Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.Winamp Playlist Buffer Overflow
Systems Affected
Microsoft Windows systems with Winamp 5.13 or earlier
Overview
America Online has released Winamp 5.2 to correct a buffer overflow vulnerability. Exploitation of this vulnerability could allow a remote attacker to execute arbitrary code with the privileges of the user.
Description
Winamp is a media player that is commonly used to play MP3 files. Winamp 5.2 resolves a buffer overflow vulnerability in how playlist files are handled. Details are available in the following Vulnerability Note:
VU#604745 - Winamp fails to properly handle playlists with long computer names
Winamp contains a buffer overflow vulnerability when processing a playlist that specifies a long computer name. This may allow a remote unauthenticated attacker to execute arbitrary code on a vulnerable system.
Impact
By convincing a user to open a specially crafted playlist file, a remote unauthenticated attacker may be able to execute arbitrary code with the privileges of the user. Winamp may open a playlist file without any user interaction as the result of viewing a web page or other HTML document.
Solution
Upgrade
Upgrade to Winamp 5.2.
Appendix A. References
- US-CERT Vulnerability Note VU#604745 - http://www.kb.cert.org/vuls/id/604745
- CVE-2006-0476 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0476
- National Vulnerability Database (CVE-2006-0476) - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-0476
- WINAMP.COM | Player | Version History - http://www.winamp.com/player/version_history.php
- WINAMP.COM | Player - http://www.winamp.com/player
Feedback can be directed to the US-CERT Technical Staff
Produced by US-CERT, a government organization. Terms of use
Revision History
-
February 1, 2006: Initial release
February 23, 2006: Changed Winamp version to 5.2Last updated
This product is provided subject to this Notification and this Privacy & Use policy.