WinZip Warns of Security Flaws

Dom · Sep 2, 2004, 09:33 PM

Windows clients running the popular WinZip application are at risk from a number of critical security flaws, according to WinZip Computing and security researchers.

The compression/decompression tool is one of the most widely used pieces of software on the Windows platform.

WinZip versions 3.x, 6.x, 7.x, 8.x, and 9.x contain vulnerabilities that could allow an attacker to execute malicious code on a Windows PC, the vendor warns. In an advisory this week, Danish security firm Secunia gives the bugs a "highly critical" rating, the fourth-highest out of its five severity levels.

While no exploits are known to be circulating, the wide deployment of WinZip makes the vulnerabilities important to patch immediately, WinZip says. Users of older WinZip versions must upgrade to version 9.x in order to get the fix, which is contained in WinZip 9.0 Service Release 1 (SR1). "WinZip Computing recommends that all WinZip users upgrade to WinZip 9.0 SR1 to avoid the possibility of future exploitation of these vulnerabilities," the company says.

Read More...

______________________
Source: PCWorld

Chubby_C · Sep 3, 2004, 02:04 AM

Its pretty bad when compression utilities even pose security risks.
Although I haven't used winzip in quite a few years, I stick with winrar.
Not too sure, but I don't think I'm alone in this either.

Matth · Sep 3, 2004, 06:35 PM

The question is, is this peculiar to Winzip, or do they use the same libraries as other programs for the Zip/Unzip function ?

If the vulnerability is also present in the generic "Info-Zip" libraries that many others use, this could be major - on the other hand, if this is specific to Winzip, and they don't make a free upgrade available for older versions, then it's time to explore the many free programs that are as good or better.

OMG! - Surely it isn't THIS http://www.gzip.org/zlib/advisory-2002-03-11.txt

PangingJr · Sep 3, 2004, 07:08 PM

Vulnerability in WinZip Could Compromise Security - http://www.eweek.com/article2/0,4149,1540280,00.asp

Quote:

The attacker would have to construct a specially designed MIME archive (with one of .mim, .uue, .uu, .b64, .bhx, .hqx and .xxe extensions) and distribute the file to users,

Quote:

According to iDefense, versions 7 and 8, as well as the latest beta of WinZip 9 are vulnerable to this attack. However, the released Version 9 of WinZip is not vulnerable.

In addition to upgrading, users can prevent an attack by turning off automatic handling of these file types by WinZip in Windows Explorer. In Windows XP, choose Tools-Folder Options, select the File Types tab, scroll down to the appropriate file types, and either delete them or reassign file handling to another program.

Sep 2, 2004, 09:33 PM	#1
Dom DriverHeaven Extreme Member Join Date: Jun 2002 Posts: 12,940 Rep Power: 0	WinZip Warns of Security Flaws Windows clients running the popular WinZip application are at risk from a number of critical security flaws, according to WinZip Computing and security researchers. The compression/decompression tool is one of the most widely used pieces of software on the Windows platform. WinZip versions 3.x, 6.x, 7.x, 8.x, and 9.x contain vulnerabilities that could allow an attacker to execute malicious code on a Windows PC, the vendor warns. In an advisory this week, Danish security firm Secunia gives the bugs a "highly critical" rating, the fourth-highest out of its five severity levels. While no exploits are known to be circulating, the wide deployment of WinZip makes the vulnerabilities important to patch immediately, WinZip says. Users of older WinZip versions must upgrade to version 9.x in order to get the fix, which is contained in WinZip 9.0 Service Release 1 (SR1). "WinZip Computing recommends that all WinZip users upgrade to WinZip 9.0 SR1 to avoid the possibility of future exploitation of these vulnerabilities," the company says. Read More... ______________________ Source: PCWorld

Sep 3, 2004, 06:35 PM	#3
Matth Flash Banner Hater Join Date: Jun 2002 Location: UK Posts: 3,426 Rep Power: 93 System Specs	The question is, is this peculiar to Winzip, or do they use the same libraries as other programs for the Zip/Unzip function ? If the vulnerability is also present in the generic "Info-Zip" libraries that many others use, this could be major - on the other hand, if this is specific to Winzip, and they don't make a free upgrade available for older versions, then it's time to explore the many free programs that are as good or better. OMG! - Surely it isn't THIS http://www.gzip.org/zlib/advisory-2002-03-11.txt Last edited by Matth; Sep 3, 2004 at 06:49 PM.

Sep 3, 2004, 02:04 AM	#2
Chubby_C Working away at ATI Join Date: Apr 2004 Location: Ontario, Canada Posts: 251 Rep Power: 0	Its pretty bad when compression utilities even pose security risks. Although I haven't used winzip in quite a few years, I stick with winrar. Not too sure, but I don't think I'm alone in this either.