Security Hole : Winzip follows the fashion
Results 1 to 7 of 7

Thread: Security Hole : Winzip follows the fashion

  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001

    Security Hole : Winzip follows the fashion

    WinZip 9.0 Fixes a Security Issue with MIME-Encoded Files

    WinZip 9.0, released in February 2004, contains a fix for a recently-discovered security vulnerability affecting earlier versions of WinZip. The vulnerability does not affect .ZIP files. Instead, it affects the MIME-encoded files that WinZip is also able to work with.

    Q: What is the vulnerability that is fixed in WinZip 9.0?
    A: The problem involves a buffer overflow that can be triggered by invalid data in a MIME-encoded file, with one of the extensions listed below, that is opened by earlier versions of WinZip.
    An attacker could attempt to use this buffer overflow to create a file that would execute malicious code of their choice when the file was opened by an earlier version of WinZip. The attacker would have to give the file one of the affected extensions, and would then have to trick you into opening the file, for example by sending it to you as an e-mail attachment.

    Q: What types of files are affected?
    A: Files with the following extensions, which are by default associated with WinZip and which are used in connection with MIME-encoded data, are affected: .MIM, .UUE, .UU, .B64, .BHX, .HQX, and .XXE.
    Other filetypes associated with WinZip, such as .ZIP, .TAR, and .CAB, are not affected.

    Any file whose extension begins with the letters .UU could also be affected, although with the exception of the .UU and .UUE extensions, these files would not normally be associated with WinZip and are therefore not likely to be opened by WinZip.

    Merely including files with one of the affected extensions within a ZIP archive, or extracting files with these extensions from a ZIP archive, will not cause a problem. Instead, an invalid file with one of these extensions must be directly opened by WinZip; this would normally happen only if you double-click on an invalid file having an extension of .MIM, .B64, .BHX, .HQX, .XXE, .UU, or .UUE.

    Q: Should I upgrade to WinZip 9.0?

    A: We recommend that all WinZip users upgrade to WinZip 9.0, which includes a fix for the problem.
    All registered users of earlier English language versions of WinZip are eligible to download a FREE upgrade to WinZip 9.0.

    Q: What older versions of WinZip are affected?
    A: This issue affects all earlier versions of WinZip since WinZip 6.2, including WinZip 8.1 and WinZip 8.1 SR-1. Beta test versions of WinZip 9.0 should also be upgraded. The first version of WinZip in which the problem is corrected is WinZip 9.0, released in February, 2004.

    Q: If I continue to use an earlier version of WinZip, are there any steps I can take to protect myself from this problem?
    A: While we recommend that all WinZip users upgrade to WinZip 9.0, there are two steps that could be taken on systems that continue to use older versions of WinZip:
    The most likely way for you to receive an infected file would be as an e-mail attachment. So you should be extremely wary about opening e-mail attachments with any of the affected extensions that come from an untrusted source or that you are not expecting. Of course, you should exercise similar caution with any unexpected e-mail attachment, regardless of its extension. Other possible ways that an infected file could be propagated could be via links at a malicious web site, or via P2P file-sharing software.

    WinZip is normally associated with several MIME-related filetypes, and double-clicking on files with these extensions will normally invoke WinZip. By removing WinZip's association with these file types, you can avoid the possibility of double-clicking on an infected file and triggering a problem.
    To remove the associations, open your copy of WinZip and select Configuration from the Options menu. From the Configuration dialog box, click on the System tab and then on the Associations... button. You will see a list of the filetypes that WinZip is associated with - uncheck the boxes next to the .B64, .BHX, .HQX, .MIM, .UUE, .UU, and .XXE filetypes, and then click OK.
    Source :
    iDEFENSE Vulnerabilities Bulletin
    -Simon \"SDK\"

  2. #2
    Join Date
    Feb 2004
    Ahh yes, precedded by hundreds of Microsux Security Holes, just one more to add to my list. *sigh*

  3. #3
    Senior Member Info Tech Geek's Avatar
    Join Date
    Jan 2003
    Vernon, CT
    I have been using WinRAR and I have found just recently that a lot of the files I have been receiving are also in .rar format. When did this trend start?

  4. #4
    AO French Antique News Whore
    Join Date
    Aug 2001
    Winrar 3.30 is a lot slower to encode file that Winzip in the zip format. PM if you want the article.
    -Simon \"SDK\"

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002

    Thank you for your glittering input...... I was dazzled by your depth of knowledge.... incredible....

    For your next project please _secure_ a windows server..... It's easier than you think......

    Then come back and dazzle us again..... I'll be fascinated by your findings......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington

    Please have a look at Scrip Trap, AnalogX "Script Defender" and MobiousWare's MoOutlook Security.

    The last product is particularly interesting as it addresses the WinZip weakness that I noticed back in the days of Win3.1x (sometimes being old has its advantages ...........I think?...)

    If someone will deliberately download a file, save it to a local drive, then run fire them...............end of story?

    Please do not take such a negative view on life.........after all, that is not what we are paid for?, and there ARE solutions if you are prepared to either research or invent them?

    BTW.......try my security tutorials then have a look at the "tools" sticky thread in miscellaneous security discussions..........check out some of the stuff suggested ain't all that bad......................honest


  7. #7
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Yes when microsoft comes out with a fix for Social engineering and stupidity.. I will use their products..
    hmmm toot toot toot..

    I hate windows because it is unstable, you need to restart for almost any reason, it crashes just because a gnat farted nearby.. I will not touch another Misrocoft product untill they fix Windows 2.1
    I realy hate Bill Gates.. Its because of him my wife left me and left me all the bills, the car died, the dog's sick. the boss sacked me.. weather is bad.. the dog bit me.. me computer's hdd died, yep its that bastard bill gates he did it
    give me a minute and I will pick on Linus torvalds as well, gotta balance this out

    that would be the dopiest comments I ever repeated (and jeez I can't spell..)

    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts