Winamp & Shoutcast Forums


MegaRock 31st August 2004 22:15

Security Flaw in Winamp Discovered
 
A vulnerability has been reported in Winamp, which can be exploited by malicious people to compromise a user's system.

The problem is caused due to insufficient restrictions on Winamp skin zip files (.wsz). This can e.g. be exploited by a malicious website using a specially crafted Winamp skin to place and execute arbitrary programs. With Internet Explorer this can be done without user interaction.

An XML document in the Winamp skin zip file can reference a HTML document using the "browser" tag and get it to run in the "Local computer zone". This can be exploited to run an executable program embedded in the Winamp skin file using the "object" tag and the "codebase" attribute.

NOTE: The vulnerability is reportedly being exploited in the wild.

The vulnerability has been confirmed on a fully patched system with Winamp 5.04 using Internet Explorer 6.0 on Microsoft Windows XP SP1.

Posted from Neowin
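
A defensive check for the pattern the advisory text above describes, as an added example that is not part of the original thread and is not Nullsoft's code: it lists which members of a skin archive carry a "browser" tag, an "object" tag with a "codebase" attribute, or an executable extension. The function names, the extension lists, the size limit and both sample archives are constructed for illustration.

```python
import io
import re
import zipfile

# Traits named in the advisory text: a "browser" tag in the skin XML, and an
# "object" tag with a "codebase" attribute in an HTML document.
BROWSER_TAG = re.compile(rb"<\s*browser\b", re.I)
OBJECT_CODEBASE = re.compile(rb"<\s*object\b[^>]*\bcodebase\s*=", re.I | re.S)
EXEC_EXT = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".dll")  # assumed list
MARKUP_EXT = (".xml", ".htm", ".html")
MAX_MARKUP_BYTES = 1_000_000  # assumed limit; larger markup members are skipped


def audit_skin(data: bytes) -> dict:
    """Return the archive members of a .wsz (zip) file that match each trait."""
    report = {"browser_xml": [], "object_codebase": [], "executables": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith(EXEC_EXT):
                report["executables"].append(info.filename)
            if not name.endswith(MARKUP_EXT) or info.file_size > MAX_MARKUP_BYTES:
                continue
            body = zf.read(info)
            if BROWSER_TAG.search(body):
                report["browser_xml"].append(info.filename)
            if OBJECT_CODEBASE.search(body):
                report["object_codebase"].append(info.filename)
    return report


def is_suspicious(report: dict) -> bool:
    """A skin that embeds a browser AND ships an object/codebase page or a program."""
    return bool(report["browser_xml"]
                and (report["object_codebase"] or report["executables"]))


def build_sample(files: dict) -> bytes:
    """Build an in-memory zip so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples; attribute names and file names are placeholders.
FLAGGED = build_sample({"skin.xml": b'<browser id="b" url="page.html"/>',
                        "page.html": b'<OBJECT codebase="sample.exe"></OBJECT>',
                        "sample.exe": b"placeholder bytes, not a program"})
CLEAN = build_sample({"skin.xml": b"<layout id='normal'/>", "main.bmp": b"BM"})
```

The regular expressions read raw bytes, so markup stored as UTF-16 would need decoding before it is scanned.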

dylman 31st August 2004 22:21

Winamp 5.05 has been released which addresses this vulnerability.

http://forums.winamp.com/showthread....hreadid=191604
http://forums.winamp.com/showthread....hreadid=190902

This exploit was both discovered and patched last week, by the way. :)

drewbar 31st August 2004 22:29

<valley girl>
That is SO last week. Like, get with the time MegaRock.
</valley girl>

Mr Jones 31st August 2004 22:34

Sorry, this has been dealt with in numerous other threads, most noticeably this one...

http://forums.winamp.com/showthread....hreadid=190902

And this front page news article.
http://www.winamp.com/about/article.php?aid=10605

And as the issue has now been resolved with the release of 5.05 this topic is moot, and locked.

Bilbo Baggins 31st August 2004 22:46

I was going to lock this, but got distracted. When I refreshed. Bam.


All times are GMT.