Go Back   Winamp & SHOUTcast Forums > Winamp > Winamp Discussion

Old 27th August 2004, 10:33   #41
ampewin
Member
 
Join Date: Mar 2004
Posts: 68
How do you use your PC? As administrators?

I am using my PC as a user (with full control of the winamp and games directory of course). So although any malicious program could possibly delete my user files or change my user settings it wouldn't be able to make any system wide change. And since most spyware (or active-x controls) want to change system wide settings they will not be able to install or run properly due to limited credentials. And all the changes they would cause would affect only the current user (in other words nothing that can't be corrected by backing up the files and deleting the user profile).

Anyway just my tip on increased security.

As for the exploit it sounds pretty serious. Imagine in the report if you replace winamp with WMP the havoc that this vulnerability could have caused! Judging from the secunia report the problem starts from a "browser" tag in an XML file that references an HTML file etc.

Is it possible to "whitelist" the XML files? I mean have winamp.exe parse the XML file and allow only the tags that could have legal function (eg <bitmap>) and not allow any tags that would not have legal use. I may be wrong but that's how I think of it.
ampewin is offline   Reply With Quote
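
The allowlist idea from post #41, sketched as an added example (not part of the thread and not Nullsoft's code). It assumes a skin is a ZIP archive containing XML files; the tag allowlist, the helper names and the sample skins are constructed for illustration and are not Winamp's real tag set.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumed allowlist for illustration only; not Winamp's real tag set.
ALLOWED_TAGS = {"skin", "elements", "bitmap"}
MAX_XML_BYTES = 1_000_000  # refuse oversized members instead of parsing them


def audit_skin(archive_bytes, allowed=ALLOWED_TAGS):
    """Return sorted (member, reason) findings; an empty list means pass."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".xml"):
                continue
            if info.file_size > MAX_XML_BYTES:
                findings.add((info.filename, "oversized"))
                continue
            data = zf.read(info)
            # Fail closed on DTDs: a skin needs none, and they enable entity tricks.
            if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
                findings.add((info.filename, "dtd"))
                continue
            try:
                root = ET.fromstring(data)
            except ET.ParseError:
                findings.add((info.filename, "unparseable"))
                continue
            # Deny by default: any element not explicitly allowed is a finding.
            for element in root.iter():
                if element.tag not in allowed:
                    findings.add((info.filename, "tag:" + element.tag))
    return sorted(findings)


def make_skin(xml_text):
    """Build a constructed in-memory archive holding a single skin.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("skin.xml", xml_text)
    return buf.getvalue()


# Constructed samples, not real skins.
CLEAN = make_skin('<skin><elements><bitmap id="bg" file="bg.png"/></elements></skin>')
SUSPECT = make_skin('<skin><elements><bitmap id="bg"/></elements><browser/></skin>')

if __name__ == "__main__":
    print(audit_skin(CLEAN))
    print(audit_skin(SUSPECT))
```

Tag names are compared exactly, so a differently cased or namespaced element is reported as well, which errs on the side of rejection.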
Old 27th August 2004, 11:59   #42
Manip
Junior Member
 
Join Date: Dec 2003
Posts: 1
I just want to say, I agree that the links should be removed.. but the post about how it works SHOULDN'T. I hope you got the poster's permission on that one. I thought NullSoft were supposed to be a 'good guy' software company and would expect you guys to solve the problem(s) not to simply hide them and pretend they have gone away. Anyone who would want to develop them has already got the information you're censoring..
Manip is offline   Reply With Quote
Old 27th August 2004, 12:05   #43
CraigF
Passionately Apathetic
Administrator
 
Join Date: May 2000
Location: Hell
Posts: 5,435
uh, it's on every news feed in the world.

you argue that people who want to develop infected skins will already have this information, but you fail to mention why everyone else in the world should have a nice how-to?

Security professionals willing to investigate further are more than aware of sources providing further details, the general public however, would probably prefer this to be safely away from the hands of the script kiddies.

Regardless, a new version should be out later today to fix this exploit.

CraigF is offline   Reply With Quote
Old 27th August 2004, 12:11   #44
Russ
Mostly Harmless
(Alumni)
 
Join Date: Jan 2001
Location: UK
Posts: 2,319
Riiiight... we're the good guys and so we should publish information about how to exploit our users' computers in full view on our web site.

I can't say I follow your logic on that one.

For long you live and high you fly, but only if you ride the tide, and balanced on the biggest wave you race towards an early grave.
|Musicbrainz|Audioscrobbler|last.fm|
Russ is offline   Reply With Quote
Old 27th August 2004, 12:24   #45
inthegray
Major Dude
 
Join Date: Sep 2003
Posts: 704
Quote:
Originally posted by electricmime
in the past, haven't bug fixes been titled with a's and b's..
winamp uses small .01 upgrades (instead of .1), so we don't necessarily have to tack on an extra "a" or "b." we have room to slightly increase the version number.
inthegray is offline   Reply With Quote
Old 27th August 2004, 14:21   #46
talbers
Junior Member
 
Join Date: Aug 2004
Posts: 3
Possible Interim Solution

Couldn't I just dis-associate .WAL files and .WSZ files under Windows Folder Options for now? Then when the new version of Winamp comes out (with the patch for the vulnerability) I can uninstall and install the new version.

Does that make sense?
Would that protect me (and others who do this) in the mean time?

Or am I missing something? (Which it is my experience is often the case.)



Thanks,

Todd
talbers is offline   Reply With Quote
Old 27th August 2004, 14:31   #47
Russ
Mostly Harmless
(Alumni)
 
Join Date: Jan 2001
Location: UK
Posts: 2,319
Yeah, that would fix it.

Russ is offline   Reply With Quote
Old 27th August 2004, 14:32   #48
talbers
Junior Member
 
Join Date: Aug 2004
Posts: 3
To follow up on my post above.....
If I disassociate .WAL and .WSZ files from Windows then I won't be able to download and install new skin files obviously. But, personally, I don't care about that. That's all I would lose right? Then the vulnerability can't be exploited unless I re-associate the .WAL and .WSZ file types..... which I won't do until the next version of Winamp. Again, let me know if I am missing something.
talbers is offline   Reply With Quote
Old 27th August 2004, 14:35   #49
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,780
Maybe... though it's possible that winamp just automatically re-registers them when you close & reopen it.

Maybe it won't if you uncheck "restore associations at startup" in Winamp Prefs > File Types? (also, if Agent is enabled, you'll need to uncheck: Maintain associations).

However, I think my temporary solution posted further up is the better one... ie. make the browser prompt you first. This way, you can install skins that you know are safe (ie. from a trusted source) and cancel any from an untrusted source (ie. ones that try to install when you clicked on a jpg or php link in mirc).

Besides all this, 5.05 should be with us before the end of the day, and this whole issue will then be moot.


[Edit]
wow, lots of quick posts...
Yes, you'll still be able to install skins
(ie. direct links to wal & wsz files on winamp.com etc)
by right-clicking the download link
and selecting "save target/link as"
and saving the file to the winamp/skins folder
and then selecting it from the winamp menu.
DJ Egg is offline   Reply With Quote
Old 27th August 2004, 14:36   #50
Russ
Mostly Harmless
(Alumni)
 
Join Date: Jan 2001
Location: UK
Posts: 2,319
For the vulnerability to be exploited, the skin file has to be opened in Winamp. If the files aren't associated with Winamp, it won't be able to open them, and so you're safe.

Russ is offline   Reply With Quote
Old 27th August 2004, 14:39   #51
talbers
Junior Member
 
Join Date: Aug 2004
Posts: 3
"Besides all this, 5.05 should be with us before the end of the day, and this whole issue will then be moot."

Ah. Cool. I will just get 5.05 since it is coming out so soon. In the mean time I just deleted the file associations. I don't download new skin files, so I don't have any need for them for now.

Thanks!

Todd
talbers is offline   Reply With Quote
Old 27th August 2004, 15:42   #52
ampewin
Member
 
Join Date: Mar 2004
Posts: 68
So winamp 5.04 was not the "final edition for now" after all.
ampewin is offline   Reply With Quote
Old 27th August 2004, 16:12   #53
DaWolfey
Junior Member
 
Join Date: Aug 2004
Posts: 18
Good to see that my original post was not in vain

Good work nullsoft!
DaWolfey is offline   Reply With Quote
Old 27th August 2004, 18:45   #54
1nfinite
Junior Member
 
Join Date: Aug 2004
Posts: 1
found this while searching... there's some sites teaching people how to do it.. i found the xml code they use.. here it is

also here is the site i found it on.

[Edit --> DJ Egg] crap removed. read thread before posting. 5.05 t minus x [/edit]
1nfinite is offline   Reply With Quote
Old 27th August 2004, 21:36   #55
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,780
http://www.winamp.com/player/
http://download.nullsoft.com/winamp/...mp505_full.exe

End of discussion
DJ Egg is offline   Reply With Quote
Old 30th August 2004, 19:43   #56
Kalter Rauch
Junior Member
 
Join Date: Nov 2003
Location: Neuschwabenland
Posts: 21
I'm in the pipeline......5.05!!!

Sooo...I'm now going to get a weird dark skin off this new flick coming out......LUFT KAPITÄN UND DER WELT VON MORGEN (Sky Captain and the World of Tomorrow).
http://www.skycaptain.com/

Last edited by Kalter Rauch; 30th August 2004 at 20:03.
Kalter Rauch is offline   Reply With Quote
Old 21st October 2004, 00:48   #57
rerun
Junior Member
 
Join Date: Oct 2004
Posts: 1
can we still be affected by the skin exploit if winamp is not running? are we safe just as long as winamp is not open? this is concerning the people that do not have winamp 5.05. thanks for any help.
rerun is offline   Reply With Quote
Old 21st October 2004, 01:22   #58
Nunzio390
Nugatory Aluminator
Look it up

 
Join Date: Oct 2002
Location: Tharsis Ridge (Martian lowlands)
Posts: 8,590
Quote:
Originally posted by rerun
can we still be affected by the skin exploit if winamp is not running? are we safe just as long as winamp is not open? this is concerning the people that do not have winamp 5.05. thanks for any help.
rerun...

Are you saying that you are one of the "people" you mentioned above who hasn't upgraded to 5.05 yet? Is that what you are trying to say? If so, then you definitely should upgrade to 5.05 Full because it fixes many bugs and security issues, including this major security issue (article #1) that still exists in older Winamp releases (also mentioned in more detail here) (article #2).

Can you still be affected by the skin exploit if Winamp is not running? Are you safe just as long as Winamp is not open?

I would say that you are not safe and can still be affected, based on what is covered in the 2 articles I linked to above.

Upgrade, dude. Upgrade. Why take chances?

Don't email or PM me concerning Winamp. Instead, either start a NEW TOPIC or post a REPLY in the appropriate thread in these forums. This will also benefit others who may have a similar question or problem. But before posting, please first Search the forums and read all FAQs and all Sticky threads.

Nunzio390 is offline   Reply With Quote
Old 21st October 2004, 02:27   #59
mikm
Major Dude
 
Join Date: May 2001
Location: somewhere else
Posts: 1,255
Because 5.05 secretly installs a program that transfers money from your bank account to those of the former members of the WA dev team. They created this security hole to give users an urgent reason to upgrade.

Why else do you think they were able to retire so early?

powered by C₂H₅OH
mikm is offline   Reply With Quote