Winamp has just released their 5.12 version last December 9, 2005, and now a new exploit for the new version is out. FR-SIRT already released and advisory(as well as the PoC) and yes, it works. As described in the attack vector: “make a html page containing an iframe linking to the .pls file.”
The author also released a link to a site which utilized the iframe, and here are some notes:
- On visiting the link via FireFox, a dialog box asks you whether you want to download, or open the file.
- On IE, however, the PoC is automatically executed without any warning.
I therefore conclude, if you have the vulnerable version of Winamp (and no patched version yet), use FireFox when browsing the web. No reports of this ITW yet.