Quantcast
Subscribe to magazine

WinZip Warns of Security Flaws

Users of the popular compression tool should upgrade their software, company says.

Matthew Broersma, Techworld.com

  • 0 Yes
  • 0 No

Windows clients running the popular WinZip application are at risk from a number of critical security flaws, according to WinZip Computing and security researchers.

The compression/decompression tool is one of the most widely used pieces of software on the Windows platform.

WinZip versions 3.x, 6.x, 7.x, 8.x, and 9.x contain vulnerabilities that could allow an attacker to execute malicious code on a Windows PC, the vendor warns. In an advisory this week, Danish security firm Secunia gives the bugs a "highly critical" rating, the fourth-highest out of its five severity levels.

While no exploits are known to be circulating, the wide deployment of WinZip makes the vulnerabilities important to patch immediately, WinZip says. Users of older WinZip versions must upgrade to version 9.x in order to get the fix, which is contained in WinZip 9.0 Service Release 1 (SR1). "WinZip Computing recommends that all WinZip users upgrade to WinZip 9.0 SR1 to avoid the possibility of future exploitation of these vulnerabilities," the company says.

Few Details Available

The company disclosed few details about the vulnerabilities, which it says were detected in the course of internal review and testing. Previous versions of WinZip contain potential buffer overflows which could allow an attacker to execute malicious code, according to WinZip and Secunia.

In addition, the update fixes a security hole reported to WinZip by an undisclosed user, which could allow an attacker to take over a system by sending a specially-crafted invalid input at the WinZip command line. The command line bug could probably only be exploited on a system whose security had already been compromised in some other way, the company says.

"As of the release of WinZip 9.0 SR1, WinZip Computing was not aware that any of these vulnerabilities had been publicly described or exploited," the company says.

Taking its cue from Microsoft's security-oriented Windows XP Service Pack 2, the WinZip update adds warning messages in situations where the user could be in danger of launching a virus, such as when a user double-clicks on a .exe file compressed within a Zip file.

Late last month, security experts warned of a serious flaw in WinAmp, another popular Windows client application. In that case, however, the bug was discovered only after attackers began using it to execute malicious code on users' desktops.

  • Recommend this story?
  • 0 Yes
    0 No

Print 65% more pages than with refilled inks. Trust Original HP Inks. Hit Print Reliably.

Featured APC Accessories For Your System
10% Off Entire Cart at Online Store

  • APC Back-UPS ES Safeguards your equipment from damaging surges and spikes that travel along your utility & data lines.
  • APC SurgeArrest Performance Highest level of protection for your professional computers, electronics and connected devices, as well as provides surge protection.

People who read this also read:

  • 2007 Microsoft Office Suites Comparison This paper compares and contrasts four suites of the 2007 Microsoft Office system: Microsoft Office Standard 2007, Microsoft Office Professional Plus 2007, Microsoft Office Enterprise 2007 and Microsoft Office Ultimate 2007. This paper is intended to help organizations understand the applications and capabilities offered, and to identify the suite that best fits their needs.
  • Windows Vista Migration: The Business Proposition It's not so much a matter of "if" but "when" for most organizations regarding migration to Windows Vista. Laying the groundwork now for this migration can yield higher ROI than waiting until later. This Computerworld Technology Briefing explains it all.

PC World's Marketplace