Beware MP3 Worms!

kinetic · Dec 19, 2002, 01:40 PM

Beware the Latest MP3 Worms

By Michelle Delio |

04:30 PM Dec. 18, 2002 PT

Music file swappers may unknowingly be sharing their computers as well as their favorite tunes.

Two new security vulnerabilities, disclosed late Wednesday, allow an attacker to completely take over a computer system by using malicious music files.

Story Tools

See also
MS Takes Hard Line on Security
Report: Net Not Getting Any Safer
List: Windows, Unix Still at Risk
Read more Technology news
Today's Top 5 Stories
Cities Say No to Federal Snooping
Bye Telemarketing, Hi More Spam?
Beware the Latest MP3 Worms
Peering Through Saturn's Gloom
Chair Wars: It's a Buyer's Market
The first vulnerability is present in the Microsoft Windows XP operating system. This vulnerability can be exploited when a user simply lets the cursor hover over the file icon for the malicious MP3, or opens a folder where the file is stored.

The second is found in Nullsoft's Winamp, a popular Windows media jukebox player.

Both vulnerabilities were discovered by security firm Foundstone, which made fixes immediately available. However, some users report difficulties locating the Winamp fix.

"The ubiquity of file-swapping services makes it the perfect attack vector for a malicious MP3 file," Foundstone CEO George Kurtz said. "That is why it is imperative to patch your systems immediately."

The Windows XP vulnerability, which Microsoft calls "Unchecked Buffer in Windows Shell Could Enable System Compromise," can be exploited through an MP3 or WMA audio file.

The malicious audio file can be placed on a website, sent in an e-mail or stored on a shared network drive.

Users do not need to click on, load or play the audio file to compromise their computers. If a user simply holds the mouse pointer over the icon for the malicious file, or opens the folder where the file is stored, the vulnerable code is activated, Kurtz said.

Once the malicious file's code has been activated, an attacker can gain complete remote control over the affected system, including creating, modifying or deleting data, reconfiguring the system, reformatting the hard drive or running programs of the attacker's choice.

Microsoft advised all users of Microsoft Windows XP to apply the patch immediately.

Microsoft has rated the Windows Shell vulnerability as "critical" under the company's new security rating system, which was instituted last month. Exploits ranked critical are particularly worrisome, as this ranking indicates an "automatic" vulnerability, one that can be activated without a user taking any action, such as clicking on an e-mail attachment.

The second vulnerability affects users of Winamp, a popular media jukebox player for Windows. Again, a malicious MP3 file allows an attacker to take control over an affected system.

The vulnerability is exploited using a long artist ID3v2 tag. If an MP3 with a malformed tag is loaded in Winamp version 2.81, a remote attacker can take over the system.

Foundstone also discovered a similar problem in Winamp 3.0. An attacker can create a malicious MP3 file with malformed ID3v2 tags which, when loaded on the Media Library window, can compromise the computer and allow for remote code execution.

Nullsoft has released fixed versions of Winamp 2.81 and Winamp 3.0. But as of late Wednesday, Nullsoft did not have an alert on its website advising users of the need to download the fixed versions.

Foundstone's alert advises Winamp 2.81 users to upgrade to Winamp 3.0 or re-download Winamp 2.81; the version now on Nullsoft's website has been fixed.

Users of Winamp 3.0 build No. 488 (built Dec. 15) are safe, but users of all other versions of Winamp 3.0 need to re-download the now-fixed version of Winamp 3.0. Users can find version information in the About Winamp3 dialog box.

Dec 19, 2002, 01:40 PM	#1
kinetic DriverHeaven Senior Member Join Date: May 2002 Location: Manchester England Posts: 2,559 Rep Power: 0	Beware MP3 Worms! Beware the Latest MP3 Worms By Michelle Delio \| 04:30 PM Dec. 18, 2002 PT Music file swappers may unknowingly be sharing their computers as well as their favorite tunes. Two new security vulnerabilities, disclosed late Wednesday, allow an attacker to completely take over a computer system by using malicious music files. Story Tools See also MS Takes Hard Line on Security Report: Net Not Getting Any Safer List: Windows, Unix Still at Risk Read more Technology news Today's Top 5 Stories Cities Say No to Federal Snooping Bye Telemarketing, Hi More Spam? Beware the Latest MP3 Worms Peering Through Saturn's Gloom Chair Wars: It's a Buyer's Market The first vulnerability is present in the Microsoft Windows XP operating system. This vulnerability can be exploited when a user simply lets the cursor hover over the file icon for the malicious MP3, or opens a folder where the file is stored. The second is found in Nullsoft's Winamp, a popular Windows media jukebox player. Both vulnerabilities were discovered by security firm Foundstone, which made fixes immediately available. However, some users report difficulties locating the Winamp fix. "The ubiquity of file-swapping services makes it the perfect attack vector for a malicious MP3 file," Foundstone CEO George Kurtz said. "That is why it is imperative to patch your systems immediately." The Windows XP vulnerability, which Microsoft calls "Unchecked Buffer in Windows Shell Could Enable System Compromise," can be exploited through an MP3 or WMA audio file. The malicious audio file can be placed on a website, sent in an e-mail or stored on a shared network drive. Users do not need to click on, load or play the audio file to compromise their computers. If a user simply holds the mouse pointer over the icon for the malicious file, or opens the folder where the file is stored, the vulnerable code is activated, Kurtz said. Once the malicious file's code has been activated, an attacker can gain complete remote control over the affected system, including creating, modifying or deleting data, reconfiguring the system, reformatting the hard drive or running programs of the attacker's choice. Microsoft advised all users of Microsoft Windows XP to apply the patch immediately. Microsoft has rated the Windows Shell vulnerability as "critical" under the company's new security rating system, which was instituted last month. Exploits ranked critical are particularly worrisome, as this ranking indicates an "automatic" vulnerability, one that can be activated without a user taking any action, such as clicking on an e-mail attachment. The second vulnerability affects users of Winamp, a popular media jukebox player for Windows. Again, a malicious MP3 file allows an attacker to take control over an affected system. The vulnerability is exploited using a long artist ID3v2 tag. If an MP3 with a malformed tag is loaded in Winamp version 2.81, a remote attacker can take over the system. Foundstone also discovered a similar problem in Winamp 3.0. An attacker can create a malicious MP3 file with malformed ID3v2 tags which, when loaded on the Media Library window, can compromise the computer and allow for remote code execution. Nullsoft has released fixed versions of Winamp 2.81 and Winamp 3.0. But as of late Wednesday, Nullsoft did not have an alert on its website advising users of the need to download the fixed versions. Foundstone's alert advises Winamp 2.81 users to upgrade to Winamp 3.0 or re-download Winamp 2.81; the version now on Nullsoft's website has been fixed. Users of Winamp 3.0 build No. 488 (built Dec. 15) are safe, but users of all other versions of Winamp 3.0 need to re-download the now-fixed version of Winamp 3.0. Users can find version information in the About Winamp3 dialog box.