WinAmp contains a flaw which may allow an attacker to crash WinAmp remotely via
Nullsoft's WinAmp Player, a popular multimedia system for Microsoft Windows, contains a flaw in the handling of the metadata (called "tags") contained within
.mp4 files. Invalid data within these files could crash WinAmp.
WinAmp is susceptible to a remote Denial of Service flaw if maliciously crafted
.mpa files are loaded. This flaw could cause WinAmp to unexpectedly crash. Also, the flaw may be exploited in combination with the default setting for some web browsers to automatically open WinAmp playlist (
.m3u) files without prompting. A malicious playlist, with pointers to remote files on the Internet, may be embedded in a web page specifically crafted to automatically load the playlist. As such, a user may unintentionally load a flawed
.mp4 file by following an innocuous web link.
WinAmp may crash, resulting in a denial of service to the user running it.
Apply an update
This flaw has been corrected in WinAmp version 5.08c and later. Download and install the latest version from:
Do not open
.mpa, .mp4, .pls or
.m3u files automatically with WinAmp in your web browser.
Do not open unknown
.mpa, .mp4, .pls or
Of course, these recommendations always apply to any unknown files and file types. It is also always advised for all users to ensure their browser will prompt for the desired action (Save, Cancel, Open) with all filetypes that may load remote data, such as WinAmp
.m3u playlist file types.
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Notified: January 13, 2005 Updated: February 21, 2005
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Updates which address this flaw may be found at the Nullsoft WinAmp web page.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Group | Score | Vector
Base | |
Temporal | |
Environmental | |
This document was written by Ken MacInnis.
CVE IDs: | None
Severity Metric: | 2.03
Date Public: | 2004-12-22
Date First Published: | 2005-02-21
Date Last Updated: | 2005-02-21 21:21 UTC
Document Revision: | 21