| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 30 Jan 2006 14:20:37 -0500 (EST) From: Chris Wysopal <weld@...nwatch.org> To: bugtraq@...urityfocus.com Cc: Process <processtree@...tonfire.org> Subject: Re: Winamp 5.12 - 0day exploit - code execution through playlist You can disable auto launching Winamp for playlist files as a workaround. For Firefox, go to Tools / Options settings, click on Download icon, then click on View & Edit Actions... Scroll down to M3U extension and then push the Remove Action button. Firefox will no longer automatically launch firefox for Winamp playlist files. It is a good idea in general for attack surface reduction to trim down the View & Edit actions to just the ones you need. Do you really need AIFF and AU autolaunching for instance? What about all those Quicktime and Acrobat formats? Looks like a lot of unnecessary attack surface to me. For IE you need to disable the file type in Windows Explorer. Go to Tools / Folder Options / File Types. Scroll down to the file extension you want to change. In this case its M3U. Check Confirm after download. You will be prompted to launch WinAmp if a M3U file is downloaded. You can remove the file type completely but that will also remove the ability to double-click to launch playlists from the Windows shell. You may want to go through this list and check confirm after download for many file types. It would be nice if more vendors installed their file types with this option in place. -Chris
Powered by blists - more mailing lists