AfterDawn: Tech news

Critical Winamp security flaw found and fixed

Written by James Delahunty @ 31 Jan 2006 20:21

Another "extremely critical" security flaw has been found in AOL's Winamp digital media player. It relates to how the player handles filenames that include a computer name. The vulnerability "can be exploited to cause a buffer overflow via a specially crafted playlist containing a filename starting with an overly long computer name," according to an advisory by Secunia. An attack can lead to arbitrary code being run on a user's computer. An exploit has already surfaced for the flaw, which affects version 5 of the software.
Winamp users will be happy to know that there was no time wasted in fixing this flaw. Winamp v5.13 has been released and all users are advised to update immediately. The exploit was created by ATmaCA, and uses a specially crafted playlist file to overflow the player. The PLS file can simply be loaded remotely through an IFRAME on a Web site.
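
A defensive check for the pattern the advisory describes, added here as an example (not code from Secunia, Winamp or the article): it scans a PLS playlist for `FileN=` entries whose UNC computer name is implausibly long. The 255-character limit, the function name and the sample playlist are assumptions made for illustration.

```python
import re

# Assumption: no legitimate DNS/NetBIOS computer name is longer than 255
# characters; the advisory quoted above does not state the triggering length.
MAX_HOST_LEN = 255

# PLS entries look like "File1=<path or URL>".
_FILE_ENTRY = re.compile(r"^\s*File(\d+)\s*=\s*(.*?)\s*$", re.IGNORECASE)
# Assumption: the computer name appears as the first component of a UNC
# path (\\computer\share\... or //computer/share/...).
_UNC_HOST = re.compile(r"^(?:\\\\|//)([^\\/]*)")


def suspicious_entries(pls_text, max_host_len=MAX_HOST_LEN):
    """Return (entry_number, host_length) for each FileN= entry whose UNC
    computer-name component is longer than max_host_len."""
    hits = []
    for line in pls_text.splitlines():
        entry = _FILE_ENTRY.match(line)
        if not entry:
            continue
        unc = _UNC_HOST.match(entry.group(2))
        if unc and len(unc.group(1)) > max_host_len:
            hits.append((int(entry.group(1)), len(unc.group(1))))
    return hits


# Constructed sample playlist (not taken from the exploit): entry 2 has a
# 1000-character computer name, the other entries are ordinary.
SAMPLE_PLS = "\n".join([
    "[playlist]",
    r"File1=\\mediaserver\music\track01.mp3",
    "File2=\\\\" + "h" * 1000 + r"\share\track02.mp3",
    "File3=http://example.com/stream.mp3",
    r"File4=C:\Music\track04.mp3",
    "NumberOfEntries=4",
    "Version=2",
])

if __name__ == "__main__":
    for number, length in suspicious_entries(SAMPLE_PLS):
        print(f"File{number}: computer name is {length} characters long")
```

A mail or web gateway could run the same check on `.pls` attachments and downloads before they reach a player that has not yet been updated to v5.13.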

You can download the latest version of Winamp from:



5 user comments

#1 - 1.2.2006 2:34

I'm glad that they got to it quick but I find it to be a nifty lil trick :)

#2 - 1.2.2006 2:49

Might help if you put a little more detail here so ppl know what you're talking about.

#3 - 1.2.2006 10:17

@Mr_Taz_UK Mate, this is a comment I made after reading the news article that comes with it. U can find it here. After reading the article it will make more sense :)

Edited by DVDBack23

"the mediocre teacher tells. the good teacher explains. the superior teacher demonstrates. the great teacher inspires." - William Arthur Ward

#4 - 2.2.2006 0:31

Ah, I'll get my coat. Weird thing is I opened your post in the 'threads without a reply' section and the news article was not with it. One fer the staff here to look at maybe. Soz for the confusion.

#5 - 2.2.2006 1:06

No problem mate, well it's always good for the members to find a glitch to help the admin out :) No worries
