
             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

  WinZip Vulnerable to Buffer Overflow in Handling of MIME Archive Parameters
                              [US-CERT VU#116182]

March 4, 2004 20:00 GMT                                           Number O-092
______________________________________________________________________________
PROBLEM:       A vulnerability exists in the WinZip program. The vulnerability 
               does not affect .ZIP files. Instead, it affects the 
               MIME-encoded files that WinZip is also able to work with. 
SOFTWARE:      WinZip 6.2 and earlier, as well as WinZip 8.1, WinZip 8.1 SR-1, 
               beta versions of WinZip 9.0 
DAMAGE:        The problem involves a buffer overflow that can be triggered by 
               invalid data in a MIME-encoded file. MIME-encoded file 
               extensions include: .MIM, .UUE, .UU, .B64, .BHX, .HQX, and 
               .XXE. Any file whose extension begins with the letters .UU 
               could also be affected, although with the exception of the .UU 
               and .UUE extensions, these files would not normally be 
               associated with WinZip and are therefore not likely to be 
               opened by WinZip. 
SOLUTION:      Upgrade to the current version. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. A buffer overflow occurs and could allow a 
ASSESSMENT:    remote attacker to execute arbitrary code on a vulnerable 
               system. This software is a widely used application. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-092.shtml 
 ORIGINAL BULLETIN:  http://www.kb.cert.org/vuls/id/116182 
______________________________________________________________________________

[***** Start US-CERT VU#116182 *****]

Vulnerability Note VU#116182

WinZip vulnerable to buffer overflow in handling of MIME archive parameters
Overview

A buffer overflow vulnerability in the WinZip program could allow a remote attacker 
to execute arbitrary code on a vulnerable system. 

I. Description

WinZip Computing, Inc.'s WinZip is a popular utility for creating and extracting a 
variety of archive file formats on Microsoft Windows-based systems. A buffer overflow 
error exists in the way that WinZip handles certain parameters of MIME archives. 
This error results in a vulnerability when WinZip attempts to interpret invalid data 
in a MIME-encoded file.

An attacker could exploit this vulnerability by introducing a specially-crafted file 
to be opened by WinZip, and then coaxing or tricking a user or application into opening 
it. The malicious file could be introduced in a number of ways including, but not limited 
to, a remote web page, an email attachment, peer-to-peer file sharing, or network 
filesystems. 

II. Impact

An attacker could execute arbitrary code of their choice on a vulnerable system. 

III. Solution

Upgrade to the latest version of the software 

WinZip Computing, Inc. has released an updated version of the WinZip software that 
includes a fix for this vulnerability. Users are strongly encouraged to upgrade to 
this version of the software. More details can be found in the Systems Affected section 
of this document.


Systems Affected
Vendor Status Date Updated 
WinZip Vulnerable 27-Feb-2004 

References

http://www.winzip.com
http://www.idefense.com/application/poi/display?id=76&type=vulnerabilitiies 

Credit
Thanks to iDefense Security Advisory for reporting this vulnerability. 

This document was written by Chad R Dougherty based on information provided by 
iDefense and WinZip 

Other Information
Date Public 02/27/2004 
Date First Published 03/01/2004 09:56:23 AM 
Date Last Updated 03/01/2004 
CERT Advisory   
CVE Name   
Metric 7.70 
Document Revision 9 

[***** End US-CERT VU#116182 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of US-CERT for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-082: Red Hat Updated Kernel Packages Resolve Security Vulnerabilities
O-083: Red Hat Updated Metamail Packages Fix Vulnerabilities
O-084: Zone Labs SMTP Processing Vulnerability
O-085: Vulnerability in SMB Parsing in ISS Products
O-086: Red Hat Updated libxml2 Packages Fix Security Vulnerability
O-087: Red Hat Updated util-linux  Packages Fix Information Leak
O-088: Sun passwd(1) Command Vulnerability
O-089: Sun Security Vulnerability in "/usr/lib/print/conv_fix"
O-090: Vulnerability in Novell Client Firewall Tray Icon
O-091: Adobe Reader 5.1 XFDF Buffer Overflow Vulnerability