The popular skinning feature in Nullsoft’s WinAmp media player has
left the door wide open for malicious attackers to hijack PCs.
Security researchers at K-Otik discovered the vulnerability
and released details of a “Skinhead” zero-day exploit that is already
spreading in the wild. The exploit, which targets WinAmp versions 3.x
and 5.x, is being used to forcefully install spyware
and Trojans on infected systems.
Secunia has tagged the flaw as “extremely critical,” its highest
rating.
WinAmp skins have a huge following because they allow users to adopt
colorful, customizable and interchangeable sets of graphics that change
the look and feel of the software.
According to an advisory from Secunia,
the problem is caused due to insufficient restrictions on WinAmp skin
zip files (.wsz). It means a malicious Web site could use a specially
crafted WinAmp skin to place and execute arbitrary programs.
With Microsoft’s Internet Explorer browser, this
can be done without user interaction.
Analysis of the zero-day exploit shows that attackers are using an
XML
HTML document using the “browser” tag and get it to run in the “Local
computer zone”. “This can be exploited to run an executable program
embedded in the WinAmp skin file using the “object” tag and the
“codebase” attribute,” Secunia explained.
The vulnerability has been confirmed on a fully patched system with
WinAmp 5.04 using Internet Explorer 6.0 on Microsoft Windows XP SP1.
PivX Labs, which has also analyzed the attack vector, said that a
user visiting a Web site that hosts the Skinhead exploit will have their
browser redirected to a compressed WinAmp Skin file which has a WSZ file
extension, but which in reality is a ZIP file.
The company said the default installation of WinAmp registers the WSZ
file extension and includes an instruction to Windows and Internet
Explorer to automatically open the files. It leads to the fake WinAmp
skin being automatically loaded into the media player.
America Online owns Nullsoft.