we received since July 22nd several reports from users who were hacked after visiting
several websites. This 0day attack had been used to spread spyware and trojans,
infecting patched computers.
Investigations showed the existance of a new and unpublished flaw/exploit in the winamp
skin files handling.
take a look at the code/exploit :
Secunia advisory : http://secunia.com/advisories/12381/
Thor Larholm -> When a user visits a website that hosts the Skinhead exploit their
browser is redirected to a compressed Winamp Skin file which has a WSZ file extension
but which in reality is a ZIP file. The default installation of Winamp registers
the WSZ file extension and includes an EditFlags value with the bitflag
00000100 which instructs Windows and Internet Explorer to automatically open these
files when encountered. Because of this EditFlags value the fake Winamp skin
is automatically loaded into Winamp which in turn open the "skin.xml" file inside
the WSZ file. This skin.xml file references several include files such as "includes.xml",
"player.xml" and "player-normal.xml", the latter of which opens an HTML
file in Winamp's builtin webbrowser.
The HTML file that is opened exploits the traditional codeBase command execution vulnerability
in Internet Explorer to execute "calc.exe" at which time the user is
K-OTik.COM Security Survey Team
Don't use winamp until this is fixed.