Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

Spyware Tunnels in on Winamp Flaw 176

Andy Philips writes "A security bug in Winamp is being exploited by miscreants to install spyware on machines running the media player software. "After surfing to a malicious Web site on our test machines, the file 'x.pls' begins to download, Almost immediately, Winamp starts to execute the play list and remote code execution begins." Sunbelt's Adam Thomas wrote in a posting. The Winamp problem affects version 5.12 of the media player. Earlier versions may also be affected."
This discussion has been archived. No new comments can be posted.

Spyware Tunnels in on Winamp Flaw

Comments Filter:
  • by eldavojohn ( 898314 ) * <eldavojohn@gmailREDHAT.com minus distro> on Monday February 06, 2006 @09:40AM (#14650117) Journal
    Once upon a time, I used Winamp.

    And it was good.

    It was fairly lightweight, I could load in huge playlists of college-napster-garbage without slowdown and I knew all the hot keys for searching and what not.

    Then that llama came into the picture. I think it must have been version three or four (I can't remember) when there was a damned llama or alpaca or whatever in a green field. Now, I love llamas and alpacas, don't get me wrong. The problem was that now Winamp was about "graphix" and "features" that were once plugins that I didn't want.

    I don't know why they thought Winamp needed to be able to play videos but it did now. I don't know why they thought Winamp had to show stupid tripping-on-acid-harmonograph visualizations but it did now. I don't know why they thought Winamp had to melt songs together but it did now ... etc.

    On top of that, the memory footprint in Windows was crazy. And my roommate tried to put skins on Winamp that just made my computer shit its gourd. I was disgusted ... the hot keys may have still been there but what I was looking for in a media player was not. For some reason, they seemed to think that competing with Windows Media Player meant mimicking it to every detail. Fine. I never want to touch Windows Media Player, it's about as useful as my appendix. And now I feel the same way about Winamp.

    Now there's a spyware flaw in Winamp. Am I surprised? Not really. They have gotten so complicated that there's probably a thousand holes in that application. They definitely lost site of what I was looking for--a plain jane slim audio player. Winamp's executing a remote method invocation through a playlist that can trigger itself to be automatically loaded and ran? Now that sounds like a "feature" I want my audio player to have.

    Is this the first time this has happened? Nope, remember the zero day exploit [internetnews.com] that targeted skins in 2004? There's been a myriad of security issues with Winamp since it became more and more complicated.

    "Gee, the way our audio player loads playlists isn't very secure. But it works and the people who use our application aren't interested in security--they're interested in playing AVI files on their audio player!"

    So what would I recommend? Well, if you're using Linux, I can think of at least ten things better [neu.edu] but XMMS [xmms2.xmms.se] would probably be my favorite. If you're running Windows, I like to use Quintessential Player [quinnware.com] which can be modified to be as complicated as new Winamp or can be
    • by Robotech_Master ( 14247 ) on Monday February 06, 2006 @09:46AM (#14650146) Homepage Journal
      Can't you get xmms compiled for Windows, too?

      Personally, I use iTunes now, because it just works with my iPod. I could probably use something else, but why bother?
    • by iezhy ( 623955 ) on Monday February 06, 2006 @09:46AM (#14650149) Homepage
      I used winamp too - until i found foobar2000 [foobar2000.org]

      It supports virtually all posible audio codecs, and sound quality is much better
      • by Anonymous Coward
        While there isn't a Linux port of foobar 2000 yet, I've found Quod Libet [sacredchao.net] to be a close-enough replacement for those of us who have gotten tired of whiz-bang graphics. Though mostly, I switched from xmms for the UTF-8 support (hey, that's the reason I switched from winamp too ;)
      • by Anonymous Coward on Monday February 06, 2006 @10:22AM (#14650355)
        I used winamp too - until i found foobar2000 [foobar2000.org]

        It supports virtually all posible audio codecs, and sound quality is much better

        From foobar2000.org:
        Does foobar2000 sound better than other players?
        No. Most of "sound quality differences" people "hear" are placebo effect (at least with real music), as actual differences in produced sound data are below their noise floor (1 or 2 last bits in 16bit samples). Foobar2000 has sound processing features such as software resampling or 24bit output on new high-end soundcards, but most of other mainstream players are capable of doing the same by now.

        :-)

        • i dunno why but winamp5 playing mp3 sounds horrible to me, maybe its something to do with the mp3pro support they added or something but every time i play a mp3 on it there is a harshness that i can't stand for more than a few minuites.

          pretty much anything will sound better after that!

      • Did they code all their own codecs? Or do they use the standard codecs? Either way, I don't know how which application you use has any bearing on the sound quality. You can't make a badly encoded MP3 sound good.
      • I tried that once and couldn't find the volume control. Have they fixed that? Is it a plug? I remember looking everywhere. Perhaps I'll give it another go - I usually use Winamp but I'm up for a lean alternative.
      • > until i found foobar2000

        I love Foobar, except for its randomization, which seems to suck. It just flipped back & forth from the first 1/4 of the list and the last 1/4 of the list, picking up one from the middle every 5th or 6th selection. Now, it may be bad luck, since even with truly random selections, it could play in the listed order, but I've seen it happen a few times.

      • How come nobody mentioned VLC [videolan.org] or Media Player Classic [sourceforge.net] yet?
    • by Anonymous Coward
      Once upon a time, I used Winamp.

      Until there was a story on slashdot about spyware being installed via Winamp flaw. Someone posted to slashdot about the experiences they had with winamp, and suggested something called Quintessential Player. I love this person, because thanks to them, I just found a great replacement for winamp.
    • Just for the record, Quinnware stopped the dev on the simple QCD player and started a bloated winamp 5 copy called Quintessential Media Player. Guess I'll be staying with the good old QCD 4.51 player for a long time.
    • by zerocool^ ( 112121 ) on Monday February 06, 2006 @09:57AM (#14650210) Homepage Journal

      For starters, you can go to www.oldversion.com and get winamp 2.95 along with a bunch of other versions. The train wreck that was winamp3 was also mostly corrected when they went to winamp5, and if you see from (http://www.winamp.com/player/free.php [winamp.com]) there's a "lite" version that weighs in at 0.85MB, and which supports mp3, wav, ogg, au, midi, cda, aac, etc. Since it doesn't support modern skins, I would suspect that it's probably just a rehash of 2.9x

      I don't use the video features of Winamp. They were present in 2.95, but they weren't bloated yet. And I don't think it was a grab at the windows media player headspace. It really seemed like they just tacked it on because it wasn't hard to do. I think it uses the windows renderer and codecs anyway, just without all the crap in WMP.

      Anyway, yeah, I still use 2.95 of winamp, just like I still use instant messanger 4.8. I'm open to change; I'm just not going to "upgrade" to a bloated product. What is it with software these days, anyway? Every piece of software tries to be everything to everyone. Ugh.

      ~Will
      • version 3 was the train wrecke.. but i also belive it was about then that AOL bought it.. i use it all the time but it is an old 2.x version with the skin i like.. screw all the new vid crap.. it is a music player and that is what it should do
      • Have you recently used Nero? Why on earth a cd burning app need a image viewer?!
      • Since it doesn't support modern skins, I would suspect that it's probably just a rehash of 2.9x

        Basically, besides a ton of bug fixes and feature improvements, yes.

        I recommend the latest Lite version for those that "just want WA 2", if not only to get fixes and improvements. As one can see from the size, it's far from bloated too.
      • Winamp 5 == Winamp 2 (Score:4, Interesting)

        by Anonymous Coward on Monday February 06, 2006 @10:58AM (#14650569)
        Winamp 5 is essentially just an updated version of Winamp 2 renamed so that it would have a higher number than the trainwreck that was Winamp 3. There's no reason not to upgrade - all the "bloat" (modern skins, video support, media library, whatever) is an install-time option. Even with all the "bloat", I find that so long as I use a classic skin, its reasonably lightweight. (Modern skins, of course, eat up more CPU/memory).

        If you're still using 2.95, you're probably vulnerable to a host of security issues and missing out on a number of useful features (better AAC/mp4 support for one, I believe). I highly reccomend upgrading to 5.13.

        • I don't understand why this is a "security risk" anyway. I mean, I guess if your browser is set to automatically accept when a website sends you a file, and automatically run it... then, maybe. Maybe in the same way that you could have your browser set to automatically accept, download, and execute a .com file. But, my browser doesn't download files without asking, and it doesn't execute them either. And the only pls files I use are from di.fm.
      • by mrdaveb ( 239909 ) on Monday February 06, 2006 @10:59AM (#14650578) Homepage
        I agree that Winamp 2 used to be great and Winamp 3 was horribly bloated. But what you really want to do is run the latest Winamp 5 with either the tiny Lite version, or the full version without modern skins. It has the same small memory footprint as Winamp 2... The only advantage of using Winamp 5 is that some of the recently discovered security holes have probably actually been in there the whole time and you might be putting yourself at risk if you run a really old version.
      • i like the media library feature in winamp 5. its the only reason i upgraded to it. It automatically updates whatever directories you tell it to. Before you had to use playlists etc... now the media library is used to set up playlists.
      • What is it with software these days, anyway? Every piece of software tries to be everything to everyone. Ugh.

        ever heard of emacs?
      • A lot of people don't seem to be too clear on this so I thought I would mention it - WinAmp 5 is WinAmp 2 with bugfixes and some extra plugins (e.g. video). If you don't want the extra stuff just delete / don't install the plugins.
      • While, Winamp was indeed improved between versions 3 and 5, I still prefer the 2.x series and XMMS for their no-nonsense approach to music. After all, its the music we care about. The reasons for winamp's decline are many, but if you watch the developments at Winamp's Nullsoft, it gives you quite a few clues. Winamp's creator Justin Frankel is no longer affiliated with Nullsoft, and if you track the developments leading to his departure, its quite clear why winamp has suffered as well. When Nullsoft was
      • What WinAmp really needs is to be very small in footprint. Two: every, yes, every function should have a keyboard combination interface.
        With a keyboard combination for each function, a remote can be made for the Winamp player. Use a photodiode that decodes the 38KHz signal sent from all TV remotes. Feed this signal into a microcontroller that replicates the WinAmp keyboard combinations according to button pressed on the remote. Plug this microcontroller into the PC in parallel with the ke
    • If you don't install all the extra plugins that come with Winamp 5 (media library, and particularly the 'modern skins' support), it's essentially the same speed/functionality as 2.95, but with tweaks/bug fixes.

      I do find the Media Library very useful though, so I'm happy enough to have that installed.
    • So what would I recommend? Well, if you're using Linux, I can think of at least ten things better [neu.edu]

      That page is old: "Last Updated 8 Apr 2000" and some of the links are broken.

      Wikipedia has a nice media player comparison [wikipedia.org] with an "Operating system support" table showing which ones run on Linux.
    • The only reason I still use Winamp is the Internet TV function. Streams such as Futurama on EveryShowSucks [www.ess.tv] keep me entertained, and without ads. As long as Internet TV remains free on WinAmp I will keep using it.
    • As I recall, isn't the old version of Winamp still available (Or at least it was before my 2 year tango w/ Linux)? And I rather like Winamp 5. Although I do agree it is quite a bit bloated. All the new features should have been implemented as plugins to the existing Winamp system so that it could still run on an older machine.
    • I don't know why they thought Winamp needed to be able to play videos but it did now. I don't know why they thought Winamp had to show stupid tripping-on-acid-harmonograph visualizations but it did now. I don't know why they thought Winamp had to melt songs together but it did now ... etc.


      AOL.
    • I can see your point but...

      "needed to be able to play videos" - plugin
      "had to show stupid tripping-on-acid-harmonograph visualizations" - plugin
      "had to melt songs together" - plugin
      "skins on Winamp that just made my computer shit its gourd" - plugin (modern skins, anyway - classic skins are a collection of static bitmaps)

      I still use WinAmp. I also use iTunes. My WinAmp v5 installation looks more or less like my old WinAmp v2 installation because I've disabled and deleted the plugins I didn't want (like vide
    • They have old versions (pre v3) over at Oldversion.com [oldversion.com].

    • Wow, you pretty much echoed all of my thoughts in elegant form

      I actually still use Winamp 2.73. I keep meaning to upgrade to 2.95, but I guess that'll probably happen next time I buy a computer.

      I do find the comments others have made about being able to disable/delete in version 5+ the extra useless crap that was added in version 3, and may actually try that. I did stick version 5 on my computer at work, and I definitely appreciate the fact that I can keep my classic skins.

      PS - I believe an alpaca
      • From Wikipedia: Alpacas and llamas can (and do) successfully cross breed, the resulting offspring are called huarizo.

        They're not the same species, but can breed. And more succesfully than a horse and a donkey can breed together. Basically, the interfertility test has gone out of favor with biologists; there have been far too many exceptions shown, and indeed some odd hybrids which are more prolific than either parent individually.
    • So what would I recommend? Well, if you're using Linux, I can think of at least ten things better but XMMS would probably be my favorite.

      I'm waiting for someone to suggest Amarok [kde.org] for Linux. It's most definitely the best player I've ever used.
  • Oh (Score:5, Funny)

    by kvant ( 939634 ) on Monday February 06, 2006 @09:43AM (#14650135)
    I was wondering why my mp3-collection was suddenly trying to sell me penis-lengthening pills!
    • Re:Oh (Score:3, Funny)

      by Belseth ( 835595 )
      I was wondering why my mp3-collection was suddenly trying to sell me penis-lengthening pills!

      Wait'll the next version comes out. They'll be collecting credit card numbers and automatically billing your account so you won't even have to order the enlarging pills they'll simply show up in your mailbox along with the bank notice that your account is empty.

    • I could swear 20 Fingers' Short Dick Man was never on this playlist before!
    • I would have to assume it's because you have Ricky Martin mp3's on there... That's really the only explanation. (Oh Minudo, how thou hast failed me...)
  • by Robotech_Master ( 14247 ) on Monday February 06, 2006 @09:43AM (#14650136) Homepage Journal
    ...whips your computer's ass, as well as the llama's.
  • by Futurepower(R) ( 558542 ) on Monday February 06, 2006 @09:46AM (#14650148) Homepage
    Link to WinAmp Free Player [winamp.com].
  • by quentin_quayle ( 868719 ) <quentin_quayle&yahoo,com> on Monday February 06, 2006 @09:50AM (#14650167)

    I know you will all correct me if I'm wrong, but if you don't have the .pls as a trigger for Winamp as a plugin, you're not vulnerable. Just set your browser to do something else with .pls (like offer to download). Or trash the file type association or set it for something other than Winamp.

    Or if you're a luddite like me and can't stand plugins, prevent them all from working by commenting out the plugins lines in:
    C:\Program Files\Common Files\mozilla.org\GRE\ [version here] \greprefs\all.js

    This is assuming you use Mz or FF for web on Windows like a sensible person.

    • I know you will all correct me if I'm wrong, but if you don't have the .pls as a trigger for Winamp as a plugin, you're not vulnerable. Just set your browser to do something else with .pls (like offer to download). Or trash the file type association or set it for something other than Winamp.

      Or upgrade your Winamp to 5.13.
  • Move Along (Score:5, Informative)

    by Billosaur ( 927319 ) * <wgrother.optonline@net> on Monday February 06, 2006 @09:51AM (#14650177) Journal

    As usual, nothing to see here...

    From ZDNet Asia: The flaw was disclosed on Monday, when Winamp maker Nullsoft, a division of America Online, released an update to fix it. The company posted version 5.13 of Winamp, while Secunia and other security companies issued alerts about the problem. Secunia rated the issue "extremely critical," its highest rating.

    Flaw detected and removed. New version of Winamp out. Get the new version. Protected. Not much more difficult than that. Shouldn't there a be a "Software Vulnerabilties" section to Slashdot, where these things could be posted?

    • Re:Move Along (Score:1, Interesting)

      by Anonymous Coward
      What happened to the days of patching? I don't know anything about the new version of WinAmp but this exploit vs. upgrade cycle seems to be a vehicle for prodding users to move to the latest edition of the bundled adware/spyware/malware product. So you get it through exploit or you get it through bundling. What's the difference anymore?
    • Re:Move Along (Score:5, Informative)

      by RonnyJ ( 651856 ) on Monday February 06, 2006 @10:20AM (#14650340)
      Shouldn't there a be a "Software Vulnerabilties" section to Slashdot, where these things could be posted?

      That's certainly an option, however Winamp is a hugely popular media player. I'm sure many Slashdot readers have Winamp, and wouldn't visit such a section regularly, so fairly 'big' stories like this should at least be posted to the front page too. At the very least, I know now that I need to update Winamp.

      • Re:Move Along (Score:1, Insightful)

        by sn0wflake ( 592745 )
        Approximately a week ago I started Winamp and instantly received a message that there was a new version available. What to do? Upgrade! Problem solved. I still don't get what the big deal is about this "news" other than the usual Windows bashing from Slashdot.
        • The same thing happened to me. I'm baffled as to why this is news. Nullsoft, like practically any company out there, released code with bugs in it.

          As soon as the code was found, a patch was released and the company prompted casual users to download the update.

          What exactly is the big deal here?
    • As usual, nothing to see here...

      Flaw detected and removed. New version of Winamp out. Get the new version. Protected.


      Well, there's that much to see - if you use Winamp, you should download the latest version. Now I don't use Winamp, but before I read this article I didn't even know there was a vulnerability, let alone a fix for it. In that sense, there's certainly something here for me to see.
    • "Flaw detected and removed. New version of Winamp out. Get the new version. Protected. Not much more difficult than that. Shouldn't there a be a "Software Vulnerabilties" section to Slashdot, where these things could be posted?"

      Yeah, because Winamp has an autoupdate feature, right?
  • Foobar2000 (Score:5, Informative)

    by Idimmu Xul ( 204345 ) on Monday February 06, 2006 @09:55AM (#14650202) Homepage Journal
    A small plug for the greatest MP3 player in existance, Foobar2000 [foobar2000.org]

    It's so awesomely customisable, it hurts.
    • I used to run FB2000, but switched to Media Monkey. Best MP3 manager/player/jukebox I've ever seen. For instance: you have two Zappa albums, one under Zappa, Frank and the other under Frank Zappa. Just drag the second album into the first artist name and it automatically retags all the files' artist names.

      Also scales easily to the 10,000 track range while still being fast, and has excellent device connectivity options. Plus it's fully scriptable.

      (I have no relation to it other than very happy user)
  • Woah, they even got the might dot! My quip down the bottom was System going down in 5 minutes.

    Nice work!
  • by hcoder ( 942688 ) on Monday February 06, 2006 @10:16AM (#14650316)
    It should be noted that no application is secure enough (except some 'Hello World!' implementations). It's not unusual that one should get hotfixes, service packs, etc. to keep ones system (relatively) secure against crackers. If you like winamp get the update and relax. As other folks said you may use other applications, mplayer is my favourite one. Of course I run it on Linux.
    • It should be noted that no application is secure enough

      Except qmail [cr.yp.to].

      Meanwhile the rest of the world thinks that they have to choose between functionality and security and manage to get neither particularly well.
  • Strange (Score:1, Insightful)

    by Anonymous Coward
    Isn't this like reporting on something exploiting an old bug in xmms or likewise?

    A fixed version of Winamp was released even before any of the mainstream media had published their reports. Isn't this rehashing the same?

    Winamp 5.12 and older are vulnerable? Wasn't this the point of the original article? What does this have to offer than the same old story when it comes to all software. Upgrade to remove those nasty bugs.

    I believe you can find the fixed version here, its been there for a week:

    http://www.winam [winamp.com]
  • So this is the sound of the internet crashing? It even comes with a playlist!
  • by British ( 51765 ) <british1500@gmail.com> on Monday February 06, 2006 @10:22AM (#14650351) Homepage Journal
    Was when that disaster known as Winamp TV came out. Porn site operators found out rather quickly you could incorporate pop-up ads when you connect to their streams. A simple preference change stopped this.
    • last exploit I remember of winamp Was when that disaster known as Winamp TV came out.

      Disaster? NSV streams are the ONLY decent internet TV channels I've come across. Some channels like "Freedom TV" have very good content most of the time. Other channels like the "'50's commercials" channel is good for killing a few minutes too. Other channels vary in quality from program to program, but are often interesting, at least. I wouldn't recomend throwing away your TV because of them, but it's a lot better th

  • Problem? (Score:4, Informative)

    by towaz ( 445789 ) * on Monday February 06, 2006 @10:53AM (#14650533)
    This was patched over a week ago, http://www.incidents.org/diary.php?date=2006-01-31 [incidents.org] (bottom).
    The time from exploit to patch was very fast.
    better then the length it takes other software developers to release a patch..
    http://www.eeye.com/html/research/upcoming/index.h tml [eeye.com]

  • by Anonymous Coward
    why so detailed?!

    anyone know if this is a 5.x problem? I still use 2.91. couldn't find any reliable info anywhere :(

    • I use 2.60. Old versions of winamp were really great. They load up instantly, have a tiny memory footprint, and do everything I want to do. My friends use iTunes, and it's true that some of the features are great, but when I just want to play one file winamp is faster and better.

      Anyway, to answer your queston, so long as you don't have a browser plugin you shouldn't be vulnerable.
  • Still lite (Score:3, Informative)

    by Bizzeh ( 851225 ) on Monday February 06, 2006 @10:59AM (#14650573) Homepage
    winamp is still lite, you dont HAVE to install the extra features.
    you dont HAVE to install the library,
    you dont HAVE to install the modern skin support,

    remove those 2 and your practicaly using winamp 2.9 with alot of bug fixes and speedups... so i dont see what all the complaining and whining is about
  • by Ranger ( 1783 ) on Monday February 06, 2006 @11:04AM (#14650605) Homepage
    That information would have been useful had WinAmp not told me that version 5.13 was already available. A WEEK AGO!

    I don't know what's worse on Slashdot, a dupe, a roland, or old news.
  • Winamp (Score:1, Flamebait)

    by certel ( 849946 )
    Winamp is now just bloatware. With all the features added to the software, the stability dropped like a rock. I was an avid user until I purchased an iPod and have been using iTunes ever since.
    • I was using iTunes before I got my iPod. When I realized that I was using about 4 or 5 buggy and bloated plugins to get a useful interface out of Winamp I knew it was time to ditch it. It was painful at first, because I learned about the MP3 world with Winamp and I knew nothing else. But I look back now and am glad I did.
    • Er... so you find iTunes less bloated than winamp? You have a strange definition of bloated... :-)
  • This has absolutely nothing to do with Sunbelt Computer Systems, their PL/B implementation, or PL/B source files (extension .pls). (Oh, the fun I had keeping WinAmp from opening my source code....)
  • by HunterZ ( 20035 )
    Winamp is just a backup player for me now. Mostly I use Media Player Classic because it uses AC3Filter to Dolby-Surround decode my MP3s to 5.1.
  • Just one question (Score:5, Insightful)

    by SuperKendall ( 25149 ) * on Monday February 06, 2006 @01:51PM (#14652092)
    Are there more computers running OS X than there are active copies of WinAMP?

    If so, why are there currently no OS X viruses yet when we see an active WinAMP exploit?

    Food for thought.
  • Winamp is the Internet Explorer of mp3 players. It's had a massive amount of vulnerabilities. This is the third playlist vulnerability alone: see the other two [securityfocus.com]. Are they going to do a code audit, or will we see the same kind of vulnerabilities again and again?

    I moved to a player with a good media library years ago. Even if that's not for you, consider something like Foobar2000.

  • It was the latest one out when I was putting software on my system.

    It works flawlessly. It's teenie-tiny. It's appealing to look at. . .

    Am I missing something here. . ? The only reason I ever go for updates on software is in the hope that an annoying design flaw is fixed, or that a much-needed feature will be added. When I finally load something onto my machine which does exactly what I want, I sigh with relief and then move on to other interests.

    I'm fairly certain guys like me are not well liked around

Where there's a will, there's a relative.

Working...