Nullsoft closes multiple Winamp vulnerabilities
The Nullsoft developers have released version 5.6 of their Winamp media player, adding a number of new features and addressing multiple security vulnerabilities. According to security specialist Secunia, the latest stable update fixes two "highly critical" bugs in the software that could be exploited by an attacker to compromise a user's system.
An integer overflow issue exists in the "in_nsv.dll" plug-in that can be exploited to cause a heap-based buffer overflow, possibly leading to the execution of arbitrary code on a victim's system. For an attack to be successful, a victim must first open a specially crafted stream or file. Additionally, the update fixes a second integer overflow in "in_midi" that could lead to buffer overflows.
Further information about the update can be found in the release announcement post on the Winamp Forums and in the change log. Winamp 5.6, Build 3080 (188.8.131.5280), is available to download for Windows. All users are advised to upgrade to the latest release as soon as possible.
- Winamp Multiple Vulnerabilities, security advisory from Secunia.