Nullsoft, a division of AOL Time Warner that makes Winamp, has confirmed the vulnerability in an older release of the software. The glitch does not affect the newest version, 2.80, which was released last week. In the older version, the problem can be fixed by disabling Winamp's mini-browser.
The weakness is particularly dangerous because MP3 files are generally considered safe, and hundreds of thousands of people frequently trade them with unknown Internet users via file-swapping services such as Kazaa and Morpheus.
A bug in the code of Winamp 2.79 allows a specially formed data tag in an MP3 file to cause a buffer overrun in the application, which could be exploited to run any piece of code the attacker wishes. The glitch was posted to the Bugtraq security mailing list Friday by Andreas Sandblad, a Swedish engineering student.
The code can be embedded in the ID3v2 tag used by some MP3 files to carry information on a song track, such as artist, album and genre. When Winamp plays the track, it automatically tries to query the Winamp Web site using the information in the tag.
According to Sandblad, the buffer overflow occurs when the URL to be sent to the mini-browser is created, meaning that the exploit can be carried out even if an Internet connection isn't present. However, disabling the mini-browser prevents the attack.
Since the attacker can cause any code to be executed on the user's computer, a virus could potentially be spread by altering the ID3v2 tags of other MP3 files on the hard drive or networked drive, which could then be spread to other people.
The scope of the problem is relatively limited, though, according to Graham Cluley, senior technology consultant with Sophos Antivirus. "Lots of applications have vulnerabilities that can run potential exploits, but most virus writers don't have to be so clever--they can just distribute a VBS file and give it a sexy name," he said.
He also noted that any such virus would only affect Winamp users, a small population compared with the numbers affected by, for example, Microsoft Outlook viruses.
ZDNet U.K.'s Matthew Broersma reported from London.