A pair of security holes in the popular WinZip file compression
program could put users at risk of buffer overflow attacks, the company
warned Thursday.
WinZip Computing, which markets the Windows utility used to zip and
unzip files for storage and archiving, released version 9.0 Service
Release 1 (SR-1) to correct the flaws and warned that attackers could
launch buffer overflow attacks to hijack vulnerable systems.
“As of the release of WinZip 9.0 SR-1, WinZip Computing was not aware
that any of these vulnerabilities had been publicly described or
exploited,” the company said in an advisory posted on its home
page.
The company has also modified the way the program works to display
caution messages in some situations, such as when a user double-clicks
on an .EXE file compressed within a Zip file. WinZip will now issue a
warning that a file type could potentially contain a virus. “WinZip
users who frequently need to work with the file types involved can
easily turn the caution messages off,” the company said.
Security alert clearinghouse Secunia rates the vulnerabilities as
“highly critical” and recommended that users upgrade to WinZip 9.0.
The company has also added support for 128- and 256-bit key AES
encryption, which provides more cryptographic security than the
traditional Zip 2.0 encryption method used in earlier WinZip versions.
