Spyware Tunnels in on Winamp Flaw 176
Andy Philips writes "A security bug in Winamp is being exploited by miscreants to install spyware on machines running the media player software.
"After surfing to a malicious Web site on our test machines, the file 'x.pls' begins to download, Almost immediately, Winamp starts to execute the play list and remote code execution begins." Sunbelt's Adam Thomas wrote in a posting. The Winamp problem affects version 5.12 of the media player. Earlier versions may also be affected."
It's that Damn Llama's Fault (Score:4, Interesting)
And it was good.
It was fairly lightweight, I could load in huge playlists of college-napster-garbage without slowdown and I knew all the hot keys for searching and what not.
Then that llama came into the picture. I think it must have been version three or four (I can't remember) when there was a damned llama or alpaca or whatever in a green field. Now, I love llamas and alpacas, don't get me wrong. The problem was that now Winamp was about "graphix" and "features" that were once plugins that I didn't want.
I don't know why they thought Winamp needed to be able to play videos but it did now. I don't know why they thought Winamp had to show stupid tripping-on-acid-harmonograph visualizations but it did now. I don't know why they thought Winamp had to melt songs together but it did now
On top of that, the memory footprint in Windows was crazy. And my roommate tried to put skins on Winamp that just made my computer shit its gourd. I was disgusted
Now there's a spyware flaw in Winamp. Am I surprised? Not really. They have gotten so complicated that there's probably a thousand holes in that application. They definitely lost site of what I was looking for--a plain jane slim audio player. Winamp's executing a remote method invocation through a playlist that can trigger itself to be automatically loaded and ran? Now that sounds like a "feature" I want my audio player to have.
Is this the first time this has happened? Nope, remember the zero day exploit [internetnews.com] that targeted skins in 2004? There's been a myriad of security issues with Winamp since it became more and more complicated.
"Gee, the way our audio player loads playlists isn't very secure. But it works and the people who use our application aren't interested in security--they're interested in playing AVI files on their audio player!"
So what would I recommend? Well, if you're using Linux, I can think of at least ten things better [neu.edu] but XMMS [xmms2.xmms.se] would probably be my favorite. If you're running Windows, I like to use Quintessential Player [quinnware.com] which can be modified to be as complicated as new Winamp or can be
Re:It's that Damn Llama's Fault (Score:4, Interesting)
Personally, I use iTunes now, because it just works with my iPod. I could probably use something else, but why bother?
Re:It's that Damn Llama's Fault (Score:1, Offtopic)
Jesus I didn't know winamp still existed!
Re:It's that Damn Llama's Fault (Score:5, Insightful)
It supports virtually all posible audio codecs, and sound quality is much better
Re:It's that Damn Llama's Fault (Score:2, Informative)
Re:It's that Damn Llama's Fault (Score:5, Informative)
It supports virtually all posible audio codecs, and sound quality is much better
From foobar2000.org:
Does foobar2000 sound better than other players?
No. Most of "sound quality differences" people "hear" are placebo effect (at least with real music), as actual differences in produced sound data are below their noise floor (1 or 2 last bits in 16bit samples). Foobar2000 has sound processing features such as software resampling or 24bit output on new high-end soundcards, but most of other mainstream players are capable of doing the same by now.
Re:It's that Damn Llama's Fault (Score:2)
pretty much anything will sound better after that!
Re:It's that Damn Llama's Fault (Score:2)
Re:It's that Damn Llama's Fault (Score:3, Insightful)
Re:It's that Damn Llama's Fault (Score:1)
Re:It's that Damn Llama's Fault (Score:1)
You can use the keypad + and - keys.
Re:It's that Damn Llama's Fault (Score:2)
I love Foobar, except for its randomization, which seems to suck. It just flipped back & forth from the first 1/4 of the list and the last 1/4 of the list, picking up one from the middle every 5th or 6th selection. Now, it may be bad luck, since even with truly random selections, it could play in the listed order, but I've seen it happen a few times.
Alternative players (Score:2)
How come nobody mentioned VLC [videolan.org] or Media Player Classic [sourceforge.net] yet?
Re:It's that Damn Llama's Fault (Score:2, Funny)
Until there was a story on slashdot about spyware being installed via Winamp flaw. Someone posted to slashdot about the experiences they had with winamp, and suggested something called Quintessential Player. I love this person, because thanks to them, I just found a great replacement for winamp.
Re:It's that Damn Llama's Fault (Score:1)
Re:It's that Damn Llama's Fault (Score:2, Informative)
Re:It's that Damn Llama's Fault (Score:2)
QCD is quite fine, the only downside again is that it has 23,648MB of private memory...
Re:It's that Damn Llama's Fault (Score:2, Informative)
Re:It's that Damn Llama's Fault (Score:2)
Problem solved.
Re:It's that Damn Llama's Fault (Score:5, Insightful)
For starters, you can go to www.oldversion.com and get winamp 2.95 along with a bunch of other versions. The train wreck that was winamp3 was also mostly corrected when they went to winamp5, and if you see from (http://www.winamp.com/player/free.php [winamp.com]) there's a "lite" version that weighs in at 0.85MB, and which supports mp3, wav, ogg, au, midi, cda, aac, etc. Since it doesn't support modern skins, I would suspect that it's probably just a rehash of 2.9x
I don't use the video features of Winamp. They were present in 2.95, but they weren't bloated yet. And I don't think it was a grab at the windows media player headspace. It really seemed like they just tacked it on because it wasn't hard to do. I think it uses the windows renderer and codecs anyway, just without all the crap in WMP.
Anyway, yeah, I still use 2.95 of winamp, just like I still use instant messanger 4.8. I'm open to change; I'm just not going to "upgrade" to a bloated product. What is it with software these days, anyway? Every piece of software tries to be everything to everyone. Ugh.
~Will
Re:It's that Damn Llama's Fault (Score:1)
Re:It's that Damn Llama's Fault (Score:1)
Re:It's that Damn Llama's Fault (Score:1)
maybe because some people use it to archive pictures, or to make picture CDs? i dunno, but it seems to make sense to me.
Re:It's that Damn Llama's Fault (Score:2)
Basically, besides a ton of bug fixes and feature improvements, yes.
I recommend the latest Lite version for those that "just want WA 2", if not only to get fixes and improvements. As one can see from the size, it's far from bloated too.
Winamp 5 == Winamp 2 (Score:4, Interesting)
If you're still using 2.95, you're probably vulnerable to a host of security issues and missing out on a number of useful features (better AAC/mp4 support for one, I believe). I highly reccomend upgrading to 5.13.
Re:Winamp 5 == Winamp 2 (Score:2)
I don't understand why this is a "security risk" anyway. I mean, I guess if your browser is set to automatically accept when a website sends you a file, and automatically run it... then, maybe. Maybe in the same way that you could have your browser set to automatically accept, download, and execute a
Re:It's that Damn Llama's Fault (Score:5, Informative)
Re:It's that Damn Llama's Fault (Score:1)
Re:It's that Damn Llama's Fault (Score:1)
ever heard of emacs?
Re:It's that Damn Llama's Fault (Score:2)
Blame AOL, not Nullsoft (Score:2)
What WinAmp really needs (Score:2)
With a keyboard combination for each function, a remote can be made for the Winamp player. Use a photodiode that decodes the 38KHz signal sent from all TV remotes. Feed this signal into a microcontroller that replicates the WinAmp keyboard combinations according to button pressed on the remote. Plug this microcontroller into the PC in parallel with the ke
Re:It's that Damn Llama's Fault (Score:2)
I do find the Media Library very useful though, so I'm happy enough to have that installed.
Re:It's that Damn Llama's Fault (Score:2, Informative)
That page is old: "Last Updated 8 Apr 2000" and some of the links are broken.
Wikipedia has a nice media player comparison [wikipedia.org] with an "Operating system support" table showing which ones run on Linux.
Re:It's that Damn Llama's Fault (Score:1)
Re:It's that Damn Llama's Fault (Score:2)
Re:It's that Damn Llama's Fault (Score:1)
AOL.
Re:It's that Damn Llama's Fault (Score:2)
"needed to be able to play videos" - plugin
"had to show stupid tripping-on-acid-harmonograph visualizations" - plugin
"had to melt songs together" - plugin
"skins on Winamp that just made my computer shit its gourd" - plugin (modern skins, anyway - classic skins are a collection of static bitmaps)
I still use WinAmp. I also use iTunes. My WinAmp v5 installation looks more or less like my old WinAmp v2 installation because I've disabled and deleted the plugins I didn't want (like vide
Re:It's that Damn Llama's Fault (Score:2)
Hurray! (Score:2)
I actually still use Winamp 2.73. I keep meaning to upgrade to 2.95, but I guess that'll probably happen next time I buy a computer.
I do find the comments others have made about being able to disable/delete in version 5+ the extra useless crap that was added in version 3, and may actually try that. I did stick version 5 on my computer at work, and I definitely appreciate the fact that I can keep my classic skins.
PS - I believe an alpaca
Re:Hurray! (Score:2)
They're not the same species, but can breed. And more succesfully than a horse and a donkey can breed together. Basically, the interfertility test has gone out of favor with biologists; there have been far too many exceptions shown, and indeed some odd hybrids which are more prolific than either parent individually.
Re:Hurray! (Score:2)
One particular group in contention is the red wolf [wikipedia.org]. There are few enough red wolves left that if they are inde
Re:It's that Damn Llama's Fault (Score:2)
I'm waiting for someone to suggest Amarok [kde.org] for Linux. It's most definitely the best player I've ever used.
Oh (Score:5, Funny)
Re:Oh (Score:3, Funny)
Wait'll the next version comes out. They'll be collecting credit card numbers and automatically billing your account so you won't even have to order the enlarging pills they'll simply show up in your mailbox along with the bank notice that your account is empty.
Re:Oh (Score:2)
Re:Oh (Score:1)
So now it... (Score:5, Funny)
Re:So now it... (Score:3, Insightful)
Re:So now it... (Score:1)
Who else has the time?
Re:So now it... (Score:2)
Who else has the time?
Anarchists, bohemians, script kiddies, heathens, zealots...
Download link to latest version. (Score:4, Informative)
That should solve the problem, but... (Score:1, Interesting)
Re:Download link to latest version. (Score:3, Informative)
Change the download URL from this:
http://download.nullsoft.com/winamp/client/winamp5 13_full_emusic-7plus.exe [nullsoft.com]
to this:
http://download.nullsoft.com/winamp/client/winamp5 13_full.exe [nullsoft.com]
Then there's no more Emusic bundle. This url is not listed anywhere on the site.
Quintessential Player? (Score:2)
Note that it says you can rip CDs at full speed. WinAmp requires you to pay to do that.
Vulnerability is optional (Score:5, Informative)
I know you will all correct me if I'm wrong, but if you don't have the .pls as a trigger for Winamp as a plugin, you're not vulnerable. Just set your browser to do something else with .pls (like offer to download). Or trash the file type association or set it for something other than Winamp.
Or if you're a luddite like me and can't stand plugins, prevent them all from working by commenting out the plugins lines in:
C:\Program Files\Common Files\mozilla.org\GRE\ [version here] \greprefs\all.js
This is assuming you use Mz or FF for web on Windows like a sensible person.
Re:Vulnerability is optional (Score:3, Informative)
Or upgrade your Winamp to 5.13.
Re:Vulnerability is optional (Score:3, Insightful)
The grandparent poster's suggestion was assuming the user had Windows because the discussion is about fucking WINAMP, a WINDOWS program. I'd say anyone using Windows who was sensible would indeed use Firefox (or Opera), as the GP said.
You don't need to jump on every comment tha
Move Along (Score:5, Informative)
As usual, nothing to see here...
From ZDNet Asia: The flaw was disclosed on Monday, when Winamp maker Nullsoft, a division of America Online, released an update to fix it. The company posted version 5.13 of Winamp, while Secunia and other security companies issued alerts about the problem. Secunia rated the issue "extremely critical," its highest rating.
Flaw detected and removed. New version of Winamp out. Get the new version. Protected. Not much more difficult than that. Shouldn't there a be a "Software Vulnerabilties" section to Slashdot, where these things could be posted?
Re:Move Along (Score:1, Interesting)
Re:Move Along (Score:5, Informative)
That's certainly an option, however Winamp is a hugely popular media player. I'm sure many Slashdot readers have Winamp, and wouldn't visit such a section regularly, so fairly 'big' stories like this should at least be posted to the front page too. At the very least, I know now that I need to update Winamp.
Re:Move Along (Score:1, Insightful)
Re:Move Along (Score:1)
As soon as the code was found, a patch was released and the company prompted casual users to download the update.
What exactly is the big deal here?
Re:Move Along (Score:2)
Flaw detected and removed. New version of Winamp out. Get the new version. Protected.
Well, there's that much to see - if you use Winamp, you should download the latest version. Now I don't use Winamp, but before I read this article I didn't even know there was a vulnerability, let alone a fix for it. In that sense, there's certainly something here for me to see.
Re:Move Along (Score:2)
Yeah, because Winamp has an autoupdate feature, right?
Foobar2000 (Score:5, Informative)
It's so awesomely customisable, it hurts.
Re:Foobar2000 (Score:2)
Also scales easily to the 10,000 track range while still being fast, and has excellent device connectivity options. Plus it's fully scriptable.
(I have no relation to it other than very happy user)
Re:Now I know.. (Score:2)
how pretty does it need to be?
Re:Now I know.. (Score:2)
Re:Now I know.. (Score:2)
I like it for the very low CPU usage and memory footprint. It easily displays 10,000 tunes on my old P3 450mhz. I reckon an old 233mhz would cope fine with it too.
The customisable, RegEx style playlist display formats are also great (if a little complex).
If you need an MP3 player, that also plays every other type of audio format under the sun, then get Foobar2000. An audio player that just plays aud
(ot) Re:Now I know.. (Score:3, Informative)
1) It fits in with your current theme, so if you're using the toy Windows XP theme, it's going to look like that.
2) Nobody thinks that's a good answer, so if you want a better-looking foobar you'll need Columns UI (which you get if you downloaded Full) and see the faqs [morbo.org] for it. You can get formatting strings here [nub4life.net]. (Azrael is sexy.)
Slashdot runs winamp? (Score:2)
Nice work!
There are other applications to use (Score:4, Informative)
Re:There are other applications to use (Score:2)
Except qmail [cr.yp.to].
Meanwhile the rest of the world thinks that they have to choose between functionality and security and manage to get neither particularly well.
Re:There are other applications to use (Score:2)
Strange (Score:1, Insightful)
A fixed version of Winamp was released even before any of the mainstream media had published their reports. Isn't this rehashing the same?
Winamp 5.12 and older are vulnerable? Wasn't this the point of the original article? What does this have to offer than the same old story when it comes to all software. Upgrade to remove those nasty bugs.
I believe you can find the fixed version here, its been there for a week:
http://www.winam [winamp.com]
Interesting (Score:1)
last exploit I remember of winamp (Score:3, Informative)
Re:last exploit I remember of winamp (Score:2)
Disaster? NSV streams are the ONLY decent internet TV channels I've come across. Some channels like "Freedom TV" have very good content most of the time. Other channels like the "'50's commercials" channel is good for killing a few minutes too. Other channels vary in quality from program to program, but are often interesting, at least. I wouldn't recomend throwing away your TV because of them, but it's a lot better th
Problem? (Score:4, Informative)
The time from exploit to patch was very fast.
better then the length it takes other software developers to release a patch..
http://www.eeye.com/html/research/upcoming/index.
Earlier versions may also be affected. (Score:1, Interesting)
anyone know if this is a 5.x problem? I still use 2.91. couldn't find any reliable info anywhere :(
Re:Earlier versions may also be affected. (Score:2)
Anyway, to answer your queston, so long as you don't have a browser plugin you shouldn't be vulnerable.
Still lite (Score:3, Informative)
you dont HAVE to install the library,
you dont HAVE to install the modern skin support,
remove those 2 and your practicaly using winamp 2.9 with alot of bug fixes and speedups... so i dont see what all the complaining and whining is about
Version 5.13 Already Out (Score:4, Informative)
I don't know what's worse on Slashdot, a dupe, a roland, or old news.
Re:Version 5.13 Already Out (Score:2)
Re:Version 5.13 Already Out (Score:2)
Re:Version 5.13 Already Out (Score:2)
Winamp (Score:1, Flamebait)
Re:Winamp (Score:2)
Re:Winamp (Score:2)
And confusing the issue... (Score:1)
Meh (Score:2)
Just one question (Score:5, Insightful)
If so, why are there currently no OS X viruses yet when we see an active WinAMP exploit?
Food for thought.
Just one more question (Score:2)
Why the Anon post?
The point is that many people claim OS X is not a target for virus writers beccause the numbers are too small. Yet the numbers for Winamp are smaller - so why do we see a virus for Winamp and not for OS X?
The reason it was modded up i
Again? (Score:2)
I moved to a player with a good media library years ago. Even if that's not for you, consider something like Foobar2000.
Re:Again? (Score:2)
Jeez. I use Winamp 2.10 (Score:2)
It works flawlessly. It's teenie-tiny. It's appealing to look at. .
Am I missing something here. . ? The only reason I ever go for updates on software is in the hope that an annoying design flaw is fixed, or that a much-needed feature will be added. When I finally load something onto my machine which does exactly what I want, I sigh with relief and then move on to other interests.
I'm fairly certain guys like me are not well liked around
Re:Why don't they make a law... (Score:3, Insightful)
There is nothing wrong with telling people how to fuck up their computers as well.
There is however something wrong if you use these tools to automatically fuck up other peoples computers.
Re:Why don't they make a law... (Score:3, Informative)
The best thing to do is to use technologies that encourage secure programming. We're talking about garbage collected languages, for instance, that reduce the risks of buffer overflows. And beyond that, start using BSD or Linux rather than Windows. Of course the list goes on and on.
Re:javascript, always (*(&^JAVASCRIPT (Score:1)
of the browsers having this enabled, the "solution" is a non-issue.
The people I've set up who care about safer browsing have accepted my turning off
Javascript in IE6 and leaving it on with Firefox. They are free to choose whichever.
And if a webpage cannot display with either client -- they don't need to got there.