From alerts@us-cert.gov Wed Feb  1 15:19:02 2006
From: US-CERT Alerts <alerts@us-cert.gov>
To: alerts@us-cert.gov
Date: Wed, 1 Feb 2006 15:01:52 -0500
Subject: US-CERT Cyber Security Alert SA06-032A -- Winamp Playlist Vulnerability 


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                     National Cyber Alert System

                   Cyber Security Alert SA06-032A


Winamp Playlist Vulnerability

   Original release date: February 1, 2006
   Last revised: --
   Source: US-CERT


Systems Affected

     * Microsoft Windows systems that have Winamp installed.


Overview

     Winamp, a popular media player, has a vulnerability that could
     allow an attacker to take control of your system. Upgrading to the
     latest version of Winamp will take care of this vulnerability.


Solution

Install an Update

     You can download and install Winamp 5.13 to avoid the
     vulnerability.


Description

     A vulnerability in Winamp 5.12, and possibly in earlier versions,
     allows an attacker to run malicious code on your system when you
     open a playlist file. This malicious code could also be embedded in
     a web page, and could execute, without your knowledge, when you
     visit a malicious web page or open an HTML document.

     For more technical information, see US-CERT Technical Alert
     TA06-032A.


References

     * Winamp Version History -
       <http://www.winamp.com/player/version_history.php>

     * US-CERT Technical Cyber Security Alert TA06-032A -
       <http://www.us-cert.gov/cas/techalerts/TA06-032.html>

     * US-CERT Vulnerability Note VU#604745 -
       <http://www.kb.cert.org/vuls/id/604745>


  ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/alerts/SA06-032A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT. Please send email to
   <cert@cert.org> with "SA06-032A Feedback VU#604745" in the subject.
 ____________________________________________________________________

   Mailing list information:

     <http://www.us-cert.gov/cas/>
 ____________________________________________________________________

   Produced 2006 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________


Revision History

  February 5, 2006: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBQ+EKhH0pj593lg50AQLm3wf/YZpaQzu0RtyGXXE0WeR5PQoHvXHovqQr
wa440DvxTHCclN0BqQHvaI5KlOTKKCgw1Dh0w18AtR6YeJGDmoKt3hZumrC9K0tI
qUIAP2p007ow5cRp5sKfrF1vfA3/t0CVoBXBS8UURsGZt5fwAoTHN0uU18pE5rem
3Y35KNFqu/3f9wApvQyAHhmulD9L43sigZtM00z5RCmKEHD/6I5KbGm+vPicuLYF
/ns/ieYactohUvstIYRsb2e0QVXR3iqf3eIX88USu+TAeXLBI1fZj+fSY8yPQrYz
f809aIMeJBsfscLGI0yoNiIXpX1P3DFQe13I/voBCLUWGeNkVy0PRA==
=sHdO
-----END PGP SIGNATURE-----