WinAmp bug opens door to MP3 viruses A glitch with the popular WinAmp software for playing digital music files could allow an attacker to embed malicious code into an MP3 file, potentially damaging the user's PC and infecting other MP3s. Nullsoft, which makes WinAmp, has confirmed the vulnerability, which does not affect the newest version of the software. Version 2.80 of WinAmp is available on NullSoft's Web site. The problem can also be fixed by disabling WinAmp's minibrowser. The weakness is particularly dangerous because MP3 files are generally considered safe, and hundreds of thousands of users frequently trade them with unknown Internet users via file-swapping services such as Kazaa and Morpheus. A bug in the code of WinAmp 2.79 allows a specially formed data tag in an MP3 file to cause a buffer overrun in the application, which could be exploited to run any piece of code the attacker wishes. The glitch was posted to the BugTraq security mailing list on Friday by Andreas Sandblad, a Swedish engineering student. The code can be embedded in the ID3v2 tag used by some MP3 files to carry information on a song track, such as artist, album and genre. When WinAmp plays the track, it automatically tries to query the WinAmp Web site using the information in the tag. According to Sandblad, the buffer overflow occurs when the URL to be sent to the minibrowser is created, meaning that the exploit can be carried out even if an Internet connection isn't present. However, disabling the minibrowser prevents the attack. --- i never use the web browser on winamp, do you?
I like the visualization feature with Winamp. I just load up some techno, pop some glow pills in my mouth, crank up the volume and presto, I've got The Roxy in my office.
man... I heard that boomboom. winamp's visualization feature is ultra trippy. I like to create my own...
