
Thread: **Heads Up** WinZip Users

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    **Heads Up** WinZip Users

    Even though this isn't particularly specific in its synopsis I think that there are enough WinZip users out there to warrant a heads up....

    I got this through BugTraq this morning:-

    Date: Wed, 1 Sep 2004 07:31:24 -0400
    Subject: http://www.winzip.com/wz90sr1.htm

    WinZip reported discovering some vulnerabilities, including potential buffer overflows, during an internal review of the WinZip code. In addition, a WinZip user discovered a buffer overflow, where a local user can supply a specially crafted WinZip command line to trigger the overflow.

    A fix (9.0 SR-1) is available at:

    http://www.winzip.com/upgrade.htm

    ------------------------------------------

    I don't have more information.
    You can just check
    http://www.securitytracker.com/alert...p/1011132.html
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #2
    Senior Member OverdueSpy
    Join Date
    Nov 2002
    Posts
    556
    A little more info. From TruSecure.

    Vulnerability Description:
    WinZip 9.0 and prior contains multiple security issues that may allow a remote attacker to cause a buffer overflow and possibly execute arbitrary code.
    The first issue is due to improper validation of command line arguments. A local attacker could submit a specially crafted command line argument to overflow a buffer and possibly execute arbitrary code.
    The second issue is due to a remotely exploitable buffer. It is currently unknown how an attacker can exploit this issue to overflow the buffer and what impact it would have on the affected system.

    Impact:
    The impact of this issue is currently unknown. It is likely that a successful exploit would lead to denial of service conditions or arbitrary code execution.

    Safeguards:
    Administrators are advised to apply the patch provided by WinZip.
    Users are advised to not open archives from untrusted sources.
    Administrators are advised to restrict local access to trusted users.

    Product Sets:
    The security vulnerability applies to the following combinations of products.
    Primary Products: WinZip Computing, Inc. WinZip 6.2 | 7.0 | 8.0 | 8.1 Base, SR1 | 9.0
    The mentally handicapped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!
