August 28th, 2004, 04:18 AM
You're right, phishfphreek. Guess I should actually pay attention when I post things like that. Thanks for the added input. :-P
August 28th, 2004, 05:51 AM
Something I noticed with SP2-
IE changes the file extension of the source location in my PoC IFrame from winamp skin zip (.wsz) into a .zip? At least that's what it does when I ask to download the file. Not a big deal, just kinda weird.
I put up a PoC here (http://www.thebillygoatcurse.com/winamp.php) w/o the executable file and malicious skin. All it does is show how it opens Winamp automatically, so those of you thinking this is a "careless downloading" issue, it's not. It's exploitable upon a malicious html page view on SP1. I came upon a group of people talking about how stupid people are downloading malicious skins, so I felt responsible to elaborate a bit on its exploitation.
There is a Winamp upgrade available. But, alternatives exist. I am a huge Winamp fan, but I am more a fan of its skinning ability than anything else.
There is another option here: http://www.foobar2000.org/
I like it for its sexy system tray icon, but rumor has it that it's also very minimalist with resources.
btw: This isn't so much Nullsoft / AOL's fault, more of IE's. I think this is the bulletin being exploited in a "winamp" way.
August 28th, 2004, 06:30 AM
It is half Winamp's fault for setting the WSZ file type to install without user intervention. They didn't think that there was a way a skin could do malicious stuff on the computer, so they decided to completely bypass user intervention and auto-install. Personally, I don't like things working behind my back. Which is why according to my last post, I've deleted the file association. If I want a skin, I'll manually put it into the right directory, etc. But that's just me.
Oh, and a WSZ is actually a collection of images in a ZIP archive if I remember correctly. If SP2 breaks Winamp's automatic file association, then it would in effect secure the computer from installing a skin behind your back (but I don't know about protecting you from a malicious skin). But luckily they apparently took care of that particular vulnerability that escalated the privileges of a malicious skin w/ their latest version. So even if it downloaded behind your back (they also make it prompt now for new ones) it won't take control of your system in that particular way...
August 28th, 2004, 08:44 AM
Doesn't the consumer version of RealPlayer automatically install skins upon download, too? Or am I mistaken? I don't have it installed on any machines here, but I distinctly recall a setting in the preferences which was checked by default which had the skin automatically install. Wouldn't they then be subject to the same sort of exploitation? I've never used any skinning features of RealPlayer (though I absolutely have for Winamp, even made one of my own to match the Windows theme I designed), so I have no idea how the skinning works, but I would think that a similar exploit could be designed for RealPlayer if they have it set up the same way.