering engine that Apple includes in Mac OS X and makes available to all applications (just like Microsoft does), the source code is here [apple.com] (it's LGPL). OK, so that's not like Microsoft.
When will software companies and developers learn? (Score:3, Insightful)