Winamp Skin Exploit in the Wild

An anonymous reader writes "Secunia.com has announced an exploit (derived from xml escaping the Internet zone into IE's local zone) that exploits Winamp's habit of automatically installing skins. Currently all versions of Winamp are affected. Details on the Winamp forums - apparently an exploit is already in the wild, and spreading."

Mozilla

[linuxci]

One of the winamp betas had the option to use the mozilla engine rather than the IE one. Shame they never spent more time on this feature then they could easily tell people they could fix this exploit by turning off the MS Engine.

Re:Mozilla

[linzeal]

Isn't nullsoft part of AOL, which funded netscape which created most of the mozilla engine?

Using anything from Microsoft's API in this day and age of alternatives is lazy programing, imho.

Re:Easy fix

[Robotech_Master]

Of course, then you can't listen to Internet radio [shoutcast.com]...

Re:yet another way...

[BoldAC]

Yet another way?

Seems like the same old crap to me...

You convince some sucker to download and load something that isn't what it says it is. We've reported aim exploits that hide themselves as screensavers recently. [tech-recipes.com]

It's a major security problem when a program blindly executes something. Period.

It's a major security problem when people download untrusted winamp skins on IRC.

What can you do?

Re:Further evidence that skinning is stupid

[jo42]

Alas, people like shiny, blinky, glowy things aka bling.

I won' bother saying what I think of 'skinning' on account it would be moderated as a troll or less because most people like shiny, blinky, glowy things aka bling and I don't...

Re:Just another reason

[happyemoticon]

Damn dude, I was going to step up and prosleritize 'NIX/XMMS, but you beat me to it:) By the same token you could support good ol' Winamp 2, which is basically the same thing. Ooo, winamp 5; look at all the useless, animated, colorful features!

Re:Fixes...

[Thrymm]

Amen! I use it to play music, I dont look at the damn thing. I know some people love skins, for me I dont need it, just need to hear the music not see the colors!

things to say

[XO]

Just to comment on all the first 11 posts I see here:

(1) I've not used WinAmp in many years [like i've not used Windows in many years], but when secunia says the advised course of action is "use another product", i'm guessing that that probably means this feature can not be disabled, or at least not easily? or if it can be, then it's disabling can also be circumvented?

(2) Absolutely right, having a component of the system that is active to ALL programs, wether it wants it or not, is inviting the most bizarre of security holes. Of course, the WinAmp people probably should come up with a better, more secure transport method for getting their skins around, but it's not really their fault that IE is a pile of crap security wise.

(3) what kinda genius would figure out that you could embed an xml file, with instructions to run a specific executeable file, within a zipped skin file, and then manage to trigger a security hole in a web-browser module that really shouldn't have a damn thing to do involved with the program that you're sending this virus through? The people who are BREAKING the security I figure have got to be infinitely more intelligent than the people who are CREATING the security.. or at least a whole hell of a lot more creative..

i really can't imagine that anyone could be thinking, when they write a program like this, "oh, what if someone tries to take advantage of such and such known security flaw in this way through our program, even though they don't have jack and shit to do with each other?" ..

obviously, you're going to try to cover in advance for security things, but who could predict in attack in such a convoluted fashion?

Assistance for the clueless

[Anonymous Coward]

I'm an idiot--I don't get it. Can anybody help?

Skinny Dipping

[t_allardyce]

Is there any way to actually uninstall IE or atleast make it absolutely not the default browser and ban its exicution or engine use by all other programs and perhaps replace that engine with something else? Considering that was part of a big law-suit surly theres a way? Infact i need IE installed for website testing so the second option would be best.. all i can think of is setting the permissions of the engine dll and IE exicutables but replacing it would be nice too..

Re:Just another reason

[name773]

see? more of a fix than you'd first assume :)

Re:Further evidence that skinning is stupid

[Neon Spiral Injector]

If I were to like shiny, blinky, glowy things aka bling, which I don't, I'd want my entire UI to be shiny, blinky, glowy things aka bling. I find apps that don't use the default toolkit (in any OS) to really clash with everything else.

Sure MacOS X is pretty, and consistant. It would seem that Apple agrees with me. So why do they make their QuickTime player for Windows so out of place? I like non-destructive configuration options to be be auto applied (like GNOME and Mac OS do), but that style of interface is in total contract with Windows OK, Apply, Cancel system.

I think it was Winamp's fault that all media players now have to have their own skinable widget set. I wish this exploit would do something to stop the madness, but I fear not.

Re:things to say

[gershbaz]

The whole point of good/secure coding is not anticipating attacks, but just making sure that the program can't do anything *except* what it's supposed to. "Integration" unless its done with secure clear protocols is the source of nearly every security hole for windows.

Re:things to say

[maximilln]

or at least a whole hell of a lot more creative

That's precisely what this is. It's like checking for secret doors in a dungeon in an old RPG like Bard's Tale. One step forward, check right, check left. One step forward, check right, check left. Repeat until you find an opening.

This sort of thing could very easily affect Linux as well. As much as I love Linux I've been waiting for someone to spring something like this through Mozilla. It's only a matter of time before someone figures it out.

Re:i hate skins

[blixel]

am i the only person that finds ever changing interfaces an annoyance??

Why does it have to be ever changing? Find the look you like and stick with it. If that happens to be the default, great.

How to fix IE, Safari, and everything else...

[argent]

ANY library that works like the Microsoft HTML control (this is what Microsoft calls all the non-trivial bits of Internet Explorer... the IE application is just a thin wrapper around this) is at risk for exploitation. The only way to be sure that nobody's going to break out of your sandbox is to make sure that the application that creates the sandbox is the application that controls access from the sandbox, and that any helper applications it calls unconditionally implement their own sandboxes.

If you use the *same* application, API, or application binding (eg, the file type bindings used by the desktop and the MS HTML control, or Apple's LaunchServices) for both sandboxed and trusted objects, then you open up the possibility that an untrusted object will look like a trusted object, or that an untrusted object will be passed to a handler that isn't inherently safe.

Apple blew this with launchServices, and they still haven't really fixed the underlying problem. But they've only been in denial a few months, whereas Microsoft has been in denial about this for seven years, so let's look at Microsoft...

Let's suppose the HTML control was split up, so it only did rendering. Whenever it wanted to open a file, open a URL, run a script, load a plug-in, it would ask the parent application "what do I do about a CHM file" or "what do I do about <script language=vbscript>". You'd have an "HTML-only control" and a "Web Access control" and IE would be a very slightly thicker wrapper around both.

So then you register "Word Viewer"[1] with Outlook and IE as the helper application for Word documents, and "Word" with Windows Explorer as the helper application for trusted Word documents. If this was done, then Outlook (which would be a sandboxing application in this model) would open "Word Viewer" for untrusted documents.

Viola, no more email-spread Word macro viruses.

Similarly, Outlook would decline to run VBscript, and IE would decline to run the Windows Update plugin... you'd have a Windows Update program that was a thin shell around the HTML-only control... one that only opened windows update.

Microsoft could have their cake and eat it too, and EVERYONE would have a more secure and less spammy environment.

Re:Just another reason to use iTunes, I guess

[Anonymous Coward]

You are aware iTunes installs massive (many MB) services that start at bootup you have no need of don't you? You're aware it blindly installs the iPod service, whether you have an iPod or not right? If I remember the last time I looked at it ALSO installed Quicktime, which is one of the worst behaved Windows installs of a media utility in well, pretty much ever. And Quicktime btw, also installs services you have absolutely no need of.

Memory is cheap, but that doesn't mean I want Apple deciding it can just use mine for code that never executes (or even worse, executes when I don't need it).

Re:winamp skin

[Doug Lim]

I'd bet it's probably not an issue for xmms using winamp skins. I don't believe it's a problem with winamp per se. I believe it's due to winamp's integration with IE.

It really annoying that IE integration can't be disabled or if it's even possible to integrate with another browser.

I don't know exactly how it works, but certain streams will pop open the Winamp browser window to the stream's home page and the stream's home page has popups.

In fact, due to integration with IE, even if you don't use IE for any browsing, someone could set up an enticing stream (**cough**pr0n**cough) and infect a lot of people with malware who think they're safe because they never websurf with IE.

Re:i hate skins

[asdfghjklqwertyuiop]

Skins allow people to pick an interface they like, something that fits into their desktop style, and leave it there.

Pick an interface they like? Hah. I wish I could pick the skin I like: None at all. Something that makes the application's interface look and work exactly like every other application I run instead of some incomprehsible and unusable artistic garbage.

Re:Simple solutions

[maximilln]

who then runs the code

Winamp parses the XML file which contains an embedded link to the .exe in the Winamp skin archive.

Why are markup languages allowed to link to executables? Allowing arbitrary hotlinks to an untrusted location without proper validation is a security hole the size of an aircraft carrier.

Re:Further evidence that skinning is stupid

[StalinsNotDead]

There are those that either forget to check Post Anonymously or out of some measure of honor or apathy, refuse to do so.

I think I speak for a lot of people when I say...

[rd_syringe]

...pointless skins for media players can go to hell. Foobar 2000 forever!

Even more fun...

[jejones]

The last time I tried it, WinAmp wouldn't work for me unless I had administrator privileges--so this exploit can do maximal damage. Maybe this will move a rewrite to work reasonably in a multi-user environment up on their priority list? (We can hope...)

Foo!

[ralphus]

Why are you geeks worried? Shouldn't you be using Foobar2000 [foobar2000.org] anyway? It is about 2000 X better than winamp and packed with geek friendly features.

say it out loud...

[Anonymous Coward]

...it's another WINDOWS problem. The OS and any apps for it are "run at your own peril". That includes mozilla stuff. It's because it's designed to run on WINDOWS.

WINDOWS
WINDOWS
WINDOWS

I don't care how leet folks think they are, as long as people run windows stuff, develop for windows, run windows apps, think about windows, they are gonna get hosed, sooner or later.

You would think after 10 years of this stuff that it would be noticed, nope, folks still think just one more patch or one more version higher of their windows apps or OS is gonna magically fix windows.

Charlie Brown

Lucy

Lucy holding football

Charlie Brown on his butt looking lame

Charlie Brown = windows

Lucy = windows apps

Lucy holding football = thinking just this one more time, that this is the time she will hold it correctly, that just this time it will work and be "secure"

Charlie Brown on his butt for the 9,863rd time = windows users, never learn, always going to think if they hold out one more time it will be OK.

Re:Mozilla

[ajs318]

If I had mod points, you would be Insightful. However, I haven't, so I'm replying. A media player does not need a browser engine. mpg321 hasn't got one, and it does just fine.

The real problem is that DOS was never designed to be networked, and that carried over into Windows. NT's access control is based on VAX/VMS, which is rather OTT for most people's requirements, and so most people simply don't use it. Unix/Linux/OSX access control, while less sophisticated, is at least more likely to be used properly.

Hardware no-execute (NX) is an absolute red herring in this context, BTW. It can always be bypassed in software -- otherwise you would have a Computationally Incomplete system -- and, if you can persuade a user to execute arbitrary software on a system without NX, you can just as easily persuade a user to execute the NX bypass exploit on a system with NX.

Re:Macs

[Phroggy]

Makes me glad I use iTunes on a Mac. At least Apple doesn't decide *for me* that I NEED an insecure web browser in EVERY APPLICATION on the operating system.

I realize you're trolling, but I'm bored...

Yes, Apple DOES decide for you that you need a web browser in every application on the operating system. Is it insecure? Well, not that we know of right now, because Apple patches the holes when they're found, just like Microsoft does (but yes, Apple's browser does have fewer security holes than Microsoft's).

Safari is 13MB, 10.1MB of which is localized text (for menus, dialog boxes, etc.) for languages other than English. It would be less than 3MB if you stripped that out (and you can get a program to do that for you, system-wide, if you want). Why? Because it doesn't include the HTML rendering engine.

The fact that OS X has not yet had one critical exploit speaks for itself. (And yes, OS 7-8 *did* have quite a few exploits and viruses.)

Wrong again. According to Steve Jobs [alwayson-network.com]:

In Mac OS X's history--four and a half years--we've had 43 security updates fixing security issues, but only 2% of them were critical. In Windows XP, which has been around for less time, they've had 77 security updates but 66% of them were critical in terms of the industry's nomenclature.

By the way, if you're interested in the HTML rendering engine that Apple includes in Mac OS X and makes available to all applications (just like Microsoft does), the source code is here [apple.com] (it's LGPL). OK, so that's not like Microsoft. ;-)

When will software companies and developers learn?

[inkswamp]

Does it take a freakin' rocket scientist to figure out that any time your software does something automatically, especially if it's something dealing with the network/Internet, you should think very carefully about how necessary the feature is? That is, consider whether it should even be there at all. It seems that a lot of security issues could be stopped if developers and software companies would just let the user decide when and (most importantly) if at all a piece of software does something automatically. At the very least, there should be a way to turn the feature off and the developer should ship with the feature disabled by default.