WinXP and WinAmp Vulnerable to Malicious MP3s

mypenwry writes "Foundstone, a Mission Viejo, CA security services company, is reporting several vulnerabilities that would allow malicious code embedded in MP3 and WMA files to be executed via WinXP and WinAmp. WinAmp versions 2.81 and 3.0 are vulnerable to buffer overflows via certain long ID3v2 tags when MP3 files are loaded. More troubling is the WinXP vulnerability: a buffer overflow exists in Explorer's automatic reading of MP3 or WMA (Windows Media Audio) file attributes in Windows XP. An attacker could create a malicious MP3 or WMA file that, if placed in an accessed folder on a Windows XP system, would compromise the system and allow for remote code execution. The MP3 does not need to be played; it simply needs to be stored in a folder that is browsed to, such as an MP3 download folder, the desktop, or a NetBIOS share. This vulnerability is also exploitable via Internet Explorer by loading a malicious web site. Explorer automatically reads file attributes regardless of whether or not the user actually highlights, clicks on, reads, or opens the file. Windows XP's Explorer will overflow if corrupted attributes exist within the MP3 or WMA file. Microsoft has issued a fix for this vulnerability. Nullsoft has posted fixed versions of WinAmp 2.81 and 3.0 on their web site."
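Both overflows in the story have the same shape: a tag parser reads a length field out of the file and copies that many bytes into a fixed-size buffer, so the file, not the destination, decides how much gets written. The following is an added example, not Foundstone's, Nullsoft's or Microsoft's code: a minimal ID3v2 title-frame (TIT2) parser with the three checks a safe one needs (tag size against file size, frame size against tag size, copy length against destination size), next to the unchecked copy that produces the bug. The sample tags are constructed inline, and the 64-byte title buffer, the function names and the return codes are assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TITLE_MAX 64   /* size of the fixed destination buffer (demo assumption) */

enum { ID3_OK = 0, ID3_NOT_ID3, ID3_TRUNCATED, ID3_BAD_FRAME };

struct id3_info {
    char title[TITLE_MAX];
    int  title_found;
};

/* ID3v2 header sizes (and v2.4 frame sizes) are "synchsafe": 7 bits per byte, MSB clear. */
static uint32_t synchsafe(const uint8_t *p) {
    return ((uint32_t)(p[0] & 0x7f) << 21) | ((uint32_t)(p[1] & 0x7f) << 14) |
           ((uint32_t)(p[2] & 0x7f) << 7)  |  (uint32_t)(p[3] & 0x7f);
}

/* ID3v2.3 frame sizes are plain big-endian. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* The bug's shape: the frame's declared size drives the copy, the destination's size
 * does not. A frame longer than TITLE_MAX smashes whatever follows dst in memory.
 * Shown for contrast only; nothing below calls it. */
void copy_title_unchecked(char dst[TITLE_MAX], const uint8_t *data, uint32_t declared_size) {
    memcpy(dst, data, declared_size);
    dst[declared_size] = '\0';
}

/* Hardened parser: every length read from the file is checked against what is actually
 * present, and every copy is bounded by the destination. */
int parse_id3v2(const uint8_t *buf, size_t len, struct id3_info *out) {
    memset(out, 0, sizeof *out);
    if (len < 10 || memcmp(buf, "ID3", 3) != 0) return ID3_NOT_ID3;
    uint8_t major = buf[3];
    if (major != 3 && major != 4) return ID3_NOT_ID3;

    uint32_t tag_size = synchsafe(buf + 6);
    if (tag_size > len - 10) return ID3_TRUNCATED;             /* header lies about tag length */

    const uint8_t *p = buf + 10, *end = buf + 10 + tag_size;
    while ((size_t)(end - p) >= 10) {                           /* room for a frame header */
        if (p[0] == 0) break;                                    /* padding: no more frames */
        uint32_t fsize = (major == 4) ? synchsafe(p + 4) : be32(p + 4);
        if (fsize > (size_t)(end - p) - 10) return ID3_BAD_FRAME; /* frame lies about its length */

        const uint8_t *data = p + 10;
        if (memcmp(p, "TIT2", 4) == 0 && fsize >= 1) {          /* title: encoding byte + text */
            size_t n = fsize - 1;
            if (n > TITLE_MAX - 1) n = TITLE_MAX - 1;            /* bound by destination, keep NUL */
            memcpy(out->title, data + 1, n);
            out->title[n] = '\0';
            out->title_found = 1;
        }
        p = data + fsize;
    }
    return ID3_OK;
}

/* Constructed sample: an ID3v2.3 tag holding one TIT2 frame. 'declared' is the size
 * written into the frame header, which need not match the real text length. */
static size_t build_tag(uint8_t *out, size_t cap, const char *text, size_t text_len, uint32_t declared) {
    uint32_t tag_size = (uint32_t)(10 + 1 + text_len);         /* frame header + encoding + text */
    size_t total = 10 + tag_size;
    if (total > cap) return 0;
    memcpy(out, "ID3\x03\x00\x00", 6);
    out[6] = (uint8_t)((tag_size >> 21) & 0x7f); out[7] = (uint8_t)((tag_size >> 14) & 0x7f);
    out[8] = (uint8_t)((tag_size >> 7) & 0x7f);  out[9] = (uint8_t)(tag_size & 0x7f);
    memcpy(out + 10, "TIT2", 4);
    out[14] = (uint8_t)(declared >> 24); out[15] = (uint8_t)(declared >> 16);
    out[16] = (uint8_t)(declared >> 8);  out[17] = (uint8_t)declared;
    out[18] = out[19] = 0;                                       /* frame flags */
    out[20] = 0;                                                 /* text encoding: ISO-8859-1 */
    memcpy(out + 21, text, text_len);
    return total;
}

/* Honest tag: parses and yields the title. Returns 1 on success. */
int demo_benign(void) {
    uint8_t buf[128]; struct id3_info info;
    size_t n = build_tag(buf, sizeof buf, "Whip the llama", 14, 15);
    return parse_id3v2(buf, n, &info) == ID3_OK && strcmp(info.title, "Whip the llama") == 0;
}

/* Frame header claims 2 GB of title; 14 bytes follow. Unchecked code would copy 2 GB
 * into a 64-byte buffer. Expect ID3_BAD_FRAME. */
int demo_lying_frame_size(void) {
    uint8_t buf[128]; struct id3_info info;
    size_t n = build_tag(buf, sizeof buf, "Whip the llama", 14, 0x7fffffffu);
    return parse_id3v2(buf, n, &info);
}

/* Tag header claims more bytes than the file holds. Expect ID3_TRUNCATED. */
int demo_truncated_tag(void) {
    uint8_t buf[128]; struct id3_info info;
    size_t n = build_tag(buf, sizeof buf, "Whip the llama", 14, 15);
    return parse_id3v2(buf, n - 5, &info);
}

/* Honestly sized but very long title, the "certain long ID3v2 tags" case.
 * Returns the stored title length: TITLE_MAX - 1, never more. */
int demo_long_title(void) {
    uint8_t buf[1024]; struct id3_info info;
    char big[600]; memset(big, 'A', sizeof big);
    size_t n = build_tag(buf, sizeof buf, big, sizeof big, (uint32_t)sizeof big + 1);
    if (parse_id3v2(buf, n, &info) != ID3_OK) return -1;
    return (int)strlen(info.title);
}

int main(void) {
    printf("benign=%d lying=%d truncated=%d long=%d\n",
           demo_benign(), demo_lying_frame_size(), demo_truncated_tag(), demo_long_title());
    return 0;
}
```

Two of the three checks reject the file outright; the third (the copy bound) silently truncates the title, which is the right call for a player or a file browser that only wants to display it. Whether a parser truncates or rejects is a design choice; what it must never do is let a length from the file pick the copy size.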
  • by graikor ( 127470 ) on Thursday December 19, 2002 @10:46AM (#4922546) Journal
    Why hasn't Microsoft just changed the way it handles buffers to eliminate the weekly discovery of yet another buffer overflow exploit that compromises security? It's obvious to just about everyone else that any buffer that doesn't ignore excessive input will be a problem in the future - why does Microsoft insist on treating each one of these issues as though it was a totally new problem instead of making a global change to secure the OS from this kind of hack?
  • by tps12 ( 105590 ) on Thursday December 19, 2002 @10:46AM (#4922548) Homepage Journal
    This is more of a curiosity than any sort of danger. Most of us, when we get a new mp3 file, give it a listen to make sure it's not mislabeled, doesn't cut off in the middle of the song, and sounds okay. We throw out or fix the ones that aren't up to our standards. So the number of people who would let one of these dangerous mp3s just sit there and be scanned is probably pretty small. And as is usually the case when something like this is discovered, they probably deserve what they get for being such idiots.
  • by Anonymous Coward on Thursday December 19, 2002 @10:48AM (#4922564)
    ...a machine can be hacked through the mp3 player. This is all not so Windows centric either, many software developers need to get a clue.
  • by AKnightCowboy ( 608632 ) on Thursday December 19, 2002 @10:48AM (#4922568)
    Click the Windows Update button and reboot and you're fixed. Or if you're like many people, the fix has already installed during an automatic update check last night. This isn't really news unless Slashdot is merging with Bugtraq (Slashtraq? Bugdot?). Are we just posting this to bash Microsoft once again? Automatic updates were one of the best new features they added to Windows and they make life much easier. Oh and no, I don't wrap tinfoil around my head worrying whether Microsoft is going to invade my PC and lock me out of it.
  • How long before... (Score:3, Interesting)

    by bryhhh ( 317224 ) on Thursday December 19, 2002 @10:49AM (#4922571)
    we see a worm exploiting this, remember the last worm [symantec.com] that was executed without even opening a file.
  • Versions?? (Score:5, Interesting)

    by bconway ( 63464 ) on Thursday December 19, 2002 @10:57AM (#4922632) Homepage
    Nullsoft has posted fixed version of WinAmp 2.81 and 3.0 on their web site.

    Is there a reason they haven't released a new version with the bugfix instead of just uploading a new copy with the _same release number and date_? Both versions are listed as released in early or middle August, and there's no bugfixes listed anywhere on the site in regards to this. Site [winamp.com]. Are they trying to hide that it's been fixed, or just don't want anyone to figure it out?
  • by gosand ( 234100 ) on Thursday December 19, 2002 @11:00AM (#4922650)
    This is more of a curiosity than any sort of danger. Most of us, when we get a new mp3 file, give it a listen to make sure it's not mislabeled, doesn't cut off in the middle of the song, and sounds okay. We throw out or fix the ones that aren't up to our standards. So the number of people who would let one of these dangerous mp3s just sit there and be scanned is probably pretty small. And as is usually the case when something like this is discovered, they probably deserve what they get for being such idiots.

    I don't think so. I know people who download a lot of stuff, and if you have it set up to download 100 MP3s overnight, your system could be compromised by morning. Are you going to listen to those 100 MP3s first thing in the morning?

    The kicker is that the odds you get compromised go up greatly if someone seeds Kazaa, or even a web page, with an infected MP3 file. They can see who is downloading it so they know the IP to attack. On a web page, they could get your IP out of the logs. I never thought an MP3 file would leave a system vulnerable, but I guess that is why this is a pretty scary vulnerability - nobody else would either.

  • Microsoft Security (Score:0, Interesting)

    by jellomizer ( 103300 ) on Thursday December 19, 2002 @11:06AM (#4922687)
    This type of stuff blows my mind. What the heck is MS doing underneath their code? They are music files; when played, if altered, you should get static at the worst. You take the MP3, get the label information if it has it, decode the rest of the information, convert it for your sound card, and you hear music. I see no good reason for the OS to really get involved except for opening and reading the file and allowing it to the sound card. I think MS should stop putting in these backdoors that hackers find and use.
  • by stratjakt ( 596332 ) on Thursday December 19, 2002 @11:08AM (#4922705) Journal
    >> why does Microsoft insist on treating each one of these issues as though it was a totally new problem instead of making a global change to secure the OS

    Palladium

    Oh wait, you don't want that.

    So what do you want?
  • by og_sh0x ( 520297 ) on Thursday December 19, 2002 @11:15AM (#4922747) Homepage
    Thanks to Boatboy for the explanation of buffer overflows [techtarget.com], but what I've never understood about buffer overflows is how it allows you to execute arbitrary code? Can anyone explain?
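The step from "the copy runs past the end of the buffer" to "attacker code runs" is that the bytes past the buffer are something the program later uses as an address. In the classic stack case that is the saved return address; the demo below uses a function pointer placed right after the buffer instead, because that keeps the demonstration deterministic and well-defined C on any compiler. This is an added example, not code from the story or from any of the affected products: the `struct track` layout, `on_loaded`, and the stand-in `attacker_code` function are assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy player record. The title buffer sits directly in front of a function pointer
 * the player calls after loading the tag: overrun the buffer and you choose what gets
 * called. A saved return address on the stack plays the same role in the classic
 * overflow; the mechanism is identical. */
struct track {
    char title[32];
    void (*on_loaded)(const struct track *);
};

static int player_ran, attacker_ran;

static void normal_handler(const struct track *t) { (void)t; player_ran = 1; }
/* Stand-in for shellcode. In a real exploit the overwritten address would point at
 * code the attacker shipped inside the file itself. */
static void attacker_code(const struct track *t) { (void)t; attacker_ran = 1; }

/* The bug: copies the tag's declared length into the record. Written through the
 * struct's byte representation so the demo stays well-defined C; a strcpy into
 * t->title with the same input would leave the same bytes in memory. */
static void load_title_unchecked(struct track *t, const uint8_t *tag, size_t tag_len) {
    memcpy((unsigned char *)t, tag, tag_len);
}

/* The fix: the copy is bounded by the destination, not by the file. */
static void load_title_checked(struct track *t, const uint8_t *tag, size_t tag_len) {
    size_t n = tag_len < sizeof t->title - 1 ? tag_len : sizeof t->title - 1;
    memcpy(t->title, tag, n);
    t->title[n] = '\0';
}

/* Constructed malicious tag: filler up to the pointer, then the address the attacker
 * wants called, in the machine's own pointer encoding. */
static size_t build_evil_tag(uint8_t *out) {
    void (*target)(const struct track *) = attacker_code;
    size_t off = offsetof(struct track, on_loaded);
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);
    return off + sizeof target;
}

/* Returns 1 when the attacker's function ran in place of the player's. */
int demo_hijack(void) {
    struct track t; uint8_t tag[sizeof t];
    player_ran = attacker_ran = 0;
    t.on_loaded = normal_handler;
    load_title_unchecked(&t, tag, build_evil_tag(tag));   /* overwrites on_loaded */
    t.on_loaded(&t);                                       /* jumps to attacker_code */
    return attacker_ran && !player_ran;
}

/* Same input through the bounded copy: the pointer is untouched. Returns 1. */
int demo_fixed(void) {
    struct track t; uint8_t tag[sizeof t];
    player_ran = attacker_ran = 0;
    t.on_loaded = normal_handler;
    load_title_checked(&t, tag, build_evil_tag(tag));
    t.on_loaded(&t);
    return player_ran && !attacker_ran;
}

int main(void) {
    printf("hijacked=%d fixed=%d\n", demo_hijack(), demo_fixed());
    return 0;
}
```

Everything the attacker needs is in the file: the filler length (the distance from the buffer to the address) and the address bytes themselves. Stack cookies, non-executable stacks (the Openwall patch mentioned later in the thread) and address randomisation each attack one link in that chain; the bounded copy removes the overwrite altogether.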
  • llama (Score:2, Interesting)

    by xavii ( 92017 ) on Thursday December 19, 2002 @11:22AM (#4922784)
    Winamp it whips the llama's .... FORMAT C: ?!!??!? WAH?

    my vinyl never buffer overflowed, you just couldn't dance too close to the record player.

    CERT Advisory: Auto Advance track on All models and versions of record players.

    Proof of concept: Jumping up and down.

    Patch: Upgrade to CD's but not mp3's.
  • The Next Nimda. (Score:4, Interesting)

    by Deathlizard ( 115856 ) on Thursday December 19, 2002 @11:22AM (#4922788) Homepage Journal
    And I thought Nimda was bad.

    When all of the college students here on campus had read/write shares on the network, Nimda spread at an alarming rate, especially since WinXP Home decided that you SHOULD have your Shared Documents folder open for read/write access after running one of those networking wizards.

    I could only imagine the hell a modified Nimda would be if it can now infect MP3 files. It wouldn't even have to spread infected .eml files anymore. You would just see a new MP3 in your read/write network share with thousands of other MP3s so you would never find it, and it would infect all of your MP3s in your read/write network share. Once you open the folder to pick a song it runs and infects all of your MP3s on the PC, then goes out and proceeds to infect every MP3 it can write to on the network that has read/write shares, and the process starts all over again while it formats your hard drive 7 days later.

    It's the RIAA Dream come true :P
  • by tbmaddux ( 145207 ) on Thursday December 19, 2002 @11:41AM (#4922913) Homepage Journal
    No mention of iTunes anywhere. Am I vulnerable? What about my iPod? Were they tested as well? Couldn't find any mention at the links provided and no test mp3s to try out.

    Give me full disclosure...

  • by Blkdeath ( 530393 ) on Thursday December 19, 2002 @11:42AM (#4922920) Homepage
    I'm sure there are exploitable buffer overflows in Vorbis too but as the format is so little used (relatively), hackers ain't looking for them. The day Vorbis is more popular than mp3 is the day the hackers change what they're targeting.

    Much like people used to claim in days of old that certain message base formats (BBS / FTN message 'echoes') were faster than others, this is also a bit of rubbish. The format doesn't contain vulnerabilities; the players that implement the format have vulnerabilities. It is, in point of fact, perfectly feasible to assume that the same, if only slightly different, vulnerability could possibly be exploited with the Ogg Vorbis format.

    Unchecked buffers (read: lazy/braindead programming and poor code audits) are at fault here. MP3 is merely the current carrier.

    But you're right; it is a feeble excuse to switch formats. It would be more apt to suggest that people switch to a different [musicmatch.com] player [xmms.org], or use a different [apple.com] operating [linux.org] system [freebsd.org], but I'm not going to do that.

  • by haplo21112 ( 184264 ) on Thursday December 19, 2002 @11:42AM (#4922921) Homepage
    I don't mean to be a pain in the ass here...but if the code has been patched and rebuilt on a different day shouldn't we at least see a different minor version in the help? I can understand fine at 488 is the code freeze version for the 3.0 release, however if a bug has been patched and a new release has been done should this be like 3.01 (3.0.1) or 488a just so that it's more immediately obvious this is an updated version from the 3.0 I have. If I didn't know about the bug, and I went to the site to see if there is a newer version, I wouldn't get the fixed version because I still see 3.0! Build dates are meaningless...and even less so if they are not even posted on the download page....
  • by burgburgburg ( 574866 ) on Thursday December 19, 2002 @11:50AM (#4922995)
    Convenient that downloaded "pirated" music files are now potential attack vectors. So much more effective an argument for DRM ("If it was legal and properly signed, you'd have nothing to worry about.").

    I wonder if the EULA on the MS patch for this will be overreaching and invasive?

  • CDDB (Score:3, Interesting)

    by laigle ( 614390 ) on Thursday December 19, 2002 @11:53AM (#4923024)
    The twitchy part is, even most people who rip their own music these days get the ID tags via some free database site, and those often take submissions. How hard would it be for somebody to just submit a bunch of malicious ID tags for popular albums?
  • by __aanonl8035 ( 54911 ) on Thursday December 19, 2002 @11:54AM (#4923028)
    I just wanted to point people to a project that tries to catch buffer overflows under Linux.

    freshmeat entry [freshmeat.net]
    homepage [avayalabs.com]
  • by Raul654 ( 453029 ) on Thursday December 19, 2002 @12:10PM (#4923165) Homepage
    My advisor, DL Mills [udel.edu] (the guy who invented NTP), said something a while back which this article somewhat reminds me of. He said that back in the day, people wrote operating systems in assembly. But the thing is, they just got way too f****** big and couldn't be maintained, even with the best of care. He said that today's operating systems are getting to that point as well, and maybe it's time for a new level of abstraction. Stuff like exception handling (among which automated buffer checking should be one), garbage collection, etc., should be built into the language, and leave the programmer to concentrate on more important things.

    So my question is, does anyone have any idea what this "new level of abstraction" might be?
  • by greenrd ( 47933 ) on Thursday December 19, 2002 @12:11PM (#4923168) Homepage
    Any code that reads input from "untrusted" sources (you can argue about what that includes, but it definitely should include "arbitrary, random Internet sites") should be "bulletproofed" against every theoretically possible input. But no, the culture of programming is not set up to do things that way, in too many *cough*MS*cough* cases.

  • Conspiracy theorist? (Score:3, Interesting)

    by phorm ( 591458 ) on Thursday December 19, 2002 @12:18PM (#4923221) Journal
    Winamp doesn't belong to MS, so we're probably just warning people.
    I'm not sure which is worse:
    a) Those that imagine everything MS does is attempt to rule the world
    b) Those that imagine every posting mentioning a bug in MS is a covert attack.

    Considering the amount of geeks here that are into Mp3's, or those that maintain networks (with users who play downloaded Mp3's, permitted or not), this warning sounds like it fits well on slashdot.
  • by yoz ( 3735 ) on Thursday December 19, 2002 @12:41PM (#4923437) Homepage

    Of course when there is no shareholder value to increase, priorities change. For examples of how this system works, please observe GNU/Linux.

    Or, more accurately, please observe GNU/Hurd which is a project several years old that is still nowhere near to a 1.0 release.

    Microsoft releases buggy software. So does Redhat. So does Debian. In fact, anyone who releases any reasonably complex code (and an entire operating system with loads of supporting packages is pretty damn complex) and claims that their code is entirely bug-free is lying. As has been pointed out elsewhere in this thread, Redhat 6 had a remote root exploit in its default install. Even OpenBSD, that bastion of religious security auditing, discovered recently that it was distributing a package with a hole in it.

    The simple reason is that you have to put up with releasing buggy software because otherwise you will never release. No QA system will be able to get rid of all the bugs. The best you can do is prioritise the bugs you have and try and get the most significant ones fixed in time for a reasonable shipping date.

    In terms of how good/buggy MS's code is, I think it's fantastic in some areas and terrible in others. I think that they are relatively weak and often irresponsible when it comes to security but they are learning. They share the same problems as any massive software development organisation, which is that as you grow it gets harder to enforce regimented coding practices. God knows they really have no excuse for bounds-checking errors (given the number of implementations of safe arrays they have lying around) other than policing this stuff is very hard, especially when it comes to legacy code.

    Besides, as I said earlier, OSS projects have security holes all the time. They just tend to be patched faster and have a smaller impact (due to smaller, more savvy audiences)

    -- Yoz

  • Re:XMMS too. (Score:2, Interesting)

    by Oliver Defacszio ( 550941 ) on Thursday December 19, 2002 @12:52PM (#4923544)
    A brief synopsis of what just happened: an OSS user waited for the commercial vendors to do the legwork of finding a particular bug, then spent two minutes looking to see if he was affected too and then released a patch that was still later than that of the commercial vendor.

    Sounds to me like the XMMS bug would never have been found (or at least not for a long while) if not for Microsoft/Winamp. You must be proud.

  • by yoz ( 3735 ) on Thursday December 19, 2002 @01:24PM (#4923821) Homepage

    Note that I said tend to. I recall that Mozilla had a couple of nasty exploits that were known about for months before being properly fixed.

    There's also the fact that "issuing a patch" can be an entirely different process for two different projects. OSS patches are usually:

    1. a slight change to the source
    2. some quick testing on a couple of machines
    3. issue of a source patch file through the usual channels
    4. updated tarballs and builds

    whereas, in MS's case, it probably looks more like:

    1. bug triage by project leads
    2. reassignment of busy coders
    3. slight change to the source
    4. create binary patch for Windows Update along with standalone exe
    5. send patch to QA lab for testing across hundreds of different setups
    6. once back from the QA lab, start the process of fast-tracking the patch to WU
    7. WU
    8. Updated builds pushed to distribution

    So yes, OSS is often faster, but you can see why. OSS is better able to handle a patch breaking something for some users, because it'll probably only be installed by power users who'll put up with it and know how to roll back, and the patch can be followed by a better patch. If a WU patch breaks something, even for only 10% of users, it's potentially disastrous because it's going out to everyone and 10% is still several million.

  • Re:Pathetic (Score:3, Interesting)

    by Reziac ( 43301 ) on Thursday December 19, 2002 @01:55PM (#4924046) Homepage Journal
    Thanks, that's good to know.

    Seems to me the solution is to whack budding programmers' knuckles with a ruler until they get in the habit of using bounds checking with each and every buffer their program requires, written on the spot and not tacked on as an afterthought. But considering that probably half the coders out there are self-taught and still have whatever good or bad habits they started with.. *sigh*

  • by moncyb ( 456490 ) on Thursday December 19, 2002 @02:28PM (#4924322) Journal

    There is a kernel level patch so that nothing can be executed in the stack, but a lot of people don't seem to want it. Actually, I think there are two competing patches. One of them is called Openwall [openwall.com].

    There are also libraries to combat this sort of problem as well. Such as the one another poster listed...

  • by frank_adrian314159 ( 469671 ) on Thursday December 19, 2002 @03:16PM (#4924785) Homepage
    does anyone have any idea what this "new level of abstraction" might be?

    Lisp.

    There's even been an OS built in the language. Seemed to work just fine. Problem was, that in those days, you needed special purpose hardware to run a Lisp-based OS on. You don't anymore, but the code has been lost to people who could do something useful with it in the mist of time and bankruptcy. Google for Genera and OpenGenera. Hint - once the base code is built into the system, you cannot have buffer overflows, uncaught exceptions, or uncaught arithmetic overflows. It's a good environment (as I can attest, having it running on my Symbolics Lisp Machine at home).

    Oh yeah, they have a great OO database, decent graphics, and all of the web crap you'll ever need, too.

  • Re:Pathetic (Score:2, Interesting)

    by ergo98 ( 9391 ) on Thursday December 19, 2002 @03:41PM (#4924971) Homepage Journal
    Seems to me the solution is to whack budding programmers' knuckles with a ruler until they get in the habit of using bounds checking with each and every buffer their program requires, written on the spot and not tacked on as an afterthought.

    There is a downside to bounds checking though: The natural evolution of the idea is a "managed" model like .NET or Java. While they offer safe environs, the extensive checking that they bring along with them (including garbage collection which is, to me, an absolutely ridiculous idea) is computationally costly. This is the reason why a Java applet on your super fast Athlon 2400+ feels like you're running a 486.

    But considering that probably half the coders out there are self-taught and still have whatever good or bad habits they started with..

    This has nothing to do with being self-taught or not: It has to do with the standards and processes that an organization sets on its code. It also has to do with a boss saying "I want all these features by next week as the top priority!" in reply to "I should probably spend some time hardening the code and auditing it for potential exploits" (a very, very common scenario).

  • Curious... (Score:2, Interesting)

    by ColeNielsen ( 635570 ) on Thursday December 19, 2002 @06:09PM (#4926128) Journal
    I've been a winamp user since windows 95 -> I've been a Micro$oft user since DOS -> I still use winamp because it's small, takes up nearly no memory and doesn't tax my processor with the right settings. It doesn't surprise me that this [vulnerability] was discovered, I knew that I could download an mp3 and it could harm my computer back in the day so I guess that someone finally decided to announce that they were unsafe??

    If the name Micro$oft appears on a product, it's guaranteed unsafe... if you are running a product on a Micro$oft product, it's guaranteed unsafe.

    I know Linux isn't perfect[to some it is], I know MAC OS isn't[to some it is], I know Windows isn't perfect[If anyone thinks it is, get informed then talk to me] Each have their own good and bad points but one of these takes the bad points from the other two, multiplies them by 10 and puts a price tag on it that is insane compared to the other two... GUESS WHO?
