Winamp Update Fixes Big Security Hole
America Online has released a new update for Winamp that closes a critical security hole in the popular music and video player.
The patch mends a flaw for which instructions were released last week showing would-be attackers how to use it to break into computers running Winamp. If you are using Winamp and want to keep doing so, it's time to download and install the update. The last two versions (Winamp 5.12 and 5.13) prior to the latest release -- version 5.2 -- are vulnerable. Yeah, yeah, I know you just updated a couple of weeks ago, when AOL released a new version to fix other critical security flaws, right? Well, too bad.
The advisory released by the researcher says he discovered the exploit back in July, but AOL only learned of the exploit code's existence this week when a hacker posted his exploit code online. (My guess is this guy wanted the credit after NSFocus issued its advisory about the flaw, which it alerted AOL to on Feb. 13.)
The implication here is that certain elements of the underground community not only knew about the Winamp vulnerability for seven months, but also knew of a method for exploiting it to gain access to machines running the software. It would be nice if this were an isolated incident, but the reality is that this sort of thing happens all the time with widely used software.
Update, 1:24 p.m. ET: An AOL spokesperson just sent me an e-mail saying that I may have overstated the severity of the exploit that dates back to mid-2005. "The vulnerability that existed post-5.13 has not been proven to allow malicious access, only denial of service i.e. crashing the application." My response: it's important to keep in mind that software weaknesses that allow attackers to crash an application frequently also allow remote execution of code; in many instances, whether or not that is proven to be the case depends on how much time researchers are willing to dedicate to their proof-of-concept examples.
The comments to this entry are closed.