back to article Winamp mends trio of old-school security holes

An update to Winamp closes a terrible trio of critical security holes in the popular media player application. The rather old-school vulnerabilities involve a brace of integer overflow cockups in the in_avi.dll plug-in and a heap-based buffer overflow vulnerability in the in_mod.dll plug-in library. All three flaws create a …


This topic is closed for new posts.
  1. AndrueC Silver badge

    I'd forgotten Winamp even existed. Nice to see the old favourites still around.

    (Winamp that is, not the poor programming).

    1. Inachu

      I m iss the old winamp

      I prefer the way winamp offered its services when 5 first came out.

      Now the streaming video is so tied down I can not get what I am looking for at all.

      Because of that I hope winamp bites the big one.

  2. Ogi

    Does anybody actually use winamp anymore?

    I used to use it back in the day before it got bought by AOL, but once AOL got hold of it (and all the original authors resigned) it just went downhill so fast... Coincided with my final push to be linux-only so went to xmms (which was essentially a winamp 2 clone).

    I remember AOL being really slow to fix bugs, but really fast to add new ways of sticking adverts or bundling crap with winamp. Such a shame... (I liked the winamp 5 media library, and the skinning opportunities, and the whole skinning ecosystem around it)

    The nullsoft shoutcast streaming server is still popular though, despite not being updated in years. Includes some iffy overflow bugs that AOL hasn't fixed since they took it over, resulting in some of my fave net radio stations going offline randomly until someone kicks the streaming server.

    Why does whatever AOL touch turn to crap. It's like the reverse-midas touch...

    1. Craig Chambers

      Still a great media player IMO

      I'm the last to approve of AOL, but my experience of Winamp is far better than that of certain apple shaped media software.

      I'm all Linux at home, and am resigned to using iTunes lookalikes (Banshee, Rhythmbox) since I found XMMS2 a pain to find, then set-up on recent versions of Ubuntu and XMMS3 was just not very user-friendly (for my wife).

      I still like and use Winamp on Windows machines at work. Their best feature IMO has always been sorting how I want it (Sort by > Path & Filename), but their playlist features are also great. I use it to create playlists for use on my phones, and their support of varied formats is also good. When I re-encoded music to the excellent he-aacv2 format for playback on my phones back in 2007, Winamp was the only player that supported the format.

      As for support, once I got my recent defect noticed, it was fixed in what I would call reasonable time and is in the latest version... [aacdec] Detection of parametric stereo for AAC files made with older encoders.

      1. James Le Cuirot


        Are you from the future?

        I like XMMS2 but I'm strange like that.

        1. Craig Chambers

          Oops, subtract one from each of the numbers above! :-)

      2. joejack
        Thumb Up

        qmmp on Linux is much nicer than xmms, and supports winamp skins. Great hotkey support, too. From nautilus, I just right-click and enqueue to qmmp, or play with qmmp. Google around and you can find how to replace banshee as the default player.

        But yeah, if I'm on win7 I still use winamp. I don't install video or modern skins or a lot of the other crap. Stays out of the way, low footprint, syncs playlists to portables, good hotkey support, great for ripping/reencoding, all the old plugins still work (control from wireless joystick), and I'm using a vis from 1995. I've never seen the adverts ppl are complaining about, but then I don't care about their media browser.

        1. Ammaross Danan

          Still Good

          joejack: "But yeah, if I'm on win7 I still use winamp. I don't install video or modern skins or a lot of the other crap. Stays out of the way, low footprint, syncs playlists to portables, good hotkey support, great for ripping/reencoding, all the old plugins still work"

          Which is exactly why I still use it. Global Hotkeys work great, even in full-screen ancient apps (think Diablo 2). The thing to love is startup time, low CPU use, and next to no memory footprint. Compare this vs Windows Media Player, RealPlayer, or (ugh) iTunes (to name a popular trio) and you feel better about running old-school.

    2. The Fuzzy Wotnot

      Yep, use it on my Android mobile. Not stunning but does the job quite nicely and handles M3U playlists properly unlike the free, supplied music player.

    3. Mark Allen
      Thumb Up

      No Adverts...

      It is easy to install Winamp without the adverts. Most of them are just in the installer. And then a little bit of tweaking in the player kills off some of the "more info" features. AOL has not got their claws into this one - still plenty of independence with the devs (I am also not an AOL fan)

      Still a great little player. Can't find anything else to support so many different formats, and none of that iTunes bloat. (Or the SHOP it is all based around...)

      And isn't this "news" from El'Reg a little old? This release has been out since June!!

    4. Mark Allen

      ahh... weird thread...

      Replying to my own post that is still in moderation... My mistake. I didn't realise that the thread linked by El'Reg had updates tagged on the end of it. So ignore my rubbish about the "June Release". (Even better would be if a mod could just delete my last sentence above there)

      Winamp still rules though!! Nothing is as organised for a big music collection.

  3. Anonymous Coward
    Anonymous Coward


    I have to support Winamp on one last PC. Let's see: The main website still shows the buggy version, yay redo. Auto-update within the application is non-existent. I think I will just remove it from that last PC and act all surprised if the user actually notices.

  4. EddieD

    Is the installer still stuck in 1999?

    If I'm upgrading, I expect the installer to look at my current preferences, and use them, something that winamp seems extremely reluctant to do - it appears to be waiting for me to get careless, so that it can usurp all my audio associations - which last time took me a while to sort out...

    1. Mark Allen


      Are you sure you are not confused with something else? The Winamp installer upgrades old versions fine, keeping all my weird settings on different PCs. Have to skip the AOL crud, but that is easy (especially when every other installer now tries to trick you into installing toolbars...)

      1. EddieD

        Ok, let's see...

        Choose install components, choose languages, choose skin, choose associations...

        And then, when I click finish, a User Account Control window appears....

        Then, sending in user information...

        Leave things as they were guys...nothing else...

  5. rpjs


    How quaint.

  6. Panix

    I <3 Winamp

    I've never bothered to find another media player. I hate using WMP. When I got an iPod a few years ago, I didn't want to use iTunes because it has more bloat. After playing with a few programs, I found Winamp had the capability of adding music and movies. I usually just do the minimum install possible so I don't get all the crap on my Desktop. Milkdrop is awesome for certain situations.

    Although, when watching TV episodes, Winamp likes to move from Full Screen back to Windowed mode once one file ends and another starts. I'm forced to use WMP if I want to watch a season of Squidbillies. :\

    1. Tim Walker

      I still use XMMS...

      Yes, I know it hasn't been developed in years, but I needed a lightweight graphical audio player for my Arch Linux-powered Eee 701SD netbook. At least I could find my way around XMMS, the interface works just fine on an 800x480 screen, and there's a wide range of plugins, scripts and add-ons (e.g. player controls for GKrellM) for XMMS.

      Nowt wrong with being "old-skool" in one's tastes... unless your beloved program has security holes you could drive a bus through, naturally ;-)

      1. James Le Cuirot

        Please let XMMS die

        Use Audacious instead. Same look and still lightweight but less bit rot.

        1. Anonymous Coward
          Anonymous Coward

          What about VLC media player?

          Or does that just make me sad?

          1. Hollerith 1

            VLC rools

            I just gave up on WinAmp -- went to get the latest version after being nagged to death to do it by NullSoft, only to find it crammed with so many unwanted extras that I deleted within an hour. Fetched down the latest VLC, for old times sake, and find it takes Winamp's place perfectly. The only thing I hate is the little bubble from the status bar popping up when a new track comes on. I thought I'd sorted that, but it's back.

  7. Anonymous Coward
    Anonymous Coward


    "The rather old-school vulnerabilities involve a brace of integer overflow cockups in the in_avi.dll plug-in and a heap-based buffer overflow vulnerability in the in_mod.dll plug-in library."

    So, the problem was with DLLs was it? In other words a problem on Windows platforms... ever so secure, aren't they?

    1. Dave Murray

      No the problem was integer & buffer overflows which just happen to be in the dlls. Nothing to do with Windows and everything to do with bad coding by the Winamp devs.

      Your platform of choice has it's own version of dlls which are no more or less secure. Libraries are libraries and we all need them.

      1. Anonymous Coward
        Anonymous Coward

        Well ...

        ... on my system the media player uses system libraries, rather than installing its own. That does reduce the potential for error somewhat.

        It also allows for things like command line conversion. On windows ... install yet another app with its own brace of holes.

  8. Tom 38

    Winamp 3/5 is fail

    I still use Winamp 2.95 (installer size 2.4MB) rather than any of the 5 series (installer size 15.7MB).

    1. BenDwire Silver badge

      Unless you install Winamp Lite ...

      Which is hidden at the bottom of the download page, and is a less bloaty 7.8M

  9. CADmonkey
    Thumb Up

    sucks less balls than itunes

    I've paid the $20 or whatever years and years ago and, apart from a few video codecs that it only pretends it knows what to do with, it has stood the test of time for me at least. Excellent media library, converts files, rips to FLAC & mp3, ipod support, etc. not to mention the most consistantly trippy plug-ins.

    Cold boot windows, right click a folder in explorer, play in Winamp: >7k tunes load and play in seconds. Try that with itunes or WMP. It can even make a half-decent go at randomising a playlist instead of just the lame 'shuffle' play option. (all are lame IMO if you have 'too many' tunes)

    PS: Anyone that installs anything by fast-clicking next next next deserves everything they get.

  10. Big Al

    Stopped using Winamp...

    ... when adverts that wouldn't display for my geographic area stopped me using it to listen to the radio!

    Been happily using Foobar since - which explains the icon choice. ;)

  11. easyk

    it works fine

    Initial release April 21, 1997 and I suspect it has another 5 - 10 years in it. It does what it does well enough. Though I don't let it connect to the internet and only use it to play music files off the NAS.

  12. Richard Armstrong

    Gotta love the visualisations

    .....haven't found anything better IMHO

    1. Captain Scarlet

      Actually there was

      Sonique (For out of the box vizualisations), which sort of died when Lycos purchased it.

      This was some 10 years ago though!

  13. Figgus

    Winamp > Windows Media player because it lacks the overly intrusive DRM. WMP will actually delete files if it thinks you don't own the rights to them!!!

  14. Anonymous Coward
    Anonymous Coward


    Winamp refugees, try Songbird.

  15. DJGM

    Winamp? Naaahhh!

    Sonique v1.96 FTW! Hangs occasionally, but still mostly works, even on W7.

    Not bad for a program that'll be 10 years old next March!

    (Even works on Linux with WINE.)

  16. Paul 98

    I still use Winamp and love it. But does anyone remember Sonique?

  17. ShiSh

    sonique was beautiful, though I've always been a Winamp user, probably since 1998 or so. I still install it now for the reasons mentioned above - the small footprint is what I want from a music player, that's all I'm doing with it.

    How about kjofol? Another player from the same era but with a more ugly interface!

This topic is closed for new posts.