Date: 26 August 2004
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
ESB-2004.0537 -- Security Bulletin
Winamp Skin Vulnerability Allows Execution of Arbitrary Code
26 August 2004
AusCERT Security Bulletin Summary
Product: Winamp 5.04 and prior
Operating System: Windows
Impact: Execute Arbitrary Code/Commands
Winamp is a multimedia application that plays many popular media
A critical vulnerability has been identified in Winamp's handling of
Winamp skin zip files (.wsz), allowing a remote attacker to execute
An XML document in the Winamp skin zip file can reference a HTML
document using the "browser" tag thus allowing it to execute arbitrary
code in the "Local Computer" zone.
Winamp 5.04 and prior are vulnerable.
This vulnerability may be used by an attacker to execute arbitrary
code on a user's system when the user visits a malicious web site or
opens a malicious Winamp skin zip file.
Depending on the web browser used on the system, this vulnerability
may be exploited with minimal user interaction by simply visiting a
malicious web site without explicitly running Winamp.
While not yet confirmed, it may be possible for this vulnerability to
be exploited through some email clients, depending upon the HTML
rendering engine used.
Secunia has reported that this vulnerability is being actively
exploited in the wild. 
No patch is currently available to fix this vulnerability.
AusCERT recommends that administrators disable the association of
.wsz files within Windows, or use a different application to
replace Winamp until an updated version is available.
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----