In association with heise online

22 March 2007, 14:14

Specially prepared skins inject malicious code into XMMS media player


Manipulated skins for the XMMS Open Source media player reportedly allow malicious code to be injected into a system and launched with the user's rights. According to security service provider Secunia, two flaws in the routine that processes skins can allow certain skins to cause an integer underflow and an integer overflow. As a result, arbitrary code can be written into memory. However, victims still have to download the malicious skin, select it with the skin browser, and load it for the attack to succeed.

The flaw was found in the current version 1.2.10 of XMMS, but previous versions are probably also affected. No patch has been made available even though Secunia informed the Linux distributors of the problem back on February 6. The service provider therefore suggests a workaround: do not install any skins from untrustworthy sources.
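The two bug classes named above, integer underflow and integer overflow while parsing an untrusted skin file, are both closed by validating header values before any size arithmetic. The following C sketch is an added example, not XMMS code or Secunia's analysis; the header layout, field names and the `SKIN_MAX_DIM` limit are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical header fields read from an untrusted skin image file.
   Names and layout are assumptions, not XMMS structures. */
struct skin_image_hdr {
    uint32_t file_size;    /* total bytes the file claims to contain */
    uint32_t data_offset;  /* where the pixel data starts */
    int32_t  width;        /* signed, as in many image formats */
    int32_t  height;
    uint16_t bytes_per_px;
};

#define SKIN_MAX_DIM 4096  /* assumed sanity limit for a skin bitmap */

/* Returns 0 and stores the pixel buffer size in *out_len when the header
   is consistent; returns -1 when any size computation would wrap. */
int skin_pixel_bytes(const struct skin_image_hdr *h, size_t *out_len)
{
    /* Underflow guard: file_size - data_offset wraps to a huge unsigned
       value when the offset lies beyond the end of the file. */
    if (h->data_offset > h->file_size)
        return -1;
    uint32_t avail = h->file_size - h->data_offset;

    /* Reject negative, zero or oversized dimensions before multiplying. */
    if (h->width <= 0 || h->height <= 0 ||
        h->width > SKIN_MAX_DIM || h->height > SKIN_MAX_DIM)
        return -1;
    if (h->bytes_per_px == 0 || h->bytes_per_px > 4)
        return -1;

    /* Overflow guard: multiply in 64 bits, then require that the result
       fits in the data actually present in the file. */
    uint64_t need = (uint64_t)h->width * (uint64_t)h->height * h->bytes_per_px;
    if (need > avail)
        return -1;

    *out_len = (size_t)need;
    return 0;
}

int main(void)
{
    /* Constructed sample: data offset lies past the claimed file size. */
    struct skin_image_hdr bad = { 40, 54, 16, 16, 4 };
    size_t n = 0;
    return skin_pixel_bytes(&bad, &n) == -1 ? 0 : 1;
}
```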
