Winamp Media Player Opens Windows to System Hijacking

An attacker could exploit the flaw with a malicious MP4 file to trigger the buffer overflow.

Even as Microsoft prepared to release critical updates for flaws in multimedia frameworks and APIs, proof-of-concept exploit code came out over the weekend that shows how an attacker can target Winamp, the multiformat media player from Nullsoft that runs on Windows and is second only to Windows Media Player in worldwide popularity.

Symantec on Dec. 8 produced a security advisory warning that attackers can take over systems due to a vulnerability in how Winamp processes some MP4 files. Nullsoft has since addressed the issue, which boils down to a buffer overflow problem, in Winamp 5.35. The problem affects Winamp 5.02 through 5.34.

An attacker would exploit the flaw by putting together a malicious MP4 file to trigger the buffer overflow. According to Symantec, the file could include replacement memory addresses, arbitrary code and NOP (No Operation) instructions, which are assembly language instructions that do nothing besides consume CPU clock cycles.

Such a rigged file could be distributed via e-mail or other means. A successful exploit could give an attacker full control of a system. Symantec hasn't yet seen any exploits in the wild.

Symantec is advising users that if they can't immediately install the patch, they should deploy network intrusion detection to monitor network traffic for suspect activity, including NOP commands and unexplained traffic that may originate from exploitation attempts or a successful system takeover.
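As an added illustration (not code from Symantec's advisory or from Nullsoft), the sketch below applies the NOP-run heuristic mentioned above to a buffer such as an MP4 file or a reassembled network payload, and reports which top-level MP4 box each run falls in. The 32-byte threshold, the function names and the sample buffers are assumptions constructed for this example.

```python
import re
import struct

MIN_RUN = 32  # assumed threshold; tune it against your own media corpus

def find_nop_runs(data: bytes, min_run: int = MIN_RUN):
    """Return (offset, length) for each run of >= min_run x86 NOP (0x90) bytes."""
    pattern = re.compile(b"\x90{%d,}" % min_run)
    return [(m.start(), m.end() - m.start()) for m in pattern.finditer(data)]

def top_level_boxes(data: bytes):
    """Yield (type, start, end) for top-level MP4 boxes; stop at a bad size."""
    pos = 0
    while pos + 8 <= len(data):
        size, kind = struct.unpack_from(">I4s", data, pos)
        header = 8
        if size == 1:                       # 64-bit size follows the type field
            if pos + 16 > len(data):
                break
            size = struct.unpack_from(">Q", data, pos + 8)[0]
            header = 16
        elif size == 0:                     # box extends to end of file
            size = len(data) - pos
        if size < header or pos + size > len(data):
            break                           # truncated or inconsistent box
        yield kind.decode("latin-1"), pos, pos + size
        pos += size

def scan(data: bytes, min_run: int = MIN_RUN):
    """Return one finding per NOP run: offset, length and enclosing box type."""
    boxes = list(top_level_boxes(data))
    findings = []
    for off, length in find_nop_runs(data, min_run):
        box = next((k for k, s, e in boxes if s <= off < e), None)
        findings.append({"offset": off, "length": length, "box": box})
    return findings

def make_box(kind: bytes, payload: bytes) -> bytes:
    """Build a box with a 32-bit size header (helper for the samples below)."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

# Constructed sample buffers: not real media, and no executable payload.
FTYP = make_box(b"ftyp", b"isom\x00\x00\x02\x00isommp41")
CLEAN = FTYP + make_box(b"free", b"\x00" * 64)
SUSPECT = FTYP + make_box(b"mdat", b"\x11" * 10 + b"\x90" * 200 + b"\x00" * 4)

if __name__ == "__main__":
    for name, buf in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, scan(buf))
```

Long runs of 0x90 can also occur in legitimate compressed media, so treat a hit as a triage signal rather than a verdict.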

Also, Symantec is warning users to stay away from files coming from untrusted or unknown sources—particularly when it comes to using Winamp to load such files.

The patched version, Winamp 5.35, is available for download from Nullsoft.
