Malicious MP3 or WMA files can compromise system security and allow remote code to be executed, security company Foundstone announced on Wednesday. Under Windows XP it is enough to just browse to the directory with the file or even browse to a malicious website. The file does not have to be opened for the code to be run.
There are also buffer overflow bugs in Winamp v2.81 and Winamp v3.0 in ID3v2 processing that makes it possible to create a malicious MP3 file which executes remote code..
A fix has been issued by Microsoft for the Windows XP vulnerability. Updated versions of Winamp v2.81 and Winamp v3.0 are also available.
Meanwhile RealNetworks has finally managed to issue a patch for their RealOne Player. The flaws were discovered already in November, and Real issued a patch for them late November. The patch, however, didn't do the trick, which forced Real to review the RealOne Player source code thoroughly. The now issued patch should finally fix the flaws.
Source:
Foundstone
ZDNet News
PCWorld
A fix has been issued by Microsoft for the Windows XP vulnerability. Updated versions of Winamp v2.81 and Winamp v3.0 are also available.
Meanwhile RealNetworks has finally managed to issue a patch for their RealOne Player. The flaws were discovered already in November, and Real issued a patch for them late November. The patch, however, didn't do the trick, which forced Real to review the RealOne Player source code thoroughly. The now issued patch should finally fix the flaws.
Source:
Foundstone
ZDNet News
PCWorld
