Internet users are at risk from a previously undiscovered flaw in the popular WinAmp media player, which attackers are actively using to spread malicious code on Windows desktops, according to security researchers.

A problem in the way WinAmp handles "skins" - used to customise the appearance of the application - means attackers can use a specially-crafted skin file to execute code on any PC with WinAmp installed. In Internet Explorer, users merely need to visit a malicious Web site for the code to be automatically downloaded and executed, according to an advisory by French security firm K-Otik.

While not as widely used as Windows Media Player or RealPlayer, WinAmp has an installed base of several million, including on corporate desktops, according to the company. The vulnerability has been confirmed on a fully-patched Windows system with WinAmp 5.04 using Internet Explorer 6.0 on Microsoft Windows XP SP1, said Danish security firm Secunia in its own warning.

Version 5.04 is a month old, having been released on 28 July. Earlier versions of WinAmp 5.x and 3.x are also vulnerable, K-Otik said.

The bug is particularly dangerous because it is already being exploited before the software vendor has had a chance to patch, making it what is known as a "zero-day" exploit. In June, organised criminals managed to spread malicious code to many Windows desktops via zero-day flaws in Microsoft's Internet Information Services (IIS) server and Internet Explorer browser, in an attempt to steal financial information from users of banking sites, security experts said.

K-Otik said it has been receiving reports of exploits in the wild since late July, but initially thought the problem was in Internet Explorer. "This exploit has been used in compromising machines via IRC (Internet Relay Chat) channels (spreading links to) malicious Web sites, which installed trojans and spyware," K-Otik said.

However, an exploit could be carried out via any method of luring users to a Web address, the company said. Exploitation is carried out through a Web page pointing to a malicious skin file (.wsz or .wal) which, once automatically downloaded, launches an XML document capable of executing programs in Windows' "local computer zone", bypassing the greater security restrictions on the "Internet zone".

America Online has said it is aware of the bug, but has not yet released a fix. In the absence of a patch, Secunia and K-Otik both recommended switching to another product.