
Winamp Update Fixes Big Security Hole

America Online has released a new update for Winamp that closes a critical security hole in the popular music and video player.

The patch mends a flaw for which instructions were released last week, showing would-be attackers how to use the flaw to break into computers running Winamp. If you are using Winamp and want to keep doing so, it's time to download and install the update. The last two versions (Winamp 5.12 and 5.13) prior to the latest release -- version 5.2 -- are vulnerable. Yeah, yeah, I know you just updated a couple of weeks ago, when AOL released a new version to fix other critical security flaws, right? Well, too bad.

The advisory released by the researcher says he discovered the exploit back in July, but AOL only learned of the exploit code's existence this week when a hacker posted his exploit code online. (My guess is this guy wanted the credit after NSFocus issued its advisory about the flaw, which it alerted AOL to on Feb. 13.)

The implication here is that certain elements of the underground community not only knew about the Winamp vulnerability for seven months, but also knew of a method for exploiting it to gain access to machines running the software. It would be nice if this were an isolated incident, but the reality is that this sort of thing happens all the time with widely used software.

Update, 1:24 p.m. ET: An AOL spokesperson just sent me an e-mail saying that I may have overstated the severity of the exploit that dates back to mid-2005. "The vulnerability that existed post-5.13 has not been proven to allow malicious access, only denial of service i.e. crashing the application." My response: it's important to keep in mind that software weaknesses that allow attackers to crash an application frequently also allow remote execution of code; in many instances, whether or not that is proven to be the case depends on how much time researchers are willing to dedicate to their proof-of-concept examples.

By Brian Krebs  |  February 24, 2006; 9:50 AM ET
Categories: Latest Warnings, New Patches, Safety Tips


© 2010 The Washington Post Company