Beware That Winamp Skin! Zero-Day Exploits Targets Winamp's Skinning Feature Ryan Naraine
The popular skinning feature in Nullsoft's Winamp media player has left the door wide open for malicious attackers to hijack PCs.
Security researchers at K-Otik discovered the vulnerability and released details of a "Skinhead" zero-day exploit that is already spreading in the wild. The exploit, which targets Winamp versions 3.x and 5.x, is being used to forcefully install spyware (define) and Trojans on infected systems.
Secunia has tagged the flaw as "extremely critical," its highest rating.
Winamp skins have a huge following because they allow users to adopt colorful, customizable, and interchangeable sets of graphics that change the look and feel of the software.
According to an advisory from Secunia, the problem is caused due to insufficient restrictions on Winamp skin zip files (.wsz). It means a malicious Web site could use a specially crafted Winamp skin to place and execute arbitrary programs.
With Microsoft's Internet Explorer browser, this can be done without user interaction.
Analysis of the zero-day exploit shows that attackers are using an XML (define) document in the Winamp skin zip file to reference a HTML document using the "browser" tag and get it to run in the "Local Computer Zone."
"This can be exploited to run an executable program embedded in the Winamp skin file using the 'object' tag and the 'codebase' attribute," Secunia explained.
The vulnerability has been confirmed on a fully patched system with Winamp 5.04 using Internet Explorer 6.0 on Microsoft Windows XP SP1.
PivX Labs, which has also analyzed the attack vector, said that a user visiting a Web site that hosts the Skinhead exploit will have their browser redirected to a compressed Winamp Skin file which has a WSZ file extension, but which in reality is a ZIP file.
The company said the default installation of Winamp registers the WSZ file extension and includes an instruction to Windows and Internet Explorer to automatically open the files. It leads to the fake Winamp skin being automatically loaded into the media player.
