Nullsoft has issued a fix for a newly discovered security vulnerability affecting Winamp 3.0, 5.0 and 5.0 Pro or newer.

The vulnerability takes advantage of the Winamp Skin installer mechanism coupled with a security hole within the Internet Explorer browser.

To be affected, a user must navigate to a specially crafted web page which automatically installs a malicious Winamp Skin.

This skin launches an embedded Internet Explorer browser within the Skin using a feature of the Winamp Modern Skin Engine. This malicious Winamp Skin then uses the browser to launch a malicious application bundled within the skin.

There have been reports of this exploit in use on the web to automatically install Adware or Spyware applications without the user's consent.

Winamp 5.05 resolves this exploit in two ways:

1. Winamp will now prompt all users with a confirmation window before installing any skins.
2. Winamp will now only extract files considered low risk before loading a Winamp Skin.

We strongly urge ALL Winamp users to upgrade to Winamp 5.05 immediately.

Go to the Winamp Player download page to download the latest version of Winamp.
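
The two fixes listed above (confirm before install, extract only low-risk files) can be sketched as follows. This is an added example, not Nullsoft's code: it assumes the skin package is a ZIP archive, and the extension allowlist, function names and sample archive are all hypothetical.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed allowlist for illustration only; not Nullsoft's actual list.
LOW_RISK_EXTENSIONS = {".xml", ".png", ".jpg", ".bmp", ".txt", ".ttf"}

def classify_entry(name):
    """Return None if the entry may be extracted, else the rejection reason."""
    normalized = name.replace("\\", "/")
    path = PurePosixPath(normalized)
    # Reject absolute paths, parent traversal, drive letters and stream names.
    if path.is_absolute() or ".." in path.parts or ":" in normalized:
        return "unsafe path"
    if path.suffix.lower() not in LOW_RISK_EXTENSIONS:
        return "extension not on allowlist"
    return None

def extract_low_risk(archive_bytes, confirm):
    """Ask for confirmation, then unpack only allowlisted entries (in memory).
    Returns (extracted: name -> bytes, skipped: name -> reason)."""
    if not confirm():  # fix 1: nothing is installed without user consent
        return {}, {}
    extracted, skipped = {}, {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_entry(info.filename)
            if reason:  # fix 2: anything not known to be low risk stays packed
                skipped[info.filename] = reason
            else:
                extracted[info.filename] = zf.read(info)
    return extracted, skipped

def build_sample_skin():
    """Constructed sample archive mixing benign skin files with risky ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("skin.xml", "<skin/>")
        zf.writestr("images/main.png", b"\x89PNG")
        zf.writestr("payload.exe", b"MZ")
        zf.writestr("page.html", "<html></html>")
        zf.writestr("../startup/run.bat", "echo constructed")
    return buf.getvalue()

if __name__ == "__main__":
    done, refused = extract_low_risk(build_sample_skin(), lambda: True)
    print("extracted:", sorted(done))
    print("skipped:", refused)
```

An allowlist fails closed: a file type nobody anticipated is left in the archive, whereas a blocklist of known-dangerous extensions would let it through.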

Comments
on Aug 28, 2004
This news already exists, https://www.wincustomize.com/newsBoard.asp?ID=2642
on Aug 28, 2004
what if you DON'T use IE but another browser ???

on Aug 29, 2004
not sure... I think if you have IE on your system and the old winamp install then you have problems
on Sep 01, 2004
Embedded means embedded
on Sep 04, 2004
thank you