13 September 2004
Earlier this month, several flaws were disclosed in the popular WinZip archiver. One of the buffer overflows could be exploited by remote or local attackers who are able to supply WinZip with a specially crafted command line, resulting in arbitrary code execution. Further buffer overflow conditions were found by WinZip's own developers while reviewing their code. All of these flaws are fixed in the new release, WinZip 9.0 SR-1.
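To show the class of bug described above (an over-long command-line argument overrunning a fixed-size buffer) next to its fix, here is an added example in C. It is illustrative code written for this page, not WinZip's code, and the buffer size, function names and sample argument are assumptions: no detail of the actual WinZip flaw is reproduced.

```c
#include <stdio.h>
#include <string.h>

#define ARG_BUF_SIZE 64  /* assumed size of a fixed command-line scratch buffer */

/*
 * Vulnerable pattern: the argument is copied into a fixed-size stack buffer
 * with no length check. An argument longer than ARG_BUF_SIZE - 1 bytes
 * overwrites whatever lies beyond the buffer (saved registers, return
 * address), which is how an overflow in command-line parsing becomes
 * arbitrary code execution. Shown only for contrast; never call it with
 * untrusted input.
 */
static int parse_arg_unsafe(const char *arg)
{
    char buf[ARG_BUF_SIZE];
    strcpy(buf, arg);                 /* no bound: overflows if arg is long */
    return (int)strlen(buf);
}

/*
 * Hardened form: check the length against the destination first and reject
 * oversized input instead of truncating silently. Returns the number of
 * bytes copied, or -1 when the argument (plus terminator) does not fit.
 */
static int parse_arg_safe(const char *arg, char *out, size_t outsz)
{
    size_t len = strlen(arg);
    if (outsz == 0 || len >= outsz)
        return -1;                    /* would not fit including the NUL */
    memcpy(out, arg, len + 1);        /* bounded copy, includes terminator */
    return (int)len;
}

/* Demo: a constructed argument four times the buffer size must be rejected. */
static int demo_long_arg_rejected(void)
{
    char out[ARG_BUF_SIZE];
    char longarg[4 * ARG_BUF_SIZE];
    memset(longarg, 'A', sizeof longarg - 1);   /* constructed over-long input */
    longarg[sizeof longarg - 1] = '\0';
    return parse_arg_safe(longarg, out, sizeof out);   /* returns -1 */
}

/* Demo: a realistic short argument fits and is copied intact. */
static int demo_short_arg_copied(void)
{
    char out[ARG_BUF_SIZE];
    int n = parse_arg_safe("archive.zip", out, sizeof out);
    return (n == 11 && strcmp(out, "archive.zip") == 0) ? n : -2;
}

int main(void)
{
    /* The unsafe parser is only ever given input that fits here. */
    printf("short arg via unsafe parser: %d bytes\n", parse_arg_unsafe("archive.zip"));
    printf("short arg via safe parser:   %d bytes\n", demo_short_arg_copied());
    printf("long arg via safe parser:    %d (rejected)\n", demo_long_arg_rejected());
    return 0;
}
```

The point of the hardened version is that the length check happens before any byte is written, and that an argument that does not fit is refused rather than silently cut off, so a caller can fail closed instead of continuing with a mangled path.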
An equally important change in this release is that WinZip now issues a caution message when the user double-clicks a file such as an .EXE inside a compressed archive. WinZip warns that this type of file could contain a virus and asks whether the user wants to continue. This makes accidental execution of a file straight from an archive much less likely, although a user who confirms the prompt will still run the file.
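The decision behind such a prompt is a classification of the archive entry by file type. The following added C example (written for this page, not WinZip's code) implements that check: it takes the extension of the last path component, compares it case-insensitively against a list of executable and script types, and fails safe on odd names. The page mentions only .EXE; the remaining extensions in the list and the sample entry names are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * File types treated as directly executable or script content. Only .EXE is
 * named on the page; the rest of this list is an assumption for illustration,
 * not WinZip's actual list.
 */
static const char *const RISKY_EXTENSIONS[] = {
    "exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js", "hta", "msi"
};

/* Returns a pointer to the extension of the last path component (without the
 * dot), or NULL when there is none. Examples:
 *   "dir/report.txt.exe" -> "exe"   (only the final extension matters)
 *   "README"             -> NULL    (no dot)
 *   "archive."           -> NULL    (empty extension)
 *   ".exe"               -> "exe"   (treated as an extension, fail safe) */
static const char *file_extension(const char *name)
{
    const char *base = name;
    const char *p;
    for (p = name; *p; p++)
        if (*p == '/' || *p == '\\')
            base = p + 1;          /* strip any directory prefix, either separator */
    const char *dot = strrchr(base, '.');
    if (dot == NULL || dot[1] == '\0')
        return NULL;
    return dot + 1;
}

/* Returns 1 if launching this archive entry should first trigger a caution
 * prompt, 0 otherwise. The comparison is case-insensitive because Windows
 * ignores case in extensions ("setup.EXE" is as executable as "setup.exe"). */
static int needs_execution_warning(const char *name)
{
    const char *ext = file_extension(name);
    if (ext == NULL)
        return 0;
    for (size_t i = 0; i < sizeof RISKY_EXTENSIONS / sizeof RISKY_EXTENSIONS[0]; i++) {
        const char *cand = RISKY_EXTENSIONS[i];
        size_t j = 0;
        while (cand[j] && ext[j] &&
               tolower((unsigned char)cand[j]) == tolower((unsigned char)ext[j]))
            j++;
        if (cand[j] == '\0' && ext[j] == '\0')
            return 1;              /* full, case-insensitive match */
    }
    return 0;
}

int main(void)
{
    /* Constructed archive entry names, not taken from any real archive. */
    const char *entries[] = {
        "photos/holiday.jpg", "setup.EXE", "invoice.pdf.scr",
        "notes.txt", "README", "tools\\run.bat", "archive."
    };
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++)
        printf("%-22s -> %s\n", entries[i],
               needs_execution_warning(entries[i]) ? "WARN before launching"
                                                   : "open normally");
    return 0;
}
```

Two design choices are worth noting: double extensions such as "invoice.pdf.scr" are judged by the final extension, which is the one Windows actually uses to pick a handler, and an ambiguous name like ".exe" is treated as executable rather than as having no extension, so the check errs towards prompting.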
All versions prior to WinZip 9.0 SR-1 are affected. WinZip has released an upgrade that fixes these issues. Norman advises WinZip users to visit http://www.winzip.com/upgrade.htm to download and install the latest version of WinZip. Users who also run WinZip from the command line should additionally visit http://www.winzip.com/wzcl11sr1.htm to upgrade the Command Line Support Add-On.
Righard J. Zwienenberg
