WinZip Launches ‘Build 7245’ to Fix Flaw
Version 10 of WinZip, the compression software for Windows, installs an ActiveX module on the system. Unfortunately, the module has a security hole: when a user visits a specially crafted website, the site can compromise the user's computer.
Danish vulnerability tracker Secunia posted a warning on November 15, 2006 confirming a "highly critical" flaw in the FileView ActiveX control that WinZip uses. A malicious website can exploit the vulnerability to compromise the PC, which enables an attacker to install badware such as a backdoor Trojan or spyware on the computer.
When the ActiveX control is installed, it is marked "safe for scripting", which tells Internet Explorer to load it whenever a website requests it. In addition, a boundary error in the FileView ActiveX control's handling of the "File pattern" property can be exploited to cause a buffer overflow.
WinZip has issued an updated build of version 10 (build 7245) that fixes the vulnerability. The new build can be downloaded from the WinZip website. Earlier editions of the utility, such as WinZip 9, are unaffected by the bug.
According to the announcement, there are no known exploits. Even so, Secunia strongly recommends that WinZip 10.0 users upgrade to build 7245 because of the vulnerability's critical nature. Registered users of WinZip 10.0 Standard and Pro can download WinZip 10.0 build 7245 free of charge. Earlier versions of WinZip are not affected by this flaw.
Coincidentally, WinZip Computing Unit has recently upgraded its well-known WinZip compression utility to version 11.0. The new version adds thumbnail images for digital photos as well as support for the RAR file format.
The more expensive and more extensive Pro version bundles enhancements to the utility's wizard, which works on the user's behalf during data compression. For example, WinZip 11.0 will automatically e-mail a Zip archive that it creates.
With this, users no longer have to select a specific compression method when compressing data. They can simply choose the "best compression" method, which adapts to the nature of the file.
» SPAMfighter News - 21-11-2006