Insecure Communication in WinZip
WinZip is a popular tool for managing zip files in Windows and Android. Used extensively for archiving and unpacking the zip files, old versions of this tool follow an insecure path while communicating with its server for updates. This is reported by Martin Rakhmanov of Trustwave SpiderLabs, who demonstrated by scrapping the traffic between a vulnerable WinZip version to its server, which displayed important details to be hijacked. He claimed this insecure path could be hijacked and manipulated for many exploitations.
One of the common risks associated with these types of communications is DNS poisoning – where an attacker captures the traffic and trick the application to obtain fake files when it’s looking for an intended update. He needs to direct the application to a wrong path, where he set the malicious file to be retrieved. Thus, he warned this could be used to execute an arbitrary code if an unsuspecting user clicks and installs the malicious file received. This happens with all the older versions of WinZip, where Rakhmanov could get the username and the registration code in case the user is registered. This clear text communication was patched in WinZip version 25, which is released as the latest. Users are advised to upgrade to the latest version; if they decide to skip because it’s a laid form, they can disable update checks that stop the application to communicate with the server for updates.