RealTime IT News

WinZip Zaps Buffer Overflow Flaws

A pair of security holes in the popular WinZip file compression program could put users at risk of buffer overflow attacks, the company warned Thursday.

WinZip Computing, which markets the Windows utility used to zip and unzip files for storage and archiving, released version 9.0 Service Release 1 (SR-1) to correct the flaws and warned that attackers could launch buffer overflow attacks to hijack vulnerable systems.

"As of the release of WinZip 9.0 SR-1, WinZip Computing was not aware that any of these vulnerabilities had been publicly described or exploited," the company said in an advisory posted on its home page.

The company has also modified the way the program works to display caution messages in some situations, such as when a user double-clicks on an .EXE file compressed within a Zip file. WinZip will now issue a warning that a file type could potentially contain a virus. "WinZip users who frequently need to work with the file types involved can easily turn the caution messages off," the company said.

Security alert clearinghouse Secunia rated the vulnerabilities as "highly critical" and recommended that users upgrade to WinZip 9.0.

The company has also added support for 128- and 256-bit key AES encryption, which provides more cryptographic security than the traditional Zip 2.0 encryption method used in earlier WinZip versions.
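As an added, defender-side example (not WinZip's code and not part of the article), the following Python script reads a Zip archive's central directory and reports, per entry, whether it is unencrypted, protected only by the legacy Zip 2.0 ("ZipCrypto") scheme, or protected with WinZip's AES format, which is signalled by compression method 99 plus an extra field with header ID 0x9901 whose strength byte is 1, 2 or 3 for 128-, 192- and 256-bit keys. The sample central-directory entries are constructed inline and the function names are my own; such an audit lets an administrator find archives that still rely on the weaker Zip 2.0 encryption.

```python
import io
import struct
import zipfile

# Central-directory file header signature, "PK\x01\x02".
CENTRAL_SIG = 0x02014B50
# WinZip AES (AE-x) extra-field header ID and the compression method it uses.
AES_EXTRA_ID = 0x9901
AES_METHOD = 99
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}
CD_HEADER = "<IHHHHHHIIIHHHHHII"   # 46-byte central-directory file header
EOCD_HEADER = "<IHHHHIIH"          # 22-byte end-of-central-directory record


def classify_entry(flag_bits, method, extra):
    """Label one entry: 'none', 'ZipCrypto' (legacy Zip 2.0) or 'AES-<bits>'."""
    if not flag_bits & 0x0001:          # general-purpose bit 0 = entry is encrypted
        return "none"
    pos = 0
    while pos + 4 <= len(extra):        # extra fields: id(2) size(2) data(size)
        eid, size = struct.unpack_from("<HH", extra, pos)
        data = extra[pos + 4:pos + 4 + size]
        if eid == AES_EXTRA_ID and method == AES_METHOD and len(data) >= 7:
            _version, vendor, strength, _real_method = struct.unpack_from("<H2sBH", data)
            if vendor == b"AE":
                return AES_STRENGTH.get(strength, "AES-unknown")
        pos += 4 + size
    return "ZipCrypto"                  # encrypted but no AE-x field: Zip 2.0 scheme


def scan_central_directory(cd):
    """Return [(filename, label)] for every entry in a central-directory blob."""
    results, pos = [], 0
    while pos + 46 <= len(cd):
        f = struct.unpack_from(CD_HEADER, cd, pos)
        if f[0] != CENTRAL_SIG:
            break
        flag_bits, method = f[3], f[4]
        name_len, extra_len, comment_len = f[10], f[11], f[12]
        pos += 46
        name = cd[pos:pos + name_len].decode("cp437", "replace")
        pos += name_len
        extra = cd[pos:pos + extra_len]
        pos += extra_len + comment_len
        results.append((name, classify_entry(flag_bits, method, extra)))
    return results


def central_directory_of(archive):
    """Locate the central directory of a whole .zip image via its EOCD record."""
    eocd = archive.rfind(b"PK\x05\x06")
    if eocd < 0 or eocd + 22 > len(archive):
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, _, cd_size, cd_offset, _ = struct.unpack_from(EOCD_HEADER, archive, eocd)
    return archive[cd_offset:cd_offset + cd_size]


def weak_entries(cd):
    """Names of entries still protected only by the legacy Zip 2.0 scheme."""
    return [n for n, label in scan_central_directory(cd) if label == "ZipCrypto"]


# --- constructed sample data (not a real WinZip archive) -------------------
def _cd_entry(name, flag_bits, method, extra=b""):
    name_b = name.encode("ascii")
    hdr = struct.pack(CD_HEADER, CENTRAL_SIG, 20, 20, flag_bits, method,
                      0, 0, 0, 0, 0, len(name_b), len(extra), 0, 0, 0, 0, 0)
    return hdr + name_b + extra


def _aes_extra(strength, real_method=8):
    data = struct.pack("<H2sBH", 2, b"AE", strength, real_method)  # AE-2, deflate inside
    return struct.pack("<HH", AES_EXTRA_ID, len(data)) + data


SAMPLE_CD = (_cd_entry("readme.txt", 0x0000, 8)
             + _cd_entry("legacy.doc", 0x0001, 8)
             + _cd_entry("secret.pdf", 0x0001, AES_METHOD, _aes_extra(3)))


def demo_real_archive():
    """Round-trip through the stdlib: an unencrypted zip scans as 'none'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.txt", "hello")
    return scan_central_directory(central_directory_of(buf.getvalue()))


if __name__ == "__main__":
    for name, label in scan_central_directory(SAMPLE_CD):
        print(f"{name:12} {label}")
    print("weak:", weak_entries(SAMPLE_CD))
    print(demo_real_archive())
```

To audit a file on disk, pass its bytes to `central_directory_of` and feed the result to `weak_entries`; entries labelled `ZipCrypto` are the ones a migration to AES-encrypted archives should target.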