MP3 and WMA music file flaws could threaten music traders

I just posted the article MP3 and WMA music file flaws could threaten music traders.

chsbiking points to an article over at the News.com website. Yesterday a security firm warned that people using Windows XP or WinAmp could fall prey to a vulnerability, enabling a modified music…

Read the full article here:  [http://www.cdfreaks.com/news/5108-MP3-and-WMA-music-file-flaws-could-threaten-music-traders.html](http://www.cdfreaks.com/news/5108-MP3-and-WMA-music-file-flaws-could-threaten-music-traders.html)

quote: ‘The vulnerability does not affect the Windows Media Player’
Which one? I am using 6.4. Microsoft is not precise here.
‘the music industry are already eyeing such tactics as a way to stop file swappers from trading copyrighted music in the future.’
Why invent such crap? It’s illegal. Simply illegal. So they won’t do it. Why the hell do they write such nonsense? It’s illegal to take over other people’s computers, it’s illegal to execute undocumented and malicious code, no matter for what reason. So they won’t do it (think of the compensation they would have to pay if they used a virus and broke computers - a hacker can hide, but big music firms can’t). So the question is why news.com writes such crap.
More info:
good browsers: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-072.asp
for bad browsers and hidden http_agent: http://www.microsoft.com/technet/security/bulletin/MS02-072.asp?frame=true

Not to fear, simply download LAME. Decode all your MP3s to WAVs, then convert them back to MP3s and retag. This should remove the attack.

Ok, I urge everyone to download the patches. But there is a chance you can pass these MP3s on to other users on the network if you don’t take the attack out of the file. So if you wish, I have written a little VB program that should clean an MP3 file. It even does a whole folder at a time. I wrote the TAG library that comes with it; it’s public domain, anyone is free to use it. It contains source so you can be sure there are no viruses, then compile it yourself if you wish. But an EXE is included. http://orbnet.netfirms.com/mp3clean.zip

Oh, one more thing. I don’t advise using that on MP3s you’ve already downloaded. Just on the ones you download from now on. ’Cause you may have to retag some MP3s after using it. I don’t want anyone retagging their whole collection.

What versions of WinAmp does it affect?

http://slashdot.org/articles/02/12/19/1329243.shtml?tid=128 This /. article has more information on this vulnerability.

Is this even possible? A while ago I gave news about rumoured MP3 viruses, and it was mocked. Now everyone is afraid? I think Domi himself (or it could’ve been Tax) said that viruses can’t be made in MP3s since they are not executable.

I just read the article, I realize it’s not a virus in the music file, just a trick with the filename. If you have a buffer overflow in Win Explorer, the attacker would still need to use a separate attack to gain control of your computer, am I correct? The overflow would just make it easier for them.

It’s not in the music, and it’s not in the file name either. It’s in the TAG information inside the file that keeps track of artist, title, album, the year it was made. All that crap that actually comes before the MP3 data.

If it’s just an ID3 tag, it shouldn’t be very hard to flag. Even P2P networks can probably filter them out.
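
Added example, not part of the thread and not the mp3clean program linked above: a Python sketch of the idea in the comments that the tag data sitting before the MP3 audio can be flagged or stripped. It checks a leading ID3v2 tag for size fields that do not fit inside the tag and removes the ID3v2 and ID3v1 blocks; the function names and the sample bytes are constructed for illustration, and a clean result is a structural check only, not a substitute for the patches.

```python
import struct

def synchsafe(b: bytes) -> int:
    """Decode 4 synchsafe bytes (7 usable bits each), as used for ID3v2 sizes."""
    return ((b[0] & 0x7F) << 21) | ((b[1] & 0x7F) << 14) | ((b[2] & 0x7F) << 7) | (b[3] & 0x7F)

def inspect_id3v2(data: bytes):
    """Return (tag_length, problems) for a leading ID3v2 tag; (0, []) if none."""
    if len(data) < 10 or data[:3] != b"ID3":
        return 0, []
    major, flags, problems = data[3], data[5], []
    if any(x & 0x80 for x in data[6:10]):
        problems.append("tag size bytes are not synchsafe")
    body_len = synchsafe(data[6:10])
    tag_len = 10 + body_len + (10 if flags & 0x10 else 0)  # 0x10: v2.4 footer
    if tag_len > len(data):
        problems.append("declared tag size exceeds file size")
        tag_len = len(data)
    # Walk frames only for plain v2.3/v2.4 tags (no unsynchronisation, no extended header).
    if major in (3, 4) and not flags & 0xC0:
        pos, end = 10, min(10 + body_len, len(data))
        while pos + 10 <= end and data[pos] != 0:  # a zero byte starts padding
            raw = data[pos + 4:pos + 8]
            size = synchsafe(raw) if major == 4 else struct.unpack(">I", raw)[0]
            if pos + 10 + size > end:
                problems.append(f"frame {data[pos:pos + 4]!r} claims {size} bytes, overruns the tag")
                break
            pos += 10 + size
    return tag_len, problems

def strip_tags(data: bytes):
    """Return (audio_bytes, problems) with the ID3v2 block and ID3v1 trailer removed."""
    tag_len, problems = inspect_id3v2(data)
    audio = data[tag_len:]
    if len(audio) >= 128 and audio[-128:-125] == b"TAG":  # ID3v1 is the last 128 bytes
        audio = audio[:-128]
    return audio, problems

# Constructed sample data (not from a real file): a stand-in audio payload,
# one well-formed tag, and one tag whose frame size field is inconsistent.
AUDIO = b"\xff\xfb\x90\x00" + b"\x00" * 32
HEADER = b"ID3\x03\x00\x00\x00\x00\x00\x0f"  # v2.3, 15-byte body
GOOD = HEADER + b"TIT2\x00\x00\x00\x05\x00\x00\x00Song" + AUDIO + b"TAG" + b"\x00" * 125
BAD = HEADER + b"TIT2\x00\x00\x10\x00\x00\x00\x00Song" + AUDIO

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("BAD", BAD)):
        audio, problems = strip_tags(blob)
        print(name, len(blob), "->", len(audio), problems or "no structural problems")
```

Unlike the decode-and-re-encode route suggested earlier in the thread, stripping the tag blocks leaves the audio frames byte-for-byte unchanged, so there is no quality loss, but the files still need retagging afterwards.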