An update to Winamp closes a terrible trio of critical security holes in the popular media player application.

The rather old-school vulnerabilities involve a brace of integer overflow cockups in the in_avi.dll plug-in and a heap-based buffer overflow vulnerability in the in_mod.dll plug-in library. All three flaws create a means to inject hostile code into systems running vulnerable versions of the software, which is developed by Nullsoft, a division of AOL Music. Exploits would involve tricking victims into attempting to play malformed media files.

Users are advised to upgrade to version 5.623 of Winamp media player for Windows, as explained in an advisory by security notification firm Secunia here. More details can be found in a post on Winamp's forums here. ®

Related stories

• Indy devs to AOL: Save Winamp, or at least make it open source (26 November 2013)

  https://www.theregister.com/2013/11/26/petition_to_save_winamp/

• Winamp is still a thing? NOPE: It'll be silenced forever in December (20 November 2013)

  https://www.theregister.com/2013/11/20/winamp_to_disappear/

• A simple HTML tag will crash 64-bit Windows 7 (21 December 2011)

  https://www.theregister.com/2011/12/21/win_7_bug_crash_risk/

• Winamp advises forum password reset after mystery hack (16 February 2011)

  https://www.theregister.com/2011/02/16/winamp_forum_hack_password_reset/

• Winamp plug-in backdoor wide open to viral penetration (1 December 2010)

  https://www.theregister.com/2010/12/01/winamp_security_update/

• WinAmp update fades out critical media player flaws (21 December 2009)

  https://www.theregister.com/2009/12/21/winamp_update/