Date: 2020-12-15

A failure in WinZip’s communication with its update servers could allow malware to be installed on users’ computers, leading to data theft and other criminal actions. The vulnerability was discovered by security company Trustwave and revealed last Thursday (10).

According to the company, older versions of the popular file compressor were using an unsecured connection to update themselves. The communication between the software and the servers took place over an unencrypted channel, so it could be manipulated by attackers connected to the same network, leading to the installation of malicious programs.

Security experts conducted several tests exploring the vulnerability in WinZip and were able to install malware through it. In addition, the team was able to modify the pop-up windows displayed in the free versions of the program, adding false information to them.

The company also said that confidential data belonging to users of the application, including the user name and registration numbers, was being sent unencrypted over this connection. In the absence of protection mechanisms, cybercriminals would be able to access it easily.
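To find clients still exposed to the two risks described above (update files and user identifiers crossing the network unencrypted), a defender can look for plain-HTTP requests in web-proxy logs. The following is an added example, not code from Trustwave or WinZip; the log format, host names and parameter names are constructed assumptions.

```python
# Added example: flag cleartext (HTTP) update traffic in web-proxy logs.
# The log format, hosts and parameter names are constructed assumptions.
from urllib.parse import urlsplit, parse_qsl

# Hypothetical query-parameter names that would identify a user or licence.
SENSITIVE_PARAMS = {"user", "username", "regcode", "serial", "license"}
# Extensions whose cleartext download lets someone on the path swap the file.
EXECUTABLE_EXT = (".exe", ".msi", ".dll")

# Constructed sample lines: "<timestamp> <client-ip> <method> <url>"
SAMPLE_LOG = """\
2020-12-10T09:00:01Z 10.0.0.21 GET http://update.example.test/check?ver=24&username=alice&regcode=ABCD-1234
2020-12-10T09:00:02Z 10.0.0.21 GET http://update.example.test/files/setup.exe
2020-12-10T09:00:03Z 10.0.0.35 GET https://update.example.test/check?ver=25
2020-12-10T09:00:04Z 10.0.0.40 GET http://news.example.test/index.html
malformed line
"""

def classify(url):
    """Return the findings for one URL; an empty list means nothing to report."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":   # only plain HTTP is of interest here
        return []
    findings = []
    names = {key.lower() for key, _ in parse_qsl(parts.query, keep_blank_values=True)}
    leaked = sorted(names & SENSITIVE_PARAMS)
    if leaked:
        # Report parameter names only, so the values are not copied into alerts.
        findings.append("cleartext-identifiers:" + ",".join(leaked))
    if parts.path.lower().endswith(EXECUTABLE_EXT):
        findings.append("cleartext-executable-download")
    return findings

def scan(log_text):
    """Return (client_ip, host, findings) for every log line with a finding."""
    results = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:             # skip lines that do not match the format
            continue
        _, client, _, url = fields
        findings = classify(url)
        if findings:
            results.append((client, urlsplit(url).hostname, findings))
    return results

if __name__ == "__main__":
    for client, host, findings in scan(SAMPLE_LOG):
        print(client, host, "; ".join(findings))
```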

Update fixes the problem

The flaw was present up to WinZip 24, but has since been corrected following the Trustwave alert. In version 25 of the compressor, communications between the program and the servers are carried out using the HTTPS protocol, making such attacks more difficult for potential attackers.

Therefore, users of older versions of WinZip should update to the latest one in order to eliminate the flaw. If for some reason the update is not possible, the recommendation is to disable the automatic update check, cutting off the communication between the software and the servers. In that case, the update process can be done manually.

According to the company, there are no reports that the vulnerability has been exploited by cyber criminals.



