Update your Winamp!

acemcmac

Lifer
Mar 31, 2003
13,712
1
0
Important part bolded.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA06-032A


Winamp Playlist Buffer Overflow

Original release date: February 1, 2006
Last revised: --
Source: US-CERT


Systems Affected

Microsoft Windows systems with Winamp 5.12 or earlier


Overview

America Online has released Winamp 5.13 to correct a buffer overflow
vulnerability. Exploitation of this vulnerability could allow a remote
attacker to execute arbitrary code with the privileges of the user.


I. Description

Winamp is a media player that is commonly used to play MP3 files.
Winamp 5.13 resolves a buffer overflow vulnerability in how playlist
files are handled. Details are available in the following
Vulnerability Note:

VU#604745 - Winamp fails to properly handle playlists with long
computer names

Winamp contains a buffer overflow vulnerability when processing a
playlist that specifies a long computer name. This may allow a remote
unauthenticated attacker to execute arbitrary code on a vulnerable
system.


II. Impact

By convincing a user to open a specially crafted playlist file, a
remote unauthenticated attacker may be able to execute arbitrary code
with the privileges of the user. Winamp may open a playlist file
without any user interaction as the result of viewing a web page or
other HTML document.



III. Solution

Upgrade

Upgrade to Winamp 5.13.


Appendix A. References

* US-CERT Vulnerability Note VU#604745 -
<http://www.kb.cert.org/vuls/id/604745>
* CVE-2006-0476 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0476>
* National Vulnerability Database (CVE-2006-0476) -
<http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-0476>
* WINAMP.COM | Player | Version History -
<http://www.winamp.com/player/version_history.php>
* WINAMP.COM | Player - <http://www.winamp.com/player>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-032A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-032A Feedback VU#604745" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

Feb 1, 2006: Initial release

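The advisory quoted above attributes the flaw to a playlist that specifies a long computer name. The following is an added example, not part of the original post and not Winamp's code: a bounded way to pull the computer name out of a playlist entry. It assumes the name arrives as the host part of a UNC path (`\\host\share\file`); the function names, return codes and the 255-byte limit are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX 255   /* assumed cap (DNS host name length), not from Winamp */

/* Return codes, hypothetical names for this example. */
enum { HOST_OK = 0, HOST_NOT_UNC = 1, HOST_INVALID = -1, HOST_TOO_LONG = -2 };

/* Copy the computer name from a UNC playlist entry into out[out_size].
 * The length is measured before any byte is copied, so an oversized
 * name is rejected instead of being written past the end of the buffer. */
int extract_unc_host(const char *entry, char *out, size_t out_size)
{
    if (entry == NULL || out == NULL || out_size == 0)
        return HOST_INVALID;
    out[0] = '\0';
    /* Only entries that start with two backslashes name a computer. */
    if (entry[0] != '\\' || entry[1] != '\\')
        return HOST_NOT_UNC;
    const char *host = entry + 2;
    size_t len = strcspn(host, "\\/\r\n");   /* name ends at next separator */
    if (len == 0)
        return HOST_INVALID;
    if (len > HOST_MAX || len >= out_size)   /* keep room for the NUL */
        return HOST_TOO_LONG;
    memcpy(out, host, len);
    out[len] = '\0';
    return HOST_OK;
}

/* Constructed sample input: an entry whose host part is n 'A' bytes. */
int check_long_name(size_t n)
{
    static const char tail[] = "\\share\\a.mp3";
    char entry[2048] = "\\\\";
    char host[HOST_MAX + 1];
    if (n > sizeof(entry) - 32)
        n = sizeof(entry) - 32;
    memset(entry + 2, 'A', n);
    memcpy(entry + 2 + n, tail, sizeof(tail));
    return extract_unc_host(entry, host, sizeof(host));
}

int main(void)
{
    printf("10 bytes: %d, 1000 bytes: %d\n",
           check_long_name(10), check_long_name(1000));
    return 0;
}
```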
 

Zanix

Diamond Member
Feb 11, 2003
5,568
12
81
Originally posted by: acemcmac
Originally posted by: virtueixi
winamp< itunes

itunes is a resource hog.

Seriously. Why the hell would someone decide NOT to update?

bundled adware?

seems like that's what was holding me back...
 

acemcmac

Lifer
Mar 31, 2003
13,712
1
0
Originally posted by: Zanix
Originally posted by: acemcmac
Originally posted by: virtueixi
winamp< itunes

itunes is a resource hog.

Seriously. Why the hell would someone decide NOT to update?

bundled adware?

seems like that's what was holding me back...

I have no idea what you're talking about :confused:

I always download the lite-est version I can find with the full media center and none of the modern skins. It's the best client for streaming divx across networks and it runs my home theatre... I love it.
 

Linflas

Lifer
Jan 30, 2001
15,395
78
91
From what that says as long as I make my own playlists there is no chance of this occurring. I'll stay with my tried and non-buggy 2.whatever version that I use.
 

Soccer55

Golden Member
Jul 9, 2000
1,660
4
81
Thanks for the heads-up. Just installed the "Lite" version and I haven't seen any adware installed.

-Tom
 

So

Lifer
Jul 2, 2001
25,923
17
81
Just an FYI for the people who are sticking with 2.xx -- 5.xx is the same base code as 2.xx, but it has a plugin that you can uninstall that should make it nearly identical to 2.xx but without the security holes.
 

yowolabi

Diamond Member
Jun 29, 2001
4,183
2
81
Originally posted by: Linflas
From what that says as long as I make my own playlists there is no chance of this occurring. I'll stay with my tried and non-buggy 2.whatever version that I use.

From the text above: "Winamp may open a playlist file without any user interaction as the result of viewing a web page or other HTML document."
 

Sureshot324

Diamond Member
Feb 4, 2003
3,370
0
71
Meh, I've switched to foobar2k. I don't care about the pretty skins anymore, since the mp3 player is always running in the background and I'm never looking at it.
 

Soccer55

Golden Member
Jul 9, 2000
1,660
4
81
Originally posted by: myusername
Fooooooooooobar ftw.
Also, why is AOL releasing an update version? Did AOL buy winamp?

I believe that they actually bought Nullsoft, but yea, basically.

-Tom