petera used our news submit to tell us of the confirmation of the security bug fix in Winamp 3.x and 5.x.
| Nullsoft has issued a fix for a newly discovered security vulnerability affecting Winamp 3.0, 5.0 and 5.0 Pro or newer. The vulnerability takes advantage of the Winamp Skin installer mechanism coupled with a security hole within the Internet Explorer browser. To be vulnerable, a user must navigate to a specifically crafted web page which automatically installs a malicious Winamp Skin. This skin launches an embedded Internet Explorer browser within the Skin using a feature of the Winamp Modern Skin Engine. This malicious Winamp Skin then uses the browser to launch a malicious application bundled within the skin. There have been reports of this exploit in use on the web to automatically install Adware or Spyware applications without the users consent. Winamp 5.05 resolves this exploit in two ways: - Winamp will now prompt all users with a confirmation window before installing any skins.
- Winamp will now only extract files considered low risk before loading a Winamp Skin. We strongly urge ALL Winamp users to upgrade to Winamp 5.05 immediately.
 |
Thank you petera, for bringing this news to our attention. Not only is this an excellent description of the problem, we also can now know for sure that it has been resolved. Those of us that use the player and especially if you have modern skin support enabled, head on over and get this latest edition. Version 5.05.
Source: Winamp