James Delahunty
31 Jan 2006 20:21
Another "extremely critical" security flaw has been found in AOL's Winamp digital media player. It relates to how the player handles filenames that include a computer name. The vulnerability "can be exploited to cause a buffer overflow via a specially crafted playlist containing a filename starting with an overly long computer name," according to an advisory by Secunia. An attack can lead to arbitrary code being run on a user's computer. An exploit has already surfaced for the flaw, which affects version 5 of the software.
Winamp users will be happy to know that there was no time wasted in fixing this flaw. Winamp v5.13 has been released and all users are advised to update immediately. The exploit was created by ATmaCA, and uses a specially crafted playlist file to overflow the player. The PLS file can simply be loaded remotely through an IFRAME on a Web site.
You can download the latest version of Winamp from: https://www.afterdawn.com/software/audio_software/audio_players/winamp_v5.cfm
Source:
Betanews