Vulnerability in WinZip Could Compromise Security

Security experts reported Friday that older versions of the popular Windows file-compression program have a buffer-overflow vulnerability that an attacker could use to compromise a system.

Security analysts on Friday reported that versions of the popular ZIP file management program WinZip have a serious security flaw.

According to security intelligence firm iDefense Inc., an error in the parameter parsing code in these versions "allows remote attackers to execute arbitrary code."

The attacker would have to construct a specially designed MIME archive (with one of .mim, .uue, .uu, .b64, .bhx, .hqx and .xxe extensions) and distribute the file to users, the company explained.

Once opened, the attack would trick WinZip into executing code contained in the attacking file. iDefense said it had a functioning proof-of-concept attack demonstrating the problem.

The malicious file could be distributed by e-mail, on a Web page, or through peer-to-peer networks.

Files handled by WinZip are not normally executable, so many users are less-hesitant to launch them, even when they come from unknown sources. This problem makes those files much more inherently dangerous.

According to iDefense, versions 7 and 8, as well as the latest beta of WinZip 9 are vulnerable to this attack. However, the released Version 9 of WinZip is not vulnerable.

In addition to upgrading, users can prevent an attack by turning off automatic handling of these file types by WinZip in Windows Explorer. In Windows XP, choose Tools-Folder Options, select the File Types tab, scroll down to the appropriate file types, and either delete them or reassign file handling to another program.

Meanwhile, security experts advised users to be suspicious of these file types, as they are not widely used.

/zimages/1/28571.gifCheck out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.