silversurfer
The server-client communication in certain versions of the WinZip file compression tool is insecure and could be modified to serve malware or fraudulent content to users.
WinZip is currently at version 25 but earlier releases check the server for updates over an unencrypted connection, a weakness that could be exploited by a malicious actor.
Martin Rakhmanov of Trustwave SpiderLabs, the researcher who reported the issue, captured the traffic from a vulnerable version of the tool to show the unencrypted communication.
With the release of WinZip 25, cleartext communication no longer occurs. Users are advised to upgrade to the latest version of the application.
Many users may not jump at getting the current release, though, because upgrades are paid. The standard WinZip costs $35.64 and the Pro edition is $59.44.
If upgrading the software is not an option, users are advised to disable update checks. This will stop the client from querying the WinZip server for the availability of a new version.
Hackers can use WinZip insecure server connection to drop malware
www.bleepingcomputer.com
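What the article describes, reduced to a runnable illustration (added example; this is not WinZip's code, and nothing here is the actual WinZip protocol). The update manifest, the on-path attacker function and the version strings are constructed. The vulnerable client trusts an unauthenticated cleartext response, so an on-path attacker can point it at a malware download; the hardened client only acts on a manifest whose integrity it can verify and refuses non-HTTPS download URLs. The HMAC check is a stand-in for dependency-free illustration only: a shared secret shipped in a client binary is not a sound design, and a real fix is transport security (as WinZip 25 does) or a public-key signature over the manifest.

```python
import hashlib
import hmac
import json

# Constructed manifest standing in for whatever the real update server returns.
GENUINE_MANIFEST = {"latest": "25.0", "download": "https://vendor.example/winzip25.exe"}


def version_tuple(v):
    """'25.0' -> (25, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def serve_plaintext(manifest):
    """Server side of the vulnerable design: the manifest goes out as a bare,
    unauthenticated HTTP body."""
    return json.dumps(manifest).encode()


def on_path_attacker(body):
    """Anyone on the path of a cleartext request can rewrite the response.
    Here the version is bumped so the client believes an update is pending
    and the download URL is swapped for an attacker-controlled host."""
    m = json.loads(body)
    m["latest"] = "99.0"
    m["download"] = "http://attacker.example/update.exe"
    return json.dumps(m).encode()


def naive_client(body, installed="24.0"):
    """Vulnerable client: believes whatever arrives and returns the URL it
    would fetch and run, or None if no update is offered."""
    m = json.loads(body)
    if version_tuple(m["latest"]) > version_tuple(installed):
        return m["download"]
    return None


# Hardened variant: authenticate the manifest before acting on it.
# ASSUMPTION for the demo: a symmetric key. Do not copy this into a product;
# use TLS and/or an asymmetric signature the client verifies with a public key.
DEMO_KEY = b"constructed-demo-key"


def serve_signed(manifest):
    """Emit the manifest followed by an HMAC-SHA256 tag on its exact bytes."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(DEMO_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def hardened_client(blob, installed="24.0"):
    """Verify the tag in constant time, then refuse cleartext download URLs
    even if the manifest itself checks out."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(DEMO_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("manifest failed integrity check")
    m = json.loads(body)
    url = m["download"]
    if not url.startswith("https://"):
        raise ValueError("refusing non-HTTPS download URL")
    if version_tuple(m["latest"]) > version_tuple(installed):
        return url
    return None


def attacker_on_signed(blob):
    """Same tampering against the signed manifest: the body changes, the tag
    no longer matches, and the hardened client rejects it."""
    body, _, tag = blob.rpartition(b"\n")
    return on_path_attacker(body) + b"\n" + tag


def demo():
    """Returns (what the vulnerable client would download, how the hardened
    client reacts to the same tampering)."""
    vulnerable = naive_client(on_path_attacker(serve_plaintext(GENUINE_MANIFEST)))
    try:
        hardened_client(attacker_on_signed(serve_signed(GENUINE_MANIFEST)))
        hardened = "accepted"
    except ValueError as exc:
        hardened = str(exc)
    return vulnerable, hardened


if __name__ == "__main__":
    print(demo())
```

Run as-is: the vulnerable client returns the attacker's URL, the hardened client raises on the integrity check. The HTTPS-only rule on the download URL is a separate control from the tag check; it matters because a signed manifest that still points at a cleartext download would move the same problem one hop later.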