A critical flaw was discovered in the popular media player Nullsoft Winamp version 5.12. This flaw is a Zero-Day vulnerability, which means that currently there is no patch available that fixes the problem.

This flaw is due to a buffer overflow error when processing a specially crafted playlist (”.pls” file) containing a malformed “File1″ tag, which could be exploited by remote attackers to execute arbitrary commands and take complete control of an affected system without any user-interaction via a specially crafted web page.

French Security Incident Response Team published a proof of concept of the PLS File Handling Remote Buffer Overflow.

Update: The guys at Winamp put out a quick fix for this flaw. Until a new version of Winamp is out you can use this patch

Digg this story ?