WinAmp flaw could compromise enterprise security

Internet users are at risk from a previously undiscovered flaw in the popular WinAmp media player, which attackers are actively using to spread malicious code on Windows desktops, according to security researchers.

A problem in the way WinAmp handles "skins" - used to customise the appearance of the application - means attackers can use a specially crafted skin file to execute code on any PC with WinAmp installed.

In Internet Explorer, users merely need to visit a malicious website for the code to be automatically downloaded and executed, according to advice from French security firm K-Otik.

While not as widely used as Windows Media Player or RealPlayer, WinAmp has an installed base of several million, including on corporate desktops, according to the company.

The vulnerability has been confirmed on a fully patched Windows system with WinAmp 5.04 using Internet Explorer 6.0 on Microsoft Windows XP SP1, said Danish security firm Secunia in its own warning.

Version 5.04 was released in late July. Earlier versions of WinAmp 5.x and 3.x are also vulnerable, K-Otik said.

The bug is particularly dangerous because it is already being exploited before the software supplier has had a chance to patch, making it what is known as a "zero-day" exploit.

In June, organised criminals managed to spread malicious code to many Windows desktops via zero-day flaws in Microsoft Internet Information Services (IIS) server and Explorer browser, in an attempt to steal financial information from users of banking sites, security experts said.

K-Otik said it has been receiving reports of exploits since late July, but initially thought the problem was in Explorer.

"This exploit has been used in compromising machines via Internet Relay Chat (IRC) channels [spreading links to] malicious websites, which installed trojans and spyware," K-Otik said.

However, an exploit could be carried out via any method of luring users to a web address, the company said.

Exploitation is carried out through a web page pointing to a malicious skin file (.wsz or .wal) which, once automatically downloaded, launches an XML document capable of executing programs in Windows' "local computer zone", bypassing the greater security restrictions on the "internet zone".

America Online has said it is aware of the bug, but has not yet released a fix. In the absence of a patch, Secunia and K-Otik both recommended switching to another product.

Matthew Broersma writes for
