Two critical holes fixed in Winamp
The new version 5.31 of the Winamp media player fixes two critical security holes that could have allowed a user's machine to be infected with a trojan simply by clicking on an HTML link. According to the security vendor iDefense, the flaws lie in the routine that processes Ultravox Lyrics3 tags in music files and in Winamp's implementation of the Ultravox streaming technology developed by AOL.
Both vulnerabilities are heap overflows and can be triggered either through a manipulated playlist or through the shout: and uvox: URI schemes; in the Ultravox implementation, a malformed ultravox-max-msg header is one of the triggers for the overflow. When the player is installed, these URI schemes are registered with Internet Explorer so that Winamp handles them by default. It therefore makes no difference whether the user ever intends to listen to Ultravox streams: clicking on a link to a rigged web site is enough to become a victim. iDefense confirmed the flaw in Winamp versions 5.24 through 5.30; earlier versions may also be affected.
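The article names the ultravox-max-msg header but does not detail the bug, so the following is an added illustrative model of the general class it belongs to, not Winamp's code: a size advertised by the server in a handshake header is used to allocate a heap buffer, and each later frame carries its own length that must be checked against that allocation. The header name comes from the advisory; the frame layout (2-byte big-endian length plus payload), the 64 KiB ceiling on the advertised size, and all function names are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model only; not Winamp's code. The ceiling is an assumed
 * sane bound on what a server may advertise. */
#define MAX_MSG_CEILING (64u * 1024u)

typedef struct {
    size_t cap;            /* bytes allocated, taken from the header */
    size_t len;            /* bytes of the message currently held */
    unsigned char *buf;
} uvx_stream;

/* Parse an "ultravox-max-msg: N" header line. Returns 0 and sets *out on
 * success; -1 if the line is a different header, N is malformed, signed,
 * zero, above the ceiling, or followed by anything other than CR/LF. */
int uvx_parse_max_msg(const char *line, size_t *out)
{
    static const char key[] = "ultravox-max-msg:";
    size_t klen = sizeof key - 1;
    if (strncmp(line, key, klen) != 0)
        return -1;
    const char *p = line + klen;
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p == '-' || *p == '+')            /* strtoul would accept these */
        return -1;
    char *end = NULL;
    unsigned long v = strtoul(p, &end, 10);
    if (end == p || v == 0 || v > MAX_MSG_CEILING)
        return -1;
    while (*end == '\r' || *end == '\n')
        end++;
    if (*end != '\0')
        return -1;
    *out = (size_t)v;
    return 0;
}

int uvx_open(uvx_stream *s, size_t cap)
{
    if (cap == 0 || cap > MAX_MSG_CEILING)
        return -1;
    s->buf = malloc(cap);
    if (!s->buf)
        return -1;
    s->cap = cap;
    s->len = 0;
    return 0;
}

void uvx_close(uvx_stream *s)
{
    free(s->buf);
    s->buf = NULL;
    s->cap = s->len = 0;
}

/* Consume one frame from data[0..n). Constructed layout: 2-byte big-endian
 * payload length, then payload. Returns bytes consumed (> 0), or 0 if the
 * frame is truncated or its declared length exceeds the buffer the header
 * led us to allocate. Omitting the cap check is the overflow class. */
size_t uvx_push_frame(uvx_stream *s, const unsigned char *data, size_t n)
{
    if (n < 2)
        return 0;
    size_t plen = ((size_t)data[0] << 8) | data[1];
    if (plen > s->cap)                     /* the check that must not be missing */
        return 0;
    if (n - 2 < plen)                      /* truncated frame */
        return 0;
    memcpy(s->buf, data + 2, plen);
    s->len = plen;
    return 2 + plen;
}

/* Process one header line followed by a run of frames. Returns the number
 * of frames accepted, or -1 if the header or any frame is rejected (a real
 * client would drop the connection at that point). */
int uvx_process(const char *header, const unsigned char *frames, size_t n)
{
    size_t cap;
    if (uvx_parse_max_msg(header, &cap) != 0)
        return -1;
    uvx_stream s;
    if (uvx_open(&s, cap) != 0)
        return -1;
    int accepted = 0;
    size_t off = 0;
    while (off < n) {
        size_t used = uvx_push_frame(&s, frames + off, n - off);
        if (used == 0) {
            uvx_close(&s);
            return -1;
        }
        off += used;
        accepted++;
    }
    uvx_close(&s);
    return accepted;
}

int main(void)
{
    /* Constructed sample: the server advertises 16-byte messages. */
    const char *hdr = "ultravox-max-msg: 16\r\n";
    unsigned char good[] = { 0x00, 0x04, 'a', 'b', 'c', 'd',
                             0x00, 0x10, 0, 1, 2, 3, 4, 5, 6, 7,
                             8, 9, 10, 11, 12, 13, 14, 15 };
    /* Hostile frame declaring 1024 bytes against a 16-byte buffer. */
    unsigned char bad[] = { 0x04, 0x00, 'x', 'y' };
    printf("good stream: %d frames accepted\n", uvx_process(hdr, good, sizeof good));
    printf("bad stream:  %d (rejected)\n", uvx_process(hdr, bad, sizeof bad));
    return 0;
}
```

The two checks that matter are the ceiling on the advertised size (so the header cannot force an absurd or zero-length allocation) and the comparison of every frame's declared length against the buffer that was actually allocated; a client that trusts the frame length alone is exactly the class of bug the advisories describe.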
- AOL Nullsoft Winamp Ultravox 'ultravox-max-msg' Header Heap Overflow Vulnerability, Advisory from iDefense
- AOL Nullsoft Winamp Ultravox Lyrics3 v2.00 tags Heap Overflow Vulnerability, Advisory from iDefense