-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-032A Winamp Playlist Buffer Overflow Original release date: February 1, 2006 Last revised: -- Source: US-CERT Systems Affected Microsoft Windows systems with Winamp 5.12 or earlier Overview America Online has released Winamp 5.13 to correct a buffer overflow vulnerability. Exploitation of this vulnerability could allow a remote attacker to execute arbitrary code with the privileges of the user. I. Description Winamp is a media player that is commonly used to play MP3 files. Winamp 5.13 resolves a buffer overflow vulnerability in how playlist files are handled. Details are available in the following Vulnerability Note: VU#604745 - Winamp fails to properly handle playlists with long computer names Winamp contains a buffer overflow vulnerability when processing a playlist that specifies a long computer name. This may allow a remote unauthenticated attacker to execute arbitrary code on a vulnerable system. II. Impact By convincing a user to open a specially crafted playlist file, a remote unauthenticated attacker may be able to execute arbitrary code with the privileges of the user. Winamp may open a playlist file without any user interaction as the result of viewing a web page or other HTML document. III. Solution Upgrade Upgrade to Winamp 5.13. Appendix A. References * US-CERT Vulnerability Note VU#604745 - * CVE-2006-0476 - * National Vulnerability Database (CVE-2006-0476) - * WINAMP.COM | Player | Version History - * WINAMP.COM | Player - ____________________________________________________________________ The most recent version of this document can be found at: ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA06-032A Feedback VU#604745" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit . ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: ____________________________________________________________________ Revision History Feb 1, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQ+EN2H0pj593lg50AQL/zQgAqqNNsBwOLdKKb+e98yUUPRSyj38BKA1G R4nBJ3mO85BvFFqS9NdcPSYH1DgELKhYwOoicEsbX0bmaF+lmr2ClHBO4af6fA3/ bhLksKmf5qtm61SSIuEVyBsXsDwSFQpLACOAkgarW5D5Ii4bW3CDlc9H/4dHYT3j jiGMSVBmYWGjyEMEVznZ1liURyK6BpVHGQI0bf2/dhSk3150LJzwa0vACjnCJEeB 0Fs/s7xkAPoGDT4PxWxe/KEK03PZpJY6yZhCP6IayJsuO7kMQhzBoROK615X/Od5 ctU6qLPx8VIcyW7b9xVMl0OuZf7R412qd74bmnDfIYeGexxuLMifFg== =NZIe -----END PGP SIGNATURE-----