Winamp Squashes Critical Security Bug

Amid doubts about its commitment to the multiformat music and video player, America Online's Nullsoft unit quietly rolls out a major security update.

America Online Inc.s Nullsoft unit has quietly rolled out a new version of the popular Winamp media player to plug multiple critical flaws that put users at risk of code execution attacks.

The fixes were included in Winamp version 5.08c after a warning was issued last November by private research firm

The bug was described as a boundary error in the "IN_CDDA.dll" file which could be exploited by a malicious hacker using a malformed .m3u file.

"When hosted on a Web site, these files will be automatically downloaded and opened in Winamp without any user interaction. This is enough to cause the overflow that would allow a malicious playlist to overwrite EIP and execute arbitrary code," warned.

Nullsoft said the new Winamp version also fixes a critical vulnerability in "in_mp4.dll," "enc_mp4.dll" and "libmp4v2.dll."

Its the second time in recent months that Nullsoft has been forced to plug a critical vulnerability in its skinnable, multiformat music/media player.

It also comes amid doubts about America Onlines commitment to the product created by Justin Frankel and acquired in 1999 for about $100 million.

Late last year, the last members of the original Winamp team resigned from AOL, leaving only a handful of employees to push out minor updates.

However, a spokeswoman for the Dulles, Va.-based AOL insisted that Winamps unique community appeal is an important part of the media companys music and radio offerings.

"We are currently working on the road map for the coming year with new resources and development plans as well as ongoing programming and promotions. We continue to make regular updates and fixes to the product," the spokeswoman told

She said the Winamp player has about 4.5 million unique users per month and that the premium version, which offers ripping and burning features, is selling very well, surpassing 70,000 units sold.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.