Nullsoft has released Winamp 5.623, a new version of its popular media player application, in order to address three vulnerabilities that could allow remote attackers to execute arbitrary code on people’s computers.
The security flaws were discovered by Dmitriy Pletnev from vulnerability management firm Secunia and an independent researcher named Hossein Lotfi, who reported his finding through the company’s vulnerability coordination reward program (SVCRP).
All three vulnerabilities were confirmed in Winamp 5.622, but older versions could also be affected. They are located in the application’s in_avi.dll and in_mod.dll libraries and can lead to heap-based buffer overflows.
An attacker could exploit these vulnerabilities by tricking victims into opening specially crafted AVI or Impulse Tracker (IT) files. Remote attack vectors include malicious files stored on network shares and WebDAV resources, as well as rogue playlists hosted on the Web.
“The vulnerabilities can be remotely exploited by e.g. on a website hosting a .m3u playlist, which is automatically opened and played by Winamp when viewed,” said Carsten Eiram, Secunia’s chief security specialist.
Winamp 5.623 also fixes other non-security-related bugs in MP3, MP4, AAC and FLAC encoding and decoding components. In addition, it contains miscellaneous tweaks, improvements and optimizations.
Users should keep all of the applications installed on their computers up to date, especially those that can be targeted through browsers. Free tools like the Secunia Personal Software Inspector track thousands of programs and can alert users when security patches are available for them.