Hackers have crafted an exploit based on an unpatched vulnerability in Winamp, the popular media player package.

Security bugs within Winamp's MP4 decoding allow miscreants to slip malware onto the PCs of users running Winamp version 5.34.

The vulnerability has been coded into a script kiddie friendly exploit, however a number of mitigating factors make attacks based on the flaw difficult to carry out.

"After install Winamp is associated with .MP4 files. However, Winamp does not open .MP4 files embedded within websites," the SANS Institutes's Internet Storm Centre notes.

Miscreants would have to trick users into attempting to play a maliciously constructed MP4 file using Winamp for the trick to be successful. Users are advised to remove the association between .MP4 files and Winamp as a workaround until a vendor supplied patch is available. ®

Related stories

• Winamp blighted by bug brace (21 January 2008)
• IE + RealPlayer = Security hole (20 October 2007)
• Apple patches security hole in QuickTime (2 May 2007)
• Updated QuickTime, not Safari, to blame for MacBook vuln (25 April 2007)
• Safari zero-day exploit nets $10,000 prize (20 April 2007)
• Microsoft zero-days said to target Office and Windows (11 April 2007)
• Britney fears used as ANI exploit lure (5 April 2007)
• MySpace-hosted malware exploits QuickTime flaw (16 March 2007)
• Interview The rise of zero-day patches (2 March 2007)
• Winamp exploit poses hacker risk (31 January 2006)