Winamp Skin Exploit in the Wild

An anonymous reader writes "Secunia.com has announced an exploit (derived from xml escaping the Internet zone into IE's local zone) that exploits Winamp's habit of automatically installing skins. Currently all versions of Winamp are affected. Details on the Winamp forums - apparently an exploit is already in the wild, and spreading."

Am I the only one...

[psoriac]

who unchecks every option in any program I install that begins with "Automatically [check for/download] and install ..."?

i hate skins

[avandesande]

am i the only person that finds ever changing interfaces an annoyance??

Redmond school of engineering

[Rosco P. Coltrane]

Program skins with "browser tags" and "embedded xml"? sheesh, what next, word processor documents that have executable code inside? </sarcasm>

Expect these to grow more common...

[hanssprudel]

Now that people have started to use firewalls, and the risk of worms and rootkits that infect through open, exploitable, holes grows smaller, it is time to expect more and more exploits to follow alternative vectors.

Note how many buffer-overflow exploits there have been in server daemons. Well, there is no reason to believe that servers are any worse written with regards to input than client applications - quite the contrary actually.

People think they are safe with a firewall. But I'm willing to bet there are undiscovered exploits in just about every application they run. WinZip? WinAMP? Acrobat Reader? Media player? Anything that handles files received over the Internet is potentially a vector for viruses and possibly worms.

This time it was bad escaping, which made the exploit trivial, but there a buffer overflow would have served just as well. Neither firewalls nor anti-virus software will protect you.

Dumb Question

[ewhac]

For what possible purpose does a skin -- which is essentially nothing more than graphical elements -- need to invoke the browser?

WTF? Seriously, help me out here. I've only been a programmer for 25 years, so I may not understand the deeply compelling reasons driving such a design decision.

Schwab

Re:i hate skins

[gwernol]

am i the only person that finds ever changing interfaces an annoyance??

Ever changing interfaces would indeed be an annoyance, but the point of skins is to let you find the UI you like and stick with it. For any individual user the UI is the same (unless you really want to keep changing it) its just that different users can have different UIs.

Its a bit like the "bloat" in large applications like Word. Of course most users only use 10-20% of Word's features, but each person can use a subtly different 10-20%. You choose to learn the subset of features that are useful to you and ignore the rest. Those others are only a minor distraction.

Re:i hate skins

[topher1kenobe]

I love skins. I pick one and use it for years before switching. Skins allow people to pick an interface they like, something that fits into their desktop style, and leave it there.

I don't go with random skins, or frequently changing skins. I just browse the library, pick a good one, and stick with it.

Re:Simple solutions

[nkh]

It's too late for me to post this but there is a plug-in on the Winamp web site that is developped by a spyware company (can't remember the name): the plug-in shows you a girl dancing and of course it's sending a lot of packets throught the internet. The plug-in is available on Winamp's web site!

might want to release that patch...

[uodeltasig]

Since the forum basically gives step-by-step instructions of how to recreate the exploit they might want to release the patch sooner or edit the forum post so that happy script-kiddies have to do a little more work then copying and pasting to exploit it... Meanwhile, switch to linux and use XMMS :)

Dumb Answer

[Iscariot_]

"so I may not understand the deeply compelling reasons driving such a design decision."

*raises hand*

Because since the late 90s EVERY PROGRAM must use the internet in some way. Useful or not. Anyone else notice this trend?

back to media player..

[nurb432]

"Good ole microsoft has this thing called media player that plays my mp3's..."

"Cant trust those evil 3rd party hacker programs... Thats what they say they wouldnt lie.. See this just proves it.."

Not that Microsoft would be *that* evil to release exploits for 3rd party apps.... but its an idea..

Winamp's or IE's fault?

[CodeMaster]

Still trying to figure out - is it winamp's fault that an XML character escape sequence causes stupid IE to run as in a local zone.

This isn't the first app that gets nailed just because it was using IE (for whatever extent of use - full rendering or peripheral stuff like SSL Certificate handling or XML processing).

Just add this to the IE screwups tally :-)

get a free iPod! [freeipods.com][This really works! - I have only 3 more referrals to go, my buddy already got his iPod (I should have gotten into this earlier :-(]

i'm famous!

[DaWolfey]

I've never been linked to (well, indirectly) on slashdot before - it's my 30 seconds of fame!

Just to add to the original thread a little, I only saw the worm spreading on IRC and I only saw 2 people who were spamming the link - like all mirc worms the infected person doesn't know they are doing it until someone tells them.

I guess it's not got very far - since I reported the exploit i've not seen another spammed link for it.

Re:The exploit:

[gui_tarzan2000]

Speaking of exploits...

When did this become a common problem? When I used to program way back in the late 80's software code was simple and clean. We didn't really have issues like this to worry about. The occasional virus, but those were actually .com or .exe programs. I know the Internet wasn't in place for the public yet, but still. And I know about the Unix worm. But isn't the main reason this is happening because coding gotten either that sloppy or that disorganized?

As much as I hate Microsoft, I don't blame them for things like this although they have not set a good example. There are thousands of programmers to blame for sloppy code, bloat and security issues so we can spread it around a bit.

Re:yet another way...

[Anonymous Coward]

Use a firewall and don't give winamp access to the internet?

WTF else!

Re:Further evidence that skinning is stupid

[xmundt]

Actually, I kind of like skinning...although I don't "need" it. For example, Opera has a skin called "Executive" that is my preferred look. Why? not because I am "C" level, but, because I am a woodworker!
ALso, the whole point of computers is to allow flexibility and the ability to customize the tool to fit our hand.
I do, though, draw the line at methods of skinning that end up being security risks... I am not sure that skins that have executable parts are a good thing...

Suggestion to Windows yet NON-IE users

[Spuffin]

Use Work Offline mode in IE when you aren't using it. This setting will be saved even when you close IE thus keeping IE exploits such as this down. As a side note, it also kills the ads in AIM which is a nice plus. The only downside is when a program does try to access the internet using IE (such as AIM) it prompts you to Stay Offline or Connect. All you have to do is click stay offline and you'll be fine. If anyone knows how to suppress this prompt I would love to hear it.

Re:say it out loud...

[arminw]

Is there NO way to tell *any* flavor of Windows to allow any or all programs to write to the user directories only, by limiting the privileges of a user? In Linux and the Mac it is possible to disallow a user or any program he may run from touching anything that might affect the system. Therefore, if a user is dumb enough to run unknown programs, only his/her stuff gets deservedly hosed.

Re:Mozilla

[HobophobE]

Offtopic, etc. but I am curious.

How difficult (and guessing it's feasible, this is probably in the works) would it be to build with Mozilla an emulation of IE's embed? In other words, will there come a day when one could force a Mozilla embed by overriding the IE version?

Re:say it out loud...

[Anonymous Coward]

Is there NO way to tell *any* flavor of Windows to allow any or all programs to write to the user directories only, by limiting the privileges of a user?

Of course there is, in fact with greater granularity than Unix permissions allow. The problem is, if you blanket deny write access to anything but the user's directories, many programs break.

Too much stuff is written by programmers who think that writing to the application directory is ok. It's easy enough to enable write permission to individual files to get around this (and registrey keys in some cases), but doing it for about half of the installed programs gets old really quick. And that's after you determine which files/keys they need write permission to.

So if you're not a Windows expert and don't have one around, practically speaking it's impossible.