Flaw in Winamp MP4 processing disclosed

A hacker posted exploit code for a then-unknown vulnerability in the Winamp media player to the Milw0rm site on Monday.

The bug was disclosed by Marsu, the hacker already in the news for posting exploits in the past week for two flaws in Adobe Photoshop.

Marsu said on Milw0rm that he was still working on the exploit, but had tested the code on a PC running Windows XP with Service Pack 2 installed.

The flaw, which vendor eEye Digital Security ranked as "high" severity, allows an attacker to execute arbitrary code from a remote location, possibly taking full control of a system.

Winamp, created by Nullsoft, is owned by AOL. The company said today that it is working to fix the flaw.

"We are aware of the problem and currently working to resolve it," said Sam Weber, business director for Winamp and Shoutcast.

An exploit for the flaw can be delivered via email or malicious website, according to an eEye advisory, which noted that "exploitation impact can vary from the reported trojan installation to full system compromise by coupling this attack with a privilege escalation vulnerability to acquire system access."

The flaw exists in Winamp version 5.34, according to eEye.

Andre Protas, director of eEye’s Preview research service, said today that MP4 files use the same icon as MP3 files, making it more likely that users will be duped into clicking on them.

"MP4s aren’t going to be as common as MP3s, but they have the same icon, so people will click them just the same if they get an email or surf a malicious site," he said. "A pretty common trend these days is getting into corporate networks through client side attacks…It’s a good foot in the door."

The flaw is caused by a memory corruption error in the libmp4v2.dll module when processing a malformed MP4 file, according to a FrSIRT advisory released Monday. The French vulnerability monitoring organization ranked the flaw as "critical."

Secunia, which released an advisory for the vulnerability today, urged users to not open untrusted MP4 files and ranked the flaw as "highly critical."

Danny Allan, director of security research at Watchfire, said today that the flaw "continues the trend of hackers trying to take the path of least resistance" to access networks.

"This is going down to the age-old problem of not validating input. People want MP3 and MP4 files and they go to the internet to download them," he said. "And it’s a way for them to attack an organization, and almost every organization has MP3 files or MP4 files internally."
