A glitch with the popular Winamp software for playing digital music files could allow an attacker to embed malicious code into an MP3 file, potentially damaging the user's PC and infecting other MP3s.
Nullsoft, which makes Winamp, has confirmed the vulnerability, which does not affect the newest version of the software. Version 2.80 of Winamp is available on NullSoft's Web site. The problem can also be fixed by disabling WinAmp's minibrowser.
The weakness is particularly dangerous because MP3 files are generally considered safe, and hundreds of thousands of users frequently trade them with unknown Internet users via file-swapping services such as Kazaa and Morpheus.
A bug in the code of Winamp 2.79 allows a specially formed data tag in an MP3 file to cause a buffer overrun in the application, which could be exploited to run any piece of code the attacker wishes. The glitch was posted to the BugTraq security mailing list on Friday by Andreas Sandblad, a Swedish engineering student.
The code can be embedded in the ID3v2 tag used by some MP3 files to carry information on a song track, such as artist, album and genre. When Winamp plays the track, it automatically tries to query the Winamp Web site using the information in the tag.
According to Sandblad, the buffer overflow occurs when the URL to be sent to the minibrowser is created, meaning that the exploit can be carried out even if an Internet connection isn't present. However, disabling the minibrowser prevents the attack.
Since the attacker can cause any code to be executed on the user's computer, a virus could potentially be spread by altering the ID3v2 tags of other MP3 files on the hard drive or networked drive, which could then be spread to other users.
The scope of the problem is relatively limited, though, according to Graham Cluley, senior technology consultant with Sophos Antivirus. "Lots of applications have vulnerabilities that can run potential exploits, but most virus writers don't have to be so clever -- they can just distribute a VBS file and give it a sexy name," he said.
He also noted that any such virus would only affect Winamp users, a small population compared with the numbers affected by, for example, Microsoft Outlook viruses.