Windows XP, Winamp Security Flaws Patched

Internet security consultants Foundstone Research Labs has issued a
‘critical’ warning that the popular MP3 and WMA digital music formats can be used to
attack users of Windows XP and Nullsoft’s Winamp because of buffer
overflow vulnerabilities in the way those file formats are handled.

Microsoft confirmed the hole in its 72nd security bulletin and urged users of the Windows XP operating system to
immediately apply a patch.

Foundstone gave the vulnerability its highest warning label, saying
that it is very easy to exploit. “The MP3 does not need to be played, it
simply needs to be stored in a folder that is browsed to, such as an MP3
download folder, the desktop, or a NetBIOS share. This vulnerability is also
exploitable via
Internet Explorer by loading a malicious web site. Microsoft’s WMA files
also suffer from a similar vulnerability,” the company warned.

It said the vulnerability can be exploited to allow an intruder to take
complete control over a user’s machine. In Windows XP, Foundstone said
malicious code can be shuttled through the hole when a user simply hovers
the cursor over the file icon for the offending MP3 file or opens a folder
where the file is stored.

If a user’s system is compromised, Foundstone said an attacker would get
complete control of the PC to run tasks like creating, modifying, deleting
information or even reconfiguring the entire system, reformatting the hard
drive or executing other harmful programs.

“Upon folder access, Explorer would execute the code contained within the
file attributes. The code could
do anything from running a reverse shell to infecting other MP3 files on the
computer.”

The security firm said users of Windows 2000 or other non-Windows XP
operating systems were unaffected, noting that even MP3s with corrupt
attributes will play fine on those operating systems with most players.

It also found two additional attack vectors for XP users via a web
browser as well as the Microsoft Outlook e-mail client. In those scenarios,
a malicious website could contain an IFRAME of a NetBIOS share that holds a
malicious MP3 file.

“Similarly, an email could be sent to an Outlook user containing HTML
that references the NetBIOS share. Depending on Outlook security settings
and preferences, this attack may not be directly exploitable via an email
message. However, if the user browses to a malicious web site with Internet
Explorer directly, the attack will work regardless of the Internet Explorer
security settings,” Foundstone warned.

The flaw comes at a crucial time for Microsoft, which is aggressively
moving to position the XP operating system as a digital entertainment hub
for end users. Just this week, the company rolled out the Plus Digital
Media Edition and final versions of the popular MovieMaker and Windows
Media Player (WMP) software, products that support the MP3 and WMA file
formats.

Foundstone also warned that Nullsoft’s Winamp media player, owned by AOL
Time Warner, contained the bug. “One buffer overflow
exists in Winamp 2.81 (latest 2.x release) and two buffer overflows exist in
Winamp 3.0 (latest 3.x release),” Foundstone said, urging users of the
popular media player to download fixes urgently.

Both Winamp versions 2.81 and 3.0 are vulnerable, the company said. If a
long Artist ID3v2 tag is present within an MP3, Winamp 2.81 will crash,
yielding privileges immediately upon loading the MP3. In version 3.0, there
are two media library overflows. If an MP3 that has an ID3v2 tag is loaded
into Winamp 3.0, the Artist and Album fields of the ID3v2 tag are displayed
within the Media Library window of Winamp3, the company said.

“An attacker could create a malicious MP3 file, that if loaded via the
Media Library window, would compromise the system and allow for remote code
execution,” Foundstone said, noting that an attacker could create a
malicious MP3 file that exploits either the overflow of the Artist ID3v2 tag
or the Album ID3v2 tag (or both). “For either overflow to occur, the user
has to attempt to load the MP3 file from the Media Library by at least
single clicking on either the MP3 via the Artist or Album window.”
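The two Winamp overflows described above come from the same root cause: the Artist and Album text frames of an ID3v2 tag are attacker-controlled data of attacker-controlled length, copied into fixed-size fields. The following is an added example, not code from the article, Foundstone or Nullsoft. It is a bounds-checked ID3v2.3 tag reader in C that extracts the TPE1 (Artist) and TALB (Album) frames into fixed display fields without ever trusting a size taken from the file, and counts frames whose text exceeds the field, which is the check a scanner for oversized tags would apply. The frame names TPE1 and TALB come from the ID3v2.3 specification; FIELD_MAX, id3v2_check, make_tag and the constructed tag bytes are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed display field, like a media-library column. The overflow class in the
   article is an unchecked copy of a long tag into a buffer of this kind. */
#define FIELD_MAX 64

typedef struct {
    int ok;               /* 1 if the tag parsed and every text field fit */
    int oversized_frames; /* TPE1/TALB frames longer than the field */
    char artist[FIELD_MAX];
    char album[FIELD_MAX];
} id3_result;

/* The ID3v2 tag size is a 28-bit "synchsafe" integer: 4 bytes, 7 bits each. */
static uint32_t synchsafe(const uint8_t *p) {
    return ((uint32_t)(p[0] & 0x7f) << 21) | ((uint32_t)(p[1] & 0x7f) << 14) |
           ((uint32_t)(p[2] & 0x7f) << 7) | (uint32_t)(p[3] & 0x7f);
}

/* Copy at most FIELD_MAX-1 bytes and always NUL-terminate; report truncation. */
static int bounded_copy(char *dst, const uint8_t *src, uint32_t len) {
    uint32_t n = len < FIELD_MAX - 1 ? len : FIELD_MAX - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len > FIELD_MAX - 1;
}

/* Parse an ID3v2.3 tag at the start of buf. Returns 1 if a tag was read
   (see out->ok for whether the fields fit), 0 if absent or malformed. Every
   size from the file is checked against the bytes actually present. */
int id3v2_check(const uint8_t *buf, size_t buflen, id3_result *out) {
    memset(out, 0, sizeof *out);
    if (buflen < 10 || memcmp(buf, "ID3", 3) != 0) return 0; /* no tag */
    if (buf[3] != 3) return 0;                                 /* v2.3 only */
    uint32_t tagsize = synchsafe(buf + 6);
    if (tagsize > buflen - 10) return 0; /* header claims more than we have */

    size_t pos = 10, end = 10 + tagsize;
    while (pos + 10 <= end) {
        const uint8_t *fh = buf + pos;
        if (fh[0] == 0) break; /* padding reached */
        /* v2.3 frame sizes are plain big-endian 32-bit, not synchsafe */
        uint32_t fsize = ((uint32_t)fh[4] << 24) | ((uint32_t)fh[5] << 16) |
                         ((uint32_t)fh[6] << 8) | fh[7];
        if (fsize > end - (pos + 10)) return 0; /* frame overruns tag: reject */
        const uint8_t *body = fh + 10;
        if (fsize >= 1 && (memcmp(fh, "TPE1", 4) == 0 || memcmp(fh, "TALB", 4) == 0)) {
            char *dst = fh[1] == 'P' ? out->artist : out->album;
            /* body[0] is the text-encoding byte; the text follows it */
            if (bounded_copy(dst, body + 1, fsize - 1)) out->oversized_frames++;
        }
        pos += 10 + fsize;
    }
    out->ok = (out->oversized_frames == 0);
    return 1;
}

/* Constructed test input (not a real file): a minimal ID3v2.3 tag with one
   TPE1 frame whose text is artist_len bytes of 'A'. Returns bytes written. */
size_t make_tag(uint8_t *buf, size_t buflen, uint32_t artist_len) {
    uint32_t fsize = 1 + artist_len;  /* encoding byte + text */
    uint32_t tagsize = 10 + fsize;    /* one frame header + body */
    if (tagsize > 0x0fffffff || buflen < 10 + tagsize) return 0;
    memcpy(buf, "ID3\x03\x00\x00", 6);
    buf[6] = (tagsize >> 21) & 0x7f; buf[7] = (tagsize >> 14) & 0x7f;
    buf[8] = (tagsize >> 7) & 0x7f;  buf[9] = tagsize & 0x7f;
    memcpy(buf + 10, "TPE1", 4);
    buf[14] = fsize >> 24; buf[15] = (fsize >> 16) & 0xff;
    buf[16] = (fsize >> 8) & 0xff; buf[17] = fsize & 0xff;
    buf[18] = 0; buf[19] = 0; /* frame flags */
    buf[20] = 0;              /* ISO-8859-1 text encoding */
    memset(buf + 21, 'A', artist_len);
    return 10 + tagsize;
}

/* Run the three cases a reviewer would want: a normal tag, an oversized
   Artist tag, and a frame size that overruns the tag. Returns 1 if all behave. */
int demo_checks(void) {
    static uint8_t buf[4096];
    id3_result r;
    size_t n = make_tag(buf, sizeof buf, 10);
    if (id3v2_check(buf, n, &r) != 1 || !r.ok || strcmp(r.artist, "AAAAAAAAAA") != 0) return 0;
    n = make_tag(buf, sizeof buf, 2000);
    if (id3v2_check(buf, n, &r) != 1 || r.ok || r.oversized_frames != 1 ||
        strlen(r.artist) != FIELD_MAX - 1) return 0;
    n = make_tag(buf, sizeof buf, 10);
    buf[17] = 0xff; /* frame now claims 255 bytes inside an 11-byte body */
    if (id3v2_check(buf, n, &r) != 0) return 0;
    return 1;
}

int main(void) {
    printf("id3v2 checks %s\n", demo_checks() ? "passed" : "FAILED");
    return 0;
}
```

The oversized case is the interesting one: the parser keeps working, truncates the field, and reports the frame, so a library that scans a download folder can flag such files rather than crash on them. Rejecting any frame whose declared size runs past the tag is what stops a forged length from turning into an out-of-bounds read.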

Like Microsoft, Nullsoft confirmed the flaws and released fixes for both
versions of its Winamp software.

The specter of using digital music files as hacking tools raised eyebrows
in the peer-to-peer space, especially with the controversial plan by the
Recording Industry Association of America (RIAA) to legally
target file-sharers
in its fight against music piracy.

In September, a House Judiciary subcommittee held a raucous hearing on the
controversial anti-piracy file sharing bill, which would give the RIAA
legal powers to hack into a user’s PC to find copyright-protected digital
music files.

The bill was sponsored by Reps. Howard Berman (D-Calif.), Howard
Coble (R-N.C.), Lamar Smith (R-TX), and Robert Wexler (D-FL).
