Beware That WinAmp Skin
Page 1 of 1
The popular skinning feature in Nullsoft's WinAmp media player has left the door wide open for malicious attackers to hijack PCs.
Security researchers at K-Otik discovered the vulnerability
and released details of a "Skinhead" zero-day exploit that is already
spreading in the wild. The exploit, which targets WinAmp versions 3.x
and 5.x, is being used to forcefully install spyware
Secunia has tagged the flaw as "extremely critical," its highest rating.
WinAmp skins have a huge following because they allow users to adopt colorful, customizable and interchangeable sets of graphics that change the look and feel of the software.
According to an advisory from Secunia, the problem is caused due to insufficient restrictions on WinAmp skin zip files (.wsz). It means a malicious Web site could use a specially crafted WinAmp skin to place and execute arbitrary programs.
Internet Explorer browser, this
can be done without user interaction.
Analysis of the zero-day exploit shows that attackers are using an
The vulnerability has been confirmed on a fully patched system with WinAmp 5.04 using Internet Explorer 6.0 on Microsoft Windows XP SP1.
PivX Labs, which has also analyzed the attack vector, said that a user visiting a Web site that hosts the Skinhead exploit will have their browser redirected to a compressed WinAmp Skin file which has a WSZ file extension, but which in reality is a ZIP file.
The company said the default installation of WinAmp registers the WSZ file extension and includes an instruction to Windows and Internet Explorer to automatically open the files. It leads to the fake WinAmp skin being automatically loaded into the media player.