Internet security consultants Foundstone Research Labs has issued a 'critical' warning that the popular MP3 and WMA digital music formats can be used to attack users of Windows XP and Nullsoft's Winamp because of buffer overflow vulnerabilities in the way those file formats are handled.
confirmed the hole in its 72nd security bulletin and urged users of the Windows XP operating system to
immediately apply a patch.
Foundstone tagged its highest warning label on the vulnerability, warning that it is very easy to exploit. "The MP3 does not need to be played, it simply needs to be stored in a folder that is browsed to, such as an MP3 download folder, the desktop, or a NetBIOS share. This vulnerability is also exploitable via Internet Explorer by loading a malicious web site. Microsoft's WMA files also suffer from a similar vulnerability," the company warned.
It said the vulnerability can be exploited to allow an intruder to take complete control over a user's machine. In Windows XP, Foundstone said malicious code can be shuttled through the hole when a user simply hovers a cursor hover over the file icon for the offending MP3 file or opens a folder where the file is stored.
If a user's system is compromised, Foundstone said an attacker would get complete control of the PC to run tasks like creating, modifying, deleting information or even reconfiguring the entire system, reformatting the hard drive or executing other harmful programs.
"Upon folder access, Explorer would execute the code contained within the file attributes. The code could do anything from running a reverse shell to infecting other MP3 files on the computer."
The security firm said users of Windows 2000 or other non-Windows XP operating systems were unaffected, noting that even MP3's with corrupt attributes will play fine on those operating systems with most players.
It also found two additional attack vectors for CP users via a web browser as well as the Microsoft Outlook e-mail client. In those scenarios, a malicious website could contain an IFRAME of a NetBIOS share that holds a malicious MP3 file.
"Similarly, an email could be sent to an Outlook user containing HTML that references the NetBIOS share. "Depending on Outlook security settings and preferences, this attack may not be directly exploitable via an email message. However, if the user browses to a malicious web site with Internet Explorer directly, the attack will work regardless of the Internet Explorer security settings," Foundstone warned.
The flaw comes at a crucial time for the Microsoft, which is aggressively moving to position the XP operation system as a digital entertainment hub for end users. Just this week, the company rolled out the Plus Digital Media Edition and final versions of the popular MovieMaker and Windows Media Player (WMP) software, products that support MP3 and WMA file formats.
Foundstone also warned that Nullsoft's Winamp media player, which is owned by AOL
, also contained the bug. "One buffer overflow
exists in Winamp 2.81 (latest 2.x release) and two buffer overflows exist in
Winamp 3.0 (latest 3.x release)," Foundstone said, urging users of the
popular media player to download fixes urgently.
Both Winamp versions 2.81 and 3.0 are vulnerable, the company said. If a long Artist ID3v2 tag is present within an MP3, Winamp 2.81 will crash yielding privileges immediately upon loading the MP3. In the newest version 3.0, there are two media library overflows. If an MP3 is loaded into Winamp 3.0 that has an ID3v2 tag, the Artist and Album fields of the ID3v2 tag are displayed within the Media Library window of Winamp3, the company said.
An attacker could create a malicious MP3 file, that if loaded via the Media Library window, would compromise the system and allow for remote code execution," Foundstone said, noting that an attacker could create a malicious MP3 file that exploits either the overflow of the Artist ID3v2 tag or the Album ID3v2 tag (or both). "For either overflow to occur, the user has to attempt to load the MP3 file from the Media Library by at least single clicking on either the MP3 via the Artist or Album window."
Like Microsoft, Nullsoft confirmed the flaws and released fixes for both versions of its Winamp software.
The specter of using digital music files as hacking tools raised eyebrows in the peer-to-peer space, especially with the controversial plan by the Recording Industry Association of America (RIAA) to legally target file-sharers in its fight against music piracy.
In September, a House Judiciary subcommittee held a raucus hearing on the controversial anti-piracy file sharing bill which would give the RIAA legal powers to hack into a user's PC to find copyright-protected digital music files.
The bill was sponsored by Reps. Howard Berman (D-Calif.), and Howard Coble (R-N.C.), Lamar Smith (R-TX), and Robert Wexler (D-FL).