I get back and you know what hits the fan. Third day back and low and behold, a security vulnerability is discovered within Winamp. To top it off, the security firm which discovered the exploit didn't warn us in advance, leaving millions of Winamp players vulnerable without a fix.
The exploit was accomplished by using Winamp as a Trojan horse for a vulnerability in Internet Explorer. Basically, someone could write a Winamp skin that uses the Browser function of the engine to create a browser window within the Skin. They then basically use this browser window to launch an executable application bundled within the Skin. To make things worse, Winamp installs and launches a skin without any confirmation.
Unfortunately, there was already someone using this exploit to spread a worm. These clever buggers created a specifically crafted web page URL that looks like an image. When the user goes to it, it really just installs this malicious skin that installs some application onto the users machine. If the user happens to be on IRC with mIRC at the moment, it then sends a message to everyone in the channel with the URL of the Trojan image.
Today, we released Winamp 5.05 that patched this exploit and added an additional layer of security around skins.
What a nightmare.