
             AUSCERT External Security Bulletin Redistribution

                    ESB-2004.0537 -- Security Bulletin
       Winamp Skin Vulnerability Allows Execution of Arbitrary Code
                              26 August 2004


        AusCERT Security Bulletin Summary

Product:                Winamp 5.04 and prior
Operating System:       Windows
Impact:                 Execute Arbitrary Code/Commands
Access:                 Remote/Unauthenticated


	Winamp is a multimedia application that plays many popular media 

	A critical vulnerability has been identified in Winamp's handling of
	Winamp skin zip files (.wsz), allowing a remote attacker to execute
	arbitrary code. 

	An XML document in the Winamp skin zip file can reference an HTML 
	document using the "browser" tag, thus allowing it to execute arbitrary
	code in the "Local Computer" zone.


	Winamp 5.04 and prior are vulnerable.


	This vulnerability may be used by an attacker to execute arbitrary
	code on a user's system when the user visits a malicious web site or
	opens a malicious Winamp skin zip file. 

	Depending on the web browser used on the system, this vulnerability 
	may be exploited with minimal user interaction by simply visiting a
	malicious web site without explicitly running Winamp. 

	While not yet confirmed, it may be possible for this vulnerability to 
	be exploited through some email clients, depending upon the HTML 
	rendering engine used.

	Secunia has reported that this vulnerability is being actively 
	exploited in the wild. [1]

	No patch is currently available to fix this vulnerability.

	AusCERT recommends that administrators disable the association of 
	.wsz files within Windows, or use a different application to 
	replace Winamp until an updated version is available.
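
	For triaging skin files already collected from mail or web gateways,
	the following added example (not part of the AusCERT bulletin) lists
	"browser" elements and bundled HTML documents in a .wsz archive
	without extracting or rendering it. The sample archives, attribute
	names and the read cap are constructed assumptions.

```python
import io
import re
import zipfile

# Opening <browser ...> element, any case. A regex is used rather than an XML
# parser because skin XML is not guaranteed to be well-formed.
BROWSER_TAG = re.compile(rb"<\s*browser\b[^>]*>", re.IGNORECASE)
MAX_MEMBER_BYTES = 1024 * 1024  # read cap per member (assumed limit)


def scan_skin(data: bytes) -> dict:
    """Inspect one skin archive (raw bytes) without extracting or rendering it."""
    findings = {"browser_tags": [], "html_members": [], "error": None}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["error"] = "not a zip archive"
        return findings
    with archive:
        for info in archive.infolist():
            name = info.filename.lower()
            if name.endswith((".htm", ".html")):
                findings["html_members"].append(info.filename)
            if name.endswith(".xml"):
                with archive.open(info) as member:
                    body = member.read(MAX_MEMBER_BYTES)
                # Dropping NUL bytes lets the ASCII pattern match UTF-16 text too.
                body = body.replace(b"\x00", b"")
                for match in BROWSER_TAG.finditer(body):
                    tag = match.group(0).decode("latin-1")
                    findings["browser_tags"].append((info.filename, tag))
    return findings


def build_sample(members: dict) -> bytes:
    """Build a constructed in-memory archive for the demonstration below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed samples: element attributes are illustrative, not Winamp's schema.
FLAGGED = build_sample({"skin.xml": '<skin><browser id="b" url="page.html"/></skin>',
                        "page.html": "<html></html>"})
PLAIN = build_sample({"skin.xml": "<skin><layout id='main'/></skin>"})

if __name__ == "__main__":
    for label, blob in (("flagged", FLAGGED), ("plain", PLAIN)):
        print(label, scan_skin(blob))
```

	A non-empty "browser_tags" list marks a skin for manual review; it
	does not by itself establish that the file is malicious.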


	[1] http://secunia.com/advisories/12381/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
