Winamp Media Player Opens Windows to System Hijacking

By Lisa Vaas  |  Posted 2007-12-11 Print this article Print

An attacker could exploit the flaw with a malicious MP4 file to trigger the buffer overflow.

Even as Microsoft prepared to release critical updates for flaws in multimedia frameworks and APIs, proof-of-concept exploit code came out over the weekend that shows how an attacker can target the Winamp multiformat media player, a media player from Nullsoft that runs on Windows and is second only to Windows Media Player in worldwide popularity.

Symantec on Dec. 8 produced a security advisory warning that attackers can take over systems due to a vulnerability in how Winamp processes some MP4 files. Nullsoft has since addressed the issue, which boils down to a buffer overflow problem, in Winamp 5.35. The problem affects Winamp 5.02 through 5.34.
An attacker would exploit the flaw by putting together a malicious MP4 file to trigger the buffer overflow. According to Symantec, the file could include replacement memory addresses, arbitrary code and NOP (No Operation) commands, which are assembly language commands that do nothing besides waste CPU clock cycles.
Such a rigged file could be distributed via e-mail or other means. A successful exploit could give an attacker full control of a system. Symantec hasn't yet seen any exploits in the wild. Symantec is advising users that if they can't immediately install the patch, they should deploy network intrusion detection to monitor network traffic for suspect activity, including NOP commands and unexplained traffic that may originate from exploitation attempts or a successful system takeover. Also, Symantec is warning users to stay away from files coming from untrusted or unknown sources—particularly when it comes to using Winamp to load such files. Nullsoft's patch can be downloaded here. Check out's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.
Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel