Upgrade your WinZip for security's sake
eWeek is reporting that a vulnerability has been discovered in versions of the WinZip utility installed on millions of Windows workstations. The vulnerability affects versions 7 and 8 and all versions of the 9.0 beta release. The official 9.0 release, which I've written about here is not affected. So, one more good reason to upgrade if you use this essential tool.
Vulnerability in WinZip Could Compromise Security
February 27, 2004
By Larry Seltzer
Security analysts on Friday reported that versions of the popular ZIP file management program WinZip have a serious security flaw.
According to security intelligence firm iDefense Inc., an error in the parameter parsing code in these versions "allows remote attackers to execute arbitrary code."
The attacker would have to construct a specially designed MIME archive (with one of .mim, .uue, .uu, .b64, .bhx, .hqx and .xxe extensions) and distribute the file users, the company explained.
Once opened, the attack would trick WinZip into executing code contained in the attacking file. iDefense said it had a functioning proof-of-concept attack demonstrating the problem.
The malicious file could be distributed by e-mail, on a Web page, or through peer-to-peer networks.
Files handled by WinZip are not normally executable, so many users are less-hesitant to launch them, even when they come from unknown sources. This problem makes those files much more inherently dangerous.
According to iDefense, versions 7 and 8, as well as the latest beta of WinZip 9 are vulnerable to this attack. However, the released Version 9 of WinZip is not vulnerable.
In addition to upgrading, users can prevent an attack by turning off automatic handling of these file types by WinZip in Windows Explorer. In Windows XP, choose Tools-Folder Options, select the File Types tab, scroll down to the appropriate file types, and either delete them or reassign file handling to another program.
Meanwhile, security experts advised users to be suspicious of these file types, as they are not widely used.