Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Critical security vulnerability in WinZip 10 - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Critical security vulnerability in WinZip 10
WinZip Computing released a new build of WinZip 10 that fixes a critical security vulnerability in this popular ZIP program.

The vulnerability exists in an ActiveX component that is shipped with WinZip 10 only (so if you are running previous versions of WinZip you are not affected by this vulnerability). This ActiveX component is marked safe for scripting which means that a remote attacker can exploit it if you visit a web page hosting the exploit.

Build 7245 of WinZip 10 is available at http://www.winzip.com/wz7245.htm. If you, for some reason, can not upgrade, you should disable the affected ActiveX control (WZFILEVIEW.FileViewCtrl.61) ? its CLSID is A09AE68F-B14D-43ED-B713-BA413F034904.

I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Riyadh April 2019

Bojan

376 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!