1. Symantec/
  2. Security Response/
  3. Attack Signatures/
  4. HTTP NullSoft Winamp Playlist BO

HTTP NullSoft Winamp Playlist BO

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects attempts to exploit a buffer overflow vulnerability in Winamp using malicious playlist files.

Additional Information

Winamp is a freely available media player from Nullsoft. It is available for the Microsoft Windows platform.

Winamp is susceptible to a buffer-overflow vulnerability. The application fails to properly bounds-check input data before copying it into a fixed-size memory buffer.

This issue presents itself when the application handles a specially crafted playlist (.pls) file. A successful attack can corrupt process memory and facilitate arbitrary code execution.

This issue will facilitate remote exploitation, because an attacker may distribute malicious playlist files and entice unsuspecting users to process them with the affected application.

An attacker may exploit this issue to gain unauthorized access to a computer with the privileges of the user that activated the vulnerable application.

Winamp 5.11 and 5.12 are reportedly affected by this issue.

Affected

  • NullSoft Winamp 5.0 1, 5.0 2, 5.0 3, 5.0 3a, 5.0 4, 5.0 5, 5.0 6, 5.0 7, 5.0 8, 5.0 8c, 5.0 9, 5.0 91, 5.11, 5.12

Response

Workaround:

Reportedly, users can prevent Winamp from automatically launching playlists in Firefox. Also, users can configure Internet Explorer to prompt before downloading a playlist.

For Firefox:

1. Go to Tools > Options > Downloads > View & Edit Actions...

2. Choose the M3U extension.

3. Click 'Remove Action'.

For Internet Explorer:

1. Go to Tools > Folder Options > File Types.

2. Choose the M3U extension.

3. Check 'Confirm after download'.

Solution:
The vendor has released version 5.13 to address this issue.
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube