
Winamp update addresses three remote code execution vulnerabilities

Winamp 5.623 fixes vulnerabilities that can be exploited via maliciously crafted AVI files

Nullsoft has released Winamp 5.623, a new version of its popular media player application, in order to address three vulnerabilities that could allow remote attackers to execute arbitrary code on people's computers.

The security flaws were discovered by Dmitriy Pletnev from vulnerability management firm Secunia and an independent researcher named Hossein Lotfi, who reported his finding through the company's vulnerability coordination reward program (SVCRP).

All three vulnerabilities were confirmed in Winamp 5.622, but older versions could also be affected. They are located in the application's in_avi.dll and in_mod.dll libraries and can trigger heap-based buffer overflows.
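The defensive check this class of bug typically lacks, shown as an added illustration (not Winamp's code and not the actual flaw): a RIFF/AVI chunk walker that validates each chunk's declared size against the bytes remaining before trusting it. The two sample buffers are constructed, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Read a 32-bit little-endian field from a RIFF header. */
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the top-level chunks of a RIFF/AVI buffer. Returns the number of
 * chunks whose declared size fits inside the buffer, or -1 if a header
 * claims more bytes than remain: the condition a crafted file relies on
 * to drive an unchecked copy past the end of a heap allocation. */
int count_riff_chunks(const uint8_t *buf, size_t len) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "AVI ", 4) != 0)
        return -1;
    size_t pos = 12;
    int n = 0;
    while (pos + 8 <= len) {
        uint32_t size = rd32le(buf + pos + 4);
        /* Bound the attacker-controlled size by what is actually present. */
        if (size > len - (pos + 8))
            return -1;
        pos += 8 + size;
        if ((size & 1) && pos < len)   /* chunks are padded to even length */
            pos++;
        n++;
    }
    return pos == len ? n : -1;        /* a trailing partial header is malformed too */
}

/* Constructed sample: a well-formed stub with two small chunks. */
static const uint8_t GOOD[] = {
    'R','I','F','F', 26,0,0,0, 'A','V','I',' ',
    'J','U','N','K', 4,0,0,0, 'a','b','c','d',
    'i','d','x','1', 2,0,0,0, 'x','y'
};

/* Constructed sample: a chunk header claiming far more data than the file holds. */
static const uint8_t BAD[] = {
    'R','I','F','F', 26,0,0,0, 'A','V','I',' ',
    'm','o','v','i', 0xF0,0xFF,0xFF,0xFF, 'a','b','c','d'
};

int demo_good(void) { return count_riff_chunks(GOOD, sizeof GOOD); }
int demo_bad(void)  { return count_riff_chunks(BAD, sizeof BAD); }

int main(void) {
    printf("well-formed: %d chunks\n", demo_good());
    printf("crafted: %d (rejected)\n", demo_bad());
    return 0;
}
```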

An attacker could exploit these vulnerabilities by tricking victims into opening specially crafted AVI or Impulse Tracker (IT) files. The remote attack vectors include malicious files stored on network shares and WebDAV resources, but also rogue playlists hosted on the Web.

"The vulnerabilities can be remotely exploited by e.g. on a website hosting a .m3u playlist, which is automatically opened and played by Winamp when viewed," said Carsten Eiram, Secunia's chief security specialist.

Winamp 5.623 also fixes other non-security-related bugs in MP3, MP4, AAC and FLAC encoding and decoding components. In addition, it contains miscellaneous tweaks, improvements and optimizations.

Users should keep all of the applications installed on their computers up to date, especially those that can be targeted through browsers. Free tools like the Secunia Personal Software Inspector track thousands of programs and can alert users when security patches are available for them.
