Hackers Can Use WinZip Insecure Server Connection To Drop Malware
The server-client communication in certain versions of the WinZip file compression tool is insecure and could be modified to serve malware or fraudulent content to users.
WinZip has been a long-standing utility for Windows users with file archiving needs beyond the support built into the operating system.
Initially released almost 30 years ago, the tool now has versions for macOS, Android, and iOS, as well as an enterprise edition that adds collaboration features. According to its website, the application has more than one billion downloads.
Clear-text traffic
WinZip is currently at version 25, but earlier releases check the server for updates over an unencrypted connection, a weakness that could be exploited by a malicious actor.
Martin Rakhmanov of Trustwave SpiderLabs captured the traffic from a vulnerable version of the tool to show the unencrypted communication.
Given the insecure nature of the communication channel, Rakhmanov says that the traffic can be “grabbed, manipulated, or hijacked” by an attacker on the same network as the WinZip user.
One risk stemming from this action is DNS poisoning, which tricks the application into retrieving a fake update from a malicious web server.
“As a result, unsuspecting user can launch arbitrary code as if it is a valid update,” Rakhmanov notes in a blog post today.
On registered versions of WinZip that are vulnerable, the attacker could also obtain potentially sensitive information such as the username and the registration code.
Rakhmanov says that cleartext communication is also used for showing pop-ups informing users with a free trial version of WinZip how much time they have left for testing.
The content in the popup is HTML that retrieves JavaScript. This allows an attacker on the network to expose users to arbitrary content that appears to come directly from WinZip servers.
The researcher says that this scenario also comes with the risk of executing arbitrary code on the victim’s machine because WinZip offers some “powerful” APIs to the JavaScript.
With the release of WinZip 25, cleartext communication no longer occurs. Users are advised to upgrade to the latest version of the application.
Many users may not jump at getting the current release, though, because upgrades are paid. The standard WinZip costs $35.64 and the Pro edition is $59.44.
If upgrading the software is not an option, users are advised to disable update checks. This will stop the client from querying the WinZip server for the availability of a new version.
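As an added example (not from the article or from Trustwave), this is one way a defender could find clients on the network that still perform update checks or fetch the trial pop-up over plain HTTP, so they can be upgraded or have update checks disabled. The proxy log format, host names and User-Agent string are constructed assumptions; the only thing that matters is whether the request used `http://`, since that is the traffic an on-path attacker can tamper with.

```python
"""Flag cleartext (http://, not https://) client requests in a web-proxy log.

Added example, not from the article.  Log format, host names and the
User-Agent marker are constructed placeholders, not real WinZip values.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed proxy log: <ts> <client_ip> <method> <url> <status> "<user-agent>"
SAMPLE_LOG = """\
2020-11-30T10:01:02Z 10.0.0.15 GET http://updates.example-archiver.test/check?ver=24.0 200 "WinZip/24.0"
2020-11-30T10:01:05Z 10.0.0.15 GET http://updates.example-archiver.test/trial_popup.html 200 "WinZip/24.0"
2020-11-30T10:02:09Z 10.0.0.22 GET https://updates.example-archiver.test/check?ver=25.0 200 "WinZip/25.0"
2020-11-30T10:03:11Z 10.0.0.31 GET http://www.example.test/index.html 200 "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Finding:
    client: str
    url: str
    user_agent: str


def find_cleartext_client_traffic(log_text: str, ua_marker: str = "WinZip") -> list[Finding]:
    """One Finding per request whose User-Agent contains ua_marker and whose URL is plain http://."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing on them
        if ua_marker.lower() not in m["ua"].lower():
            continue  # traffic from other software is out of scope here
        if m["url"].lower().startswith("http://"):
            findings.append(Finding(m["client"], m["url"], m["ua"]))
    return findings


def clients_needing_attention(log_text: str) -> set[str]:
    """Client addresses that should be upgraded or have update checks turned off."""
    return {f.client for f in find_cleartext_client_traffic(log_text)}


if __name__ == "__main__":
    for f in find_cleartext_client_traffic(SAMPLE_LOG):
        print(f"{f.client} -> {f.url} ({f.user_agent})")
```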