Critical Winamp bug threat to PC users

Hack exploits Winamp music player to hijack PCs

Security companies have warned Winamp users that the music player application has a bug that could give attackers the means to hijack PCs.

According to Danish vulnerability tracker Secunia and eEye Digital Security of California, the Winamp 5.34 plug-in that decodes MP4 files is flawed. If a specially crafted MP4 file is fed to the player, an attacker could compromise the machine and execute his own malicious code remotely.

Secunia rated the bug ‘highly critical’, its second-most-dire level in a five-step scoring system; eEye simply dubbed it a ‘high’ risk.

"A media player remote code execution vulnerability has a very high impact since the source of the malicious payload can be any site on the internet," said eEye's alert. "An even more critical problem is generated when clients are administrators on their local hosts, which would run the malicious payload with administrator credentials."

Windows XP users, for example, typically run the operating system using an administrator account.

One bright spot, said eEye, was that because Winamp does not open MP4 files embedded in a website, attackers would have to dupe users into launching the malicious file. The most likely delivery vehicles: MP4 files attached to email messages or a link to a site from which the file could be downloaded. "This could add a level of suspicion to the exploit delivery, but since music sharing is such a common activity, the suspicious activity might be dismissed by the user," said eEye.

With a patch yet to come from Nullsoft, eEye recommended that users disassociate the .mp4 extension from Winamp by choosing Options/Preferences, then General Preferences/File Types and deselecting MP4.

www.computerworld.com

