WinZip 9.0 Fixes a Security Issue with MIME-Encoded Files

WinZip 9.0, released in February 2004, contains a fix for a recently discovered security vulnerability affecting earlier versions of WinZip. The vulnerability does not affect .ZIP files; it affects the MIME-encoded files that WinZip is also able to open.

Q: What is the vulnerability that is fixed in WinZip 9.0?
A: The problem is a buffer overflow that can be triggered when an earlier version of WinZip opens a MIME-encoded file (one with an extension listed below) containing invalid data.
An attacker could attempt to use this buffer overflow to craft a file that executes code of the attacker's choice when it is opened by an earlier version of WinZip. The attacker would have to give the file one of the affected extensions and would then have to trick you into opening it, for example by sending it to you as an e-mail attachment.


Q: What types of files are affected?
A: Files with the following extensions, which are by default associated with WinZip and which are used in connection with MIME-encoded data, are affected: .MIM, .UUE, .UU, .B64, .BHX, .HQX, and .XXE.
Other filetypes associated with WinZip, such as .ZIP, .TAR, and .CAB, are not affected.

Any file whose extension begins with the letters .UU could also be affected, although with the exception of the .UU and .UUE extensions, these files would not normally be associated with WinZip and are therefore not likely to be opened by WinZip.

Merely including files with one of the affected extensions within a ZIP archive, or extracting files with these extensions from a ZIP archive, will not cause a problem. Instead, an invalid file with one of these extensions must be directly opened by WinZip; this would normally happen only if you double-click on an invalid file having an extension of .MIM, .B64, .BHX, .HQX, .XXE, .UU, or .UUE.


Q: Should I upgrade to WinZip 9.0?

A: We recommend that all WinZip users upgrade to WinZip 9.0, which includes a fix for the problem.
All registered users of earlier English language versions of WinZip are eligible to download a FREE upgrade to WinZip 9.0.


Q: What older versions of WinZip are affected?
A: This issue affects all versions of WinZip from WinZip 6.2 up to and including WinZip 8.1 and WinZip 8.1 SR-1. Beta test versions of WinZip 9.0 should also be upgraded. The first version of WinZip in which the problem is corrected is WinZip 9.0, released in February 2004.


Q: If I continue to use an earlier version of WinZip, are there any steps I can take to protect myself from this problem?
A: While we recommend that all WinZip users upgrade to WinZip 9.0, there are two steps that can be taken on systems that continue to use older versions of WinZip:
The most likely way for you to receive a malicious file would be as an e-mail attachment, so you should be extremely wary about opening e-mail attachments with any of the affected extensions that come from an untrusted source or that you are not expecting. Of course, you should exercise similar caution with any unexpected e-mail attachment, regardless of its extension. A malicious file could also be delivered via links on a malicious web site or via P2P file-sharing software.

WinZip is normally associated with several MIME-related filetypes, and double-clicking on files with these extensions will normally invoke WinZip. By removing WinZip's association with these filetypes, you can avoid the possibility of double-clicking on a malicious file and triggering the problem. Note that this only closes the double-click path: a file with one of these extensions that is opened from within WinZip itself (for example via its own Open dialog) is still directly opened by WinZip and can still trigger the problem.
To remove the associations, open your copy of WinZip and select Configuration from the Options menu. From the Configuration dialog box, click on the System tab and then on the Associations... button. You will see a list of the filetypes that WinZip is associated with; uncheck the boxes next to the .B64, .BHX, .HQX, .MIM, .UUE, .UU, and .XXE filetypes, and then click OK.
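Both of the steps above (treating attachments with the affected extensions as suspect, and checking which of those extensions are still associated with WinZip) can be checked with a script. The following Python program is an added example written for this page; it is not WinZip's or iDEFENSE's code. It scans a constructed sample e-mail for attachments whose extension falls into the affected set, applying the rule from the earlier answer that any extension beginning with .UU may also be affected, and on Windows it reads HKEY_CLASSES_ROOT to list affected extensions whose ProgID still points at WinZip. The sample message, the function names, and the assumption that WinZip's ProgID contains the string "WinZip" are assumptions made here, not facts stated by the advisory; review the ProgIDs the script reports rather than trusting that match blindly.

```python
"""Added example for this advisory (not WinZip's or iDEFENSE's code).

Flags e-mail attachments and Windows file associations that fall into the
extension set the advisory describes as affected in WinZip before 9.0.
"""
import email
import email.policy
import os
import sys

# The seven extensions the advisory lists as affected (compared case-insensitively).
AFFECTED_EXTENSIONS = {".mim", ".uue", ".uu", ".b64", ".bhx", ".hqx", ".xxe"}


def extension_is_affected(ext: str) -> bool:
    """True for a listed extension or, per the advisory, any extension beginning with .UU."""
    ext = ext.lower()
    return ext in AFFECTED_EXTENSIONS or ext.startswith(".uu")


def filename_is_affected(filename: str) -> bool:
    """Decide on the final extension only, which is what the Windows shell uses."""
    return extension_is_affected(os.path.splitext(filename)[1])


def affected_attachments(raw_message: bytes) -> list:
    """Return the filenames of attachments in a raw RFC 822 message that would be
    routed to WinZip's affected MIME handling if double-clicked."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # from Content-Disposition or Content-Type
        if name and filename_is_affected(name):
            hits.append(name)
    return hits


def affected_winzip_associations(assoc: dict) -> list:
    """Given {extension: ProgID} as read from HKEY_CLASSES_ROOT, return the affected
    extensions still bound to WinZip.

    Assumption (not stated by the advisory): WinZip's ProgID contains "winzip".
    """
    return sorted(ext for ext, progid in assoc.items()
                  if extension_is_affected(ext) and "winzip" in progid.lower())


def read_hkcr_associations() -> dict:
    """Windows only: map every extension key under HKEY_CLASSES_ROOT to its default
    value, which is the ProgID the shell opens that extension with."""
    import winreg  # only available on Windows
    assoc = {}
    index = 0
    while True:
        try:
            name = winreg.EnumKey(winreg.HKEY_CLASSES_ROOT, index)
        except OSError:  # no more subkeys
            break
        index += 1
        if name.startswith("."):
            try:
                assoc[name] = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, name)
            except OSError:  # extension key without a default value
                pass
    return assoc


# Constructed sample message: one harmless .zip, one .UUE, one .uux (matches the .UU* rule).
SAMPLE_MESSAGE = b"""\
From: sender@example.com
To: user@example.com
Subject: files
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream; name="report.zip"
Content-Disposition: attachment; filename="report.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="photo.UUE"
Content-Transfer-Encoding: base64

YmVnaW4gNjQ0IHBob3RvLmpwZwo=
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="notes.txt.uux"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

if __name__ == "__main__":
    print("affected attachments:", affected_attachments(SAMPLE_MESSAGE))
    if sys.platform == "win32":
        print("affected extensions still bound to WinZip:",
              affected_winzip_associations(read_hkcr_associations()))
```

On the sample message the scan reports photo.UUE and notes.txt.uux and ignores report.zip. On a Windows host the association check reads the live registry; run it after unchecking the associations in WinZip's Configuration dialog to confirm that none of the affected extensions still resolve to WinZip.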
Source: http://www.winzip.com/fmwz90.htm
iDEFENSE Vulnerabilities Bulletin