Nullsoft has issued a fix for a newly discovered security vulnerability affecting Winamp 3.0, 5.0 and 5.0 Pro or newer.

The vulnerability takes advantage of the Winamp Skin installer mechanism coupled with a security hole within the Internet Explorer browser.

To be vulnerable, a user must navigate to a specifically crafted web page which automatically installs a malicious Winamp Skin.

This skin launches an embedded Internet Explorer browser within the Skin using a feature of the Winamp Modern Skin Engine. This malicious Winamp Skin then uses the browser to launch a malicious application bundled within the skin.

There have been reports of this exploit in use on the web to automatically install Adware or Spyware applications without the users consent.

Winamp 5.05 resolves this exploit in two ways:

Winamp will now prompt all users with a confirmation window before installing any skins.
Winamp will now only extract files considered low risk before loading a Winamp Skin.
We strongly urge ALL Winamp users to upgrade to Winamp 5.05 immediately.

Go to the Winamp Player download page to download the latest version of the Winamp.