Codec flaws threaten Windows Media Player, Winamp

Share this article:

Updated, Dec. 10 at 5:22 p.m. EST

Researchers today began noticing increased activity on ports directed to media players, a strong indication that attackers are actively screening machines for a new codec vulnerability reported over the weekend.

The "highly critical" vulnerabilities, according to Secunia, are located in 3ivx Technologies' MPEG-4 codec, a required compatibility program used to create and play back MP4 files. The bugs are caused by boundary errors that can lead to stack-based buffer overflows via a maliciously crafted MP4 file.

Experts have seen proof-of-concept code impacting Windows Media Player 6.4, Media Player Classic 6.4.9 and Winamp 5.32 – all older versions of the popular multimedia applications. But other versions are likely vulnerable as well, Ben Greenbaum, senior research manager in Symantec Security Response, told today.

"We see people that are looking for machines that have already been exploited in this fashion or are trying to connect to machines that they think have been successfully exploited," he said.

Greenbaum said that attackers are opting to exploit bugs in media players and the plugins that increase their functionality as organizations and vendors get better at securing operating systems and applications.

"These attacks can be placed on trusted websites and immediately exposed to hundreds of thousands of potential victims," he said. "Lots of websites allow users to incorporate their own content. It's an easy way for attackers to get their exploit up to a site that's going to have a lot of eyes."

The goal of these attacks is usually to drop a secondary payload, such as a bot or trojan, he added.

As users await a patch, businesses should ensure they have policy in place that permits employees to connect to media players only for work purposes, Greenbaum said. In addition, organizations should be running an up-to-date anti-virus solution, an intrusion detection system and endpoint security management tools to help identify and remove vulnerable software.

A spokesperson for 3ivx, which would be responsible for the fix, did not return a request for comment. 

A spokesman for AOL, which owns Winamp, said users should update to the latest version.

"We encourage everyone to upgrade to [version] 5.5, which is actually not vulnerable to the attack," AOL spokesman Kurt Patat told today. "That's people's best bet if they want to avoid the vulnerability."

Mark Miller, director of security response for Microsoft, advised Windows Media Player users to do the same.

"The affected code does not ship in box with any version of Windows or Windows Media Player," he said.



Share this article:

Sign up to our newsletters

More in News

Latest Citadel trick allows RDP access after malware's removal

Latest Citadel trick allows RDP access after malware's ...

Trusteer, an IBM company, said the new Citadel configuration was detected this month.

Cryptoblocker variant emerges, encryption differs from CryptoLocker

Trend Micro has detected a variant of CryptoLocker in the wild that relies on the advanced encryption standard.

Jimmy John's sandwich chain investigating possible breach

Some financial institutions have indicated that credit cards recently used at Jimmy John's locations have been used to make fraudulent purchases.