My dad forwarded me this article:
I found it interesting. I think I'm relatively safe, between using Opera, SP2, and refusing to upgrade past Winamp 2.80... but I just thought other people here should know about it.
------------------
[16:38] Correction: dick tracy was a real man
[16:38] happydud: Actually... He wasn't.
[19:08] Dormouse: hi, my name's happydud and i'm passive-aggress.. SHUTUP!! *stabs nearby orphan*
[You have gained 3 Dark Side Points]
Quote:
<font face="Verdana, Arial" size="2">
SUMMARY:
Before any security mailing lists got wind of it, personnel from the
greyhat Web site K-Otik.com <http://www.k-otik.com/> discovered and
posted underground exploit code for a new Winamp vulnerability. The
vulnerability involves a specially-crafted Winamp skin file that can
automatically download and execute code on a victim's computer. By
enticing one of your users to a malicious Web page or sending an
HTML e-mail, an attacker could deliver his malicious Winamp skin to
your user's computer and gain total control of the machine. If you
suspect your users have installed Winamp version 5.04 or earlier
(whether or not you officially permit it), you should insist that
they remove Winamp. For other countermeasures, see the Solution
section below.
EXPOSURE:
Winamp, a very popular media player that supports and plays more
than 30 media file types, is used most commonly to play MP3 files.
Although Winamp is not a business application, we've found that many
employees install popular client applications like Winamp without
authorization. Even if Winamp isn't part of your official corporate
desktop image, some of your users probably have it on their systems.
Yesterday, the greyhat Web site K-Otik.com <http://www.k-otik.com>
posted underground exploit code
<http://www.kotik.com/exploits/08252004.skinhead.php>
for a new vulnerability that affects Winamp 5.04 and below. Usually
we report on vulnerabilities discovered by whitehat security
researchers who disclose flaws in order to inform and protect the
public. However, in this case a blackhat hacker calling himself
|silent released his new Winamp exploit to other malicious hackers
on the Internet, specifying that he would not inform Winamp or the
security community. Therefore, Winamp users should consider this a
high-risk vulnerability, since malicious attackers have possessed
exploit code before the security community knew of it.
Winamp's popular skinning ability enables customizing the look and
feel of the application to fit your tastes. The malicious exploit
takes advantage of a design flaw in Winamp's Skin Zip (.wsz) files.
These .wsz files usually consist of a zipped archive containing
files that fall into two main categories: 1) Media files for
customizing Winamp, and 2) XML files that tell Winamp how to apply
the media files. However, |silent discovered that he could also
embed a malicious program within a Winamp skin file and then craft
the XML portion so that Winamp executes it automatically.
Internet Explorer becomes Winamp's unwilling accomplice in this
attack. |silent discovered he could create a Web page so that it
would automatically download an infected Winamp skin as soon as an
Internet Explorer (IE) user visited it. Windows associates .wsz
files with Winamp by default. That means a smart attacker could
maliciously craft his Web site so that if a victim visits the page,
the malicious skin file downloads via IE automatically and executes
in Winamp automatically. In sum, one wrong click could give up your
machine.
SOLUTION PATH:
Since |silent never disclosed this vulnerability directly to
Winamp's creators, Nullsoft, there is no patch correcting this flaw
(although you can bet Nullsoft knows of this issue by now). We plan
on updating this alert if Nullsoft releases a patch.
Today, the only way to totally protect yourself from this flaw is to
remove Winamp. If you do not allow Winamp in your network, consider
taking this opportunity to e-mail your users, citing the Winamp flaw
as another example of why they should not install unauthorized
programs on company-owned computers.
If you choose to continue using Winamp now, these workarounds can
mitigate your exposure to |silent's vulnerability:
* Disassociate the .wsz file type in Windows.
Doing this prevents you from installing any new Winamp skins
automatically. To disassociate .wsz files from Winamp, open
Windows Explorer and click Tools => Folder Options => File Types
tab. Scroll down to locate and highlight the WSZ extension type
(which appears only if you have Winamp installed). Highlight it,
and either click the Delete button to completely remove the WSZ
extension type or click the Change button and select some other
application, such as Notepad, to open .wsz files harmlessly.
* Use another browser besides IE to prevent the automatic
download of the malicious Winamp skin. This is not a feasible
option for everyone. However, other browsers, such as Mozilla
Firefox, prompt the users for some interaction before
automatically downloading |silent's malicious Winamp skin.
* Firebox II, III, X and Vclass users should check below to
learn how to block .wsz files by using their WatchGuard proxy
services.
Though WatchGuard does not recommend installing Windows XP Service
Pack 2, we did test |silent's exploit under SP2. SP2 includes new
secure-browsing features that prevent IE from automatically
downloading certain files. With SP2 installed, the malicious Web
code |silent uses to download a Winamp skin onto your computer does
not work without significant user interaction.
-- For WatchGuard Firebox SOHO Users:
Since most administrators allow their users Web and e-mail access,
the workarounds above are your primary recourse.
-- For WatchGuard Firebox II / III / X Users:
If you're willing to block all Winamp skins, you can use the HTTP
and SMTP proxies to block Winamp's Skin Zip (.wsz) file type. See
below for specific instructions:
* SMTP Proxy
<http://www.watchguard.com/help/lss/70/Proxy/proxies3.htm>
* HTTP Proxy
<http://www.watchguard.com/help/lss/70/Proxy/proxies7.htm>
* Online Training Proxy Module
<http://www.watchguard.com/training/lss/50/Pages/proxies2.htm>
-- For WatchGuard Firebox Vclass Users:
If you're willing to block all Winamp skins from downloading, you
can use the HTTP and SMTP proxies to block Winamp's Skin Zip (.wsz)
file type. See below for specific instructions.
* SMTP Proxy
You'll have to create or adjust a custom Proxy Action based on
SMTP-Incoming in order to strip Winamp skin attachments. If you have
created your own Proxy Action based on SMTP-Incoming, you can edit
it so that it blocks .wsz files. In the Vcontroller software, click
the Proxies button and double-click your custom proxy action. Under
the Content Checking tab, change "Category" to Attachment Filename
and click either the Add to Top or Insert After button (only one or
the other will display). Next, type "WSZ Files" as the new rule's
name, and choose Pattern Match. Next to Pattern Match, type "*.wsz"
and select Strip as the Action. Now you can apply this new Proxy
Action to your SMTP rule to ensure Winamp skin files are blocked.
* HTTP Proxy
You'll have to create or adjust a custom proxy action based on
HTTP-Outgoing in order to strip Winamp skin attachments. If you have
created your own Proxy Action based on HTTP-Outgoing, you can edit
it so that it blocks .wsz files. In the Vcontroller software, click
the Proxies button and double-click your custom proxy action. Under
the Request Headers tab, change "Category" to Header Fields and
click on the Add button. Next, type "WSZ files" as the new rule's
name, and choose Pattern Match. Next to Pattern Match, type "*.wsz"
and select Strip as the Action. Now you can apply this new Proxy
Action to your HTTP proxy action to ensure Winamp skins are blocked.
STATUS:
There is no fix available short of removing Winamp.
REFERENCES:
K-Otik's Exploit Code
<http://www.k-otik.com/exploits/08252004.skinhead.php>
Secunia's Post Concerning the Winamp Vulnerability
<http://secunia.com/advisories/12381>
This alert was researched and written by Corey Nachreiner
</font>
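As an added example, not code from the alert or from Nullsoft: a Python check, of the kind a mail gateway or desktop administrator could run, that opens a .wsz archive and flags members that look like executables rather than the media and XML files a skin is expected to carry. The sample skins are constructed in memory, and the list of expected skin file types is an assumption.

```python
import io
import posixpath
import zipfile

# Member types a legitimate Winamp skin is expected to carry (assumed list).
EXPECTED_EXTENSIONS = {".bmp", ".png", ".cur", ".txt", ".xml", ".ini", ".wav"}
# Extensions Windows executes directly if something launches them from the skin.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js"}
MZ_MAGIC = b"MZ"  # first two bytes of every DOS/PE executable

def inspect_skin(data: bytes) -> list:
    """Return findings for a .wsz archive (empty list means nothing suspicious)."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))  # a .wsz is an ordinary zip
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    for info in archive.infolist():
        if info.is_dir():
            continue
        name = info.filename
        ext = posixpath.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"{name}: executable file type")
        elif ext not in EXPECTED_EXTENSIONS:
            findings.append(f"{name}: unexpected file type")
        with archive.open(info) as member:  # content check catches renamed executables
            if member.read(2) == MZ_MAGIC:
                findings.append(f"{name}: content begins with MZ (executable header)")
    return findings

def build_skin(members: dict) -> bytes:
    """Build an in-memory .wsz from a name -> bytes mapping (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

CLEAN_SKIN = build_skin({"main.bmp": b"BM" + bytes(30), "skin.xml": b"<skin/>"})
SUSPICIOUS_SKIN = build_skin({
    "main.bmp": b"BM" + bytes(30),
    "skin.xml": b"<skin/>",
    "logo.bmp": b"MZ" + bytes(62),   # executable header hiding behind an image name
    "helper.exe": b"MZ" + bytes(62),
})

if __name__ == "__main__":
    for label, skin in (("clean", CLEAN_SKIN), ("suspicious", SUSPICIOUS_SKIN)):
        print(label, inspect_skin(skin) or ["no findings"])
```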