Make sure to update to the latest WinZip version, as it includes the patch for a serious security flaw. Exploiting this vulnerability affecting the WinZip Trial popup could allow an adversary to target the users with malware.

Researchers from Trustwave have reported a serious security vulnerability affecting the WinZip Trial popup. As elaborated in a blog post, the vulnerability existed because of the way WinZip communicated with its servers.

WinZip is free to download for trial use only. After the trial period expires, it requires the user to buy a license to continue using the tool to its fullest. For this, it periodically checks the user's software status and displays prompts upon detecting trial expiration. The researchers found that WinZip communicates this information over an unsecured HTTP connection. Thus, it became possible for an adversary to intercept the traffic, meddle with the Trial popup, and include a malicious WinZip version in between. As a result, the user would never know when a malicious WinZip version got installed on the device.

WinZip 24 opens pop-up windows from time to time when running in Trial mode. Since the content of these popups is HTML with JavaScript that is also retrieved via HTTP, it makes manipulation of that content easy for a network adjacent attacker.

Exploiting the same vulnerability would also allow the adversary to steal sensitive data from the traffic.

The application sends out potentially sensitive information like the registered username, registration code and some other information in query string as a part of the update request. Since this is over an unencrypted channel this information is fully visible to the attacker.

Patch Available With WinZip 25 And Above

According to Trustwave, the vulnerability affected all WinZip versions until WinZip 24. It means a large number of users would potentially be running the vulnerable version on their devices. Upon detecting this problem, Trustwave responsibly disclosed the vulnerability to the developers, who then patched the flaw with the release of WinZip 25. With this version, the vendor uses secure HTTPS to communicate data. So, users can simply upgrade their systems to WinZip 25.
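A defender can look for the two exposures described above (registration data in a cleartext query string, and HTML/JavaScript fetched over plain HTTP) in outbound proxy logs. The script below is an added example, not code from Trustwave or WinZip; the log format, the `example.invalid` hostnames and the parameter names are constructed assumptions, since the page does not give the real ones.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter-name fragments that suggest licence or identity data.
# Assumed heuristic: the page does not list the real parameter names.
SENSITIVE = re.compile(r"(user|name|reg|licen[sc]e|serial|key|code|email)", re.I)
# Content a client renders or executes, so tampering in transit matters.
ACTIVE_CONTENT = ("text/html", "javascript", "application/octet-stream")

# Constructed proxy log: URL <TAB> response content type (hypothetical format).
SAMPLE_LOG = """\
http://updates.example.invalid/check?ver=24.0&username=Alice+Smith&regcode=ABCDE-12345\ttext/plain
http://updates.example.invalid/popup/trial.html?lang=en\ttext/html
https://updates.example.invalid/check?ver=25.0&regcode=ABCDE-12345\ttext/plain
http://static.example.invalid/logo.png\timage/png
"""

def audit_line(line):
    """Return findings for one 'url<TAB>content-type' log line."""
    url, _, ctype = line.partition("\t")
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "http":
        return []  # TLS protects both the query string and the response body
    findings = []
    leaked = sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                    if SENSITIVE.search(k))
    if leaked:
        # Identity or licence data readable by anyone on the network path
        findings.append(("cleartext-sensitive-query", parts.netloc, leaked))
    if any(t in ctype.lower() for t in ACTIVE_CONTENT):
        # Rendered or executable content that can be modified in transit
        findings.append(("cleartext-active-content", parts.netloc, [ctype.strip()]))
    return findings

def audit(log_text):
    """Audit every non-empty line and return all findings in log order."""
    results = []
    for line in log_text.splitlines():
        if line.strip():
            results.extend(audit_line(line))
    return results

if __name__ == "__main__":
    for kind, host, detail in audit(SAMPLE_LOG):
        print(f"{kind:28} {host:28} {detail}")
```

Only parameter names are reported, never their values, so the audit output does not itself copy the leaked data into another log.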