HydrogenAudio

Hydrogenaudio Forum => General Audio => Topic started by: polemon on 2015-08-01 10:51:02

Title: Using Winamp2 in 2015
Post by: polemon on 2015-08-01 10:51:02
Only quite recently, a friend of mine told me quite enthusiastically, how he still uses Winamp2 as his media player. More specifically, version 2.95.

Now, I haven't used Winamp in ages. I don't know how it compares to things like Foobar 2k, etc, I'm not a Windows user, I have no idea, really.

Just yesterday, I decided to download an old Winamp version, and install it in one of my Windows VMs. In the process I learned that Winamp doesn't really exist anymore, the website seems to be in some sort of permanent maintenance mode.

What's really interesting to me, is that it actually works. I had to install decoder DLLs from various dubious places to make it decode things like MP4 AAC, FLAC, and I think I've also installed an Ogg/Vorbis decoder.

Just for defecation and laughter, I tried to install an Opus decoder, but there doesn't seem to exist any. I seem to remember there used to be quite a community making plugins for it. Is it still possible to make plugins for Winamp2? Theoretically, the Application just loads a bunch of DLLs, and uses the functions implemented there to demux containers and decode streams, the actual Winamp executable doesn't seem to be doing much itself.

A quick search didn't turn up tutorials or examples how to make them. I imagine it's just compiling as shared libraries, but I couldn't really find anything to start with.

Can someone maybe help me out a little?

Let me pre-empt the obvious why question: No reason. I just think it would be funny having this ancient player handle modern file formats. There seems to be quite a devoted Winamp user community. I guess it's a bit like running DOS on older computers, just for the sake of doing it.
Post by: lvqcl on 2015-08-01 11:17:50
Quote
Just for defecation and laughter, I tried to install an Opus decoder, but there doesn't seem to exist any.

http://forums.winamp.com/showpost.php?p=3024589&postcount=418 (click on "Opus Audio Codec plugins") I'm not sure that it's compatible with WA 2.x though.

Quote
Is it still possible to make plugins for Winamp2? Theoretically, the Application just loads a bunch of DLLs, and uses the functions implemented there to demux containers and decode streams, the actual Winamp executable doesn't seem to be doing much itself.

A quick search didn't turn up tutorials or examples how to make them. I imagine it's just compiling as shared libraries, but I couldn't really find anything to start with.

Can someone maybe help me out a little?

Winamp Development Forum: http://forums.winamp.com/forumdisplay.php?f=14
Winamp Developer Wiki (via archive.org): http://wayback.archive.org/web/20130415055127/http://wiki.winamp.com/wiki/Beginner's_Basic_Plugin_Guide
Post by: j7n on 2015-08-01 14:24:32
I still use Winamp 2.95 to listen to HTTP audio streams in MP3 or AAC format (ShoutCast). I have updated the MP3 plugin with one taken from an earlier 5.x version (version reads 3.08). That might or might not have been necessary to listen to AAC streams. I also use it to fix ID3v1 tags in MP3 files to make them as complete as possible, after I finished tagging with Foobar (APEv2+ID3). I limit the lengths of the fields intelligently, instead of allowing titles to end mid-word, and substitute Unicode symbols. (But I'm moving on to Ogg Vorbis and will soon stop bothering with this.)

Old Winamp works just as it did years ago. Biggest issues with it are no Unicode support, and no ReplayGain except if every input plugin implements it. The Vorbis plugin can show special symbols in the tag viewer, but not in the playlist editor. If you never listen to music abroad, and don't feel like spelling artist names with reversed letters, and so on, Unicode might not be an issue.

Both key issues have been resolved in Winamp 5, which is a decent player for casual users who have learned Winamp's interface (mom and pop). I recall it took quite a few versions for Winamp to show Unicode on the taskbar button / window title...

I tried installing the Opus plugin (whose size is comparable to Winamp itself because it includes SSL and a huge picture in the plugin's about box), which failed. The opus file type didn't appear among the list of supported types, nor is the plugin visible in settings.

Plugins for TAK (http://thbeck.de/Tak/Tak.html#Links_TAK), FLAC 1.2.x (24-bit) (https://sourceforge.net/projects/flac/files/flac-win/flac-1.2.1-win/), WavPack (http://www.wavpack.com/downloads.html), do exist for Winamp 2. Vorbis is included in the package. AFAIK, MPC SV8 and Opus don't work.

Post by: audiophool on 2015-08-01 15:12:52
I would recommend against running legacy software on a PC with any sort of connection to the outside world.

There are several critical security vulnerabilities in 2.95 which allow attackers to execute arbitrary code. I didn't look into this in-depth but it seems there are a number of different attack vectors as well (e.g., you can't say you're on the safe side just because you encode all your media files yourself).

Contrary to popular belief, an antivirus doesn't sufficiently protect you against attacks. In fact, it's probably more important to super-regularly patch your software.

EDIT: Of course, running Winamp in a VM as the OP did is much preferable over running it on a host directly. I still don't think it's particularly safe.
Post by: polemon on 2015-08-01 15:45:53
Quote
I would recommend against running legacy software on a PC with any sort of connection to the outside world.

There are several critical security vulnerabilities in 2.95 which allow attackers to execute arbitrary code. I didn't look into this in-depth but it seems there are a number of different attack vectors as well (e.g., you can't say you're on the safe side just because you encode all your media files yourself).

Do you mean
http://www.cvedetails.com/vulnerability-list/vendor_id-267/product_id-638/version_id-34733/Nullsoft-Winamp-2.95.html ?

The security vulnerabilities require recrafting the bitstream to invalid values, which in pretty much all cases will lead to crash Winamp, which isn't really that bad. I can see a bigger problem if people are dumb enough to run it with administrator privileges.

Also it should be noted, that by now, Windows isn't too bad in blocking segmentation faults.

Quote
Contrary to popular belief, an antivirus doesn't sufficiently protect you against attacks. In fact, it's probably more important to super-regularly patch your software.

Relying on anti-virus software is mostly wrong in general. They most often give a false sense of security more than anything. The trick is not to let the virus onto the computer, not trying to remove them once they're already there.

Super regularly patching is not a guarantee for security, as Microsoft showed earlier this year.

Quote
EDIT: Of course, running Winamp in a VM as the OP did is much preferable over running it on a host directly. I still don't think it's particularly safe.

Well, running that inside a VM is pretty much my only option, as none of my computers run Windows natively. But again, the security comes from monitoring what the software is doing, not from applying patches and trusting the company or person those patches actually close security holes instead of opening them up...

Arguably, the biggest security hole is any browser and the person using it.

That being said, I find some of these attack schemes quite funny (number 19 in the list I've linked above).
These security vulnerabilities are mostly dangerous to people using Winamp for streaming (as in, as streaming source, not for listening), because that might crash the server. But whoever uses Winamp on their streaming servers, kinda deserves getting what they ask for, imo.

Also, I think it's particularly safe, that I know what I'm doing.
Post by: greynol on 2015-08-01 16:12:54
Quote
but it seems there are a number of different attack vectors as well (e.g., you can't say you're on the safe side just because you encode all your media files yourself).

It seems?  Can we find something to substantiate this so that it may rise above the level of pedestrian FUD?
Post by: audiophool on 2015-08-01 16:32:26
Quote
It seems? Can we find something to substantiate this so that it may rise above the level of pedestrian FUD?

I just wanted to caution in general. As for the OP, I certainly get the impression he is tech-savvy enough to evaluate the risks on his own.

As for your question: Please google Winamp + CVE. (Some hits will refer you to vulnerabilities not present in 2.x, such as exploits based on the modern skins. But many vulnerabilities in all kinds of areas apply to 2.95. The CVE will usually list the affected versions.)

EDIT - Or see here: http://www.cvedetails.com/vulnerability-search.php?f=1&vendor=&product=winamp&cveid=&cweid=&cvssscoremin=&cvssscoremax=&psy=&psm=&pey=&pem=&usy=&usm=&uey=&uem=
Post by: greynol on 2015-08-01 16:47:42
Why not provide just one concrete example that affects a user who simply plays back files that he has created?

Warning against installing untrusted skins and plugins or streaming are a different issue from what you warned against, which I specifically quoted.  As a (former) long-time user of 2.95 for local playback of self-made mp3, Monkey's Audio, flac, TAK and WavPack audio files using official third-party plugins, I'd like to know specifically what insidious things could have happened.

I feel you are being misleading.  Being vague doesn't help matters.
Post by: audiophool on 2015-08-01 19:07:24
Quote
Why not provide just one concrete example that affects a user who simply plays back files that he has created?

Quote
I feel you are being misleading. Being vague doesn't help matters.

I feel you are being passive-aggressive. I gave you the list to known vulnerabilities. Aren't you capable of going through it yourself?

Quote
Warning against installing untrusted skins and plugins or streaming are a different issue from what you warned against, which I specifically quoted.

No, installing skins and such is exactly what I had in mind. What I said and you quoted is:
Quote
but it seems there are a number of different attack vectors as well (e.g., you can't say you're on the safe side just because you encode all your media files yourself).

Quote
It seems? Can we find something to substantiate this so that it may rise above the level of pedestrian FUD?

It's not sufficient to just encode all your media files yourself. Plugins and skins are risks. Updates are a risk (see CVE-2008-3441). If you use album art, tags, or playlists from the net, that's a risk. Etc.

Obviously, the most serious risk are crafted audio and video files, something I put aside. But really, that's something you can only ignore if you never play downloaded files.

EDIT: To clarify, I don't think Winamp 2.95 is a software targeted by those writing malware. But, it is reasonable to conjecture that it shares vulnerabilities with other software that is being targeted actively (say, other media players such as iTunes or WMP).
Post by: greynol on 2015-08-01 19:14:37
What about the part of my post that you ignored?

Quote
As a (former) long-time user of 2.95 for local playback of self-made mp3, Monkey's Audio, flac, TAK and WavPack audio files using official third-party plugins, I'd like to know specifically what insidious things could have happened.

...and so that we're clear, I had no other plugins or skins installed and I did not have Windows configured so that it opens Winamp automatically for any reason whatsoever; using a browser will not cause Winamp to launch or load something if it is already running.

Quote
It's not sufficient to just encode all your media files yourself. Plugins and skins are risks. Updates are a risk (see CVE-2008-3441). If you use album art, tags, or playlists from the net, that's a risk. Etc.

Breathing air can be a risk.  I don't see how this should prohibit me from safely using Winamp to play tracks I've encoded myself.

Seriously, stop and consider that people might interpret things a bit more literally than what you may have intended.  Your post I quoted made absolutely no mention of plugins or skins.  All you essentially said is that Winamp is not safe even if you encode your own files.  If you did intend, then please provide something other than "go look it up for yourself".  I did that and called bullshit.

Now we're just trying to identify the location of the goal posts.
Post by: audiophool on 2015-08-01 19:30:20
Quote
I don't see how this should prohibit me from safely using Winamp to play tracks I've encoded myself.

What you say is still wrong. You are not necessarily being safe when you merely play self-encoded tracks. You'd also have to refrain from using JPEGs obtained via the web for artwork, tags written based on info from the web (such as lyrics), etc. The list I linked gives vulnerabilities applying to the things mentioned in the previous sentence.

Considering how easy it is to find a free-as-in-beer alternative to Winamp, why do you continue using it? Do you really encode everything yourself? You don't obtain any music via Bandcamp, iTunes, amazon or other online stores? You don't have any MIDI or whatever files created by someone else? You don't think it's possible that you accidentally open up streams with Winamp?

I'm not claiming the expected damage from using Winamp is huge. But you gotta think about it in a cost-benefit sense. What is the benefit of using it to you? There are so many lightweight media players which are still being actively developed, media players for which vulnerabilities and other bugs are fixed. Many inspired in their GUI by Winamp. I honestly don't see the virtues of that silly piece of legacy software called Winamp.
Post by: greynol on 2015-08-01 19:36:33
Quote
using JPEGs obtained via the web for artwork

I've never done that.

Quote
tags written based on info from the web (such as lyrics)

...that either.

Quote
etc.

This is what I meant by being vague earlier, though this time you're making your point.

Quote
Do you really encode everything yourself?

I said that I did.

Quote
You don't obtain any music via Bandcamp, iTunes, amazon or other online stores?

Correct.

Quote
You don't have any MIDI or whatever files created by someone else?

Correct.

Quote
You don't think it's possible that you accidentally open up streams with Winamp?

Not only do I think it's not possible, I know that it never happened or will ever happen, for that matter.

Quote
I honestly don't see the virtues of that silly piece of legacy software called Winamp.

That's fine, but this sounds more than a bit zealous. Regardless, these are things people need to think about when operating a computer even with regular updates; so I do appreciate your being more specific (with very excellent points, no less) than you were in your initial "be scared; be very scared" post.
Post by: ech3 on 2015-08-01 19:59:54
Quote
Now, I haven't used Winamp in ages. I don't know how it compares to things like Foobar 2k, etc


As far as I know, it still really whips the llama's ass!
Post by: polemon on 2015-08-02 01:29:58
Quote
I don't see how this should prohibit me from safely using Winamp to play tracks I've encoded myself.

Quote
What you say is still wrong. You are not necessarily being safe when you merely play self-encoded tracks. You'd also have to refrain from using JPEGs obtained via the web for artwork, tags written based on info from the web (such as lyrics), etc. The list I linked gives vulnerabilities applying to the things mentioned in the previous sentence.

I've never got artwork from the internet to put it into the metadata of a file, this just seemed too tedious. But even if I did, the confidence level is much higher when you get your artwork from sources like Wikipedia, than from anything dubious. The point is knowing how to use a computer and knowing what you're doing.

When I write tags based on info from the web, I don't see how it can be an issue, when it's plain text. Or did you mean as in pulling the info directly from the internet and writing it into the file? If so, again - it's down to confidence level. Just because there are viruses on the internet, I'm not gonna stop using the internet.

Quote
Considering how easy it is to find a free-as-in-beer alternative to Winamp, why do you continue using it? Do you really encode everything yourself? You don't obtain any music via Bandcamp, iTunes, amazon or other online stores? You don't have any MIDI or whatever files created by someone else? You don't think it's possible that you accidentally open up streams with Winamp?

I don't encode everything, but again, it's down to the confidence level. I assume you've read through the list of vulnerabilities, that I've linked in one of my previous posts. You'll see, that the mode of operation is not silently executing code, but mostly crashing, or some sort of other service denial. You have to be really daft not to realize something's wrong.
Do I have midis created by someone else? No, not at this moment, but I used to. The thing is, again, I know what kind of sources I've used. I know I'd notice something's not right.

Opening streams by accident? That asserts quite a clumsy use of either usage or understanding risks of online phishing and fraud.

I'm used to using consoles, I never have things opening automatically by clicking on links or other control widgets on websites. I expect browser interaction when clicking around pages (which may include download), but not handing over the click event over to another application, let alone starting it.

Quote
I'm not claiming the expected damage from using Winamp is huge. But you gotta think about it in a cost-benefit sense. What is the benefit of using it to you? There are so many lightweight media players which are still being actively developed, media players for which vulnerabilities and other bugs are fixed. Many inspired in their GUI by Winamp. I honestly don't see the virtues of that silly piece of legacy software called Winamp.

Cost benefit is not entirely applicable here. People do things out of habit and tradition, which makes no sense in any other value permeated universe.

You seem to have an awful lot of trust that patches and upgrades will actually "help". I'm at least about as cautious about updates as about the original software that did its job fine up until now. Things like the SSL initialization bug from OpenSSL a few years back and the recent Microsoft mishap, were entirely introduced through patches and updates, that were supposed to close security holes.

I think it's much more important not to blindly put your trust into a company's updates. They can screw up big time, and sometimes the damage is not even reversible.
Post by: ryerman on 2015-08-02 16:03:30
For those who wish to use Winamp v2.95, the developers recommend a modified installation of the latest version; v5.666 build 3516.
http://forums.winamp.com/showpost.php?p=2984799&postcount=2
The installer makes it easy to install only the parts that are desired, presumably to mimic the legacy version.

It has been reported that Radionomy will release a new Winamp version in 2016.
http://forums.winamp.com/showpost.php?p=3028376&postcount=1016