In the early days of the MP3 era, many users’ first
player was Winamp. If you happen to be using Winamp
today, you better upgrade now to prevent a hacker from
stealing your tunes and possible a whole lot more.
US-CERT has issued an advisory for Winamp related to a buffer overflow vulnerability that could allow a hacker to execute arbitrary code.
The vulnerability stems from the way that Winamp handles playlists with long computer names. Of particular note is that not a whole lot of user interaction is required for a hacker to take advantage of the vulnerability.
In order to take advantage of the vulnerability, the
hacker will have to trick the user into opening the
maliciously crafted playlist file. According to the
advisory, this could happen without any user interaction
as the result of viewing a Web page or other HTML
document.
Users are advised to immediately update to Winamp
version 5.13 which corrects the flaw.
Winamp was originally created by Nullsoft, which was
bought by America Online in 1999. It competes with Microsoft
Windows Media Player, Real Networks Real Player and
Apple’s iTunes.
The current vulnerability is not the first time a
security flaw has appeared in Winamp. In 2004 a zero-day exploit targeted Winamp skins.
Winamp’s media peer have of course also been exposed to have security flaws over the years. Most recently, iTunes users were warned to update their QuickTime software in order to protect against a security vulnerability.