Re: Can just opening a winzip file introduce virus?




"Uriel" <urielw@xxxxxxxxxx> wrote in message
news:j36if.8012$e43.495746@xxxxxxxxxxxxxxxxxxxxxxxx
> >> 1. MERELY OPENING a .ZIP file (with any version of Winzip) cannot do
> >> anything harmful to your system.
>
> >Wrong, in fact what they are saying is the most all versions prior to 9.0
> >sp1 are indeed vulnerable to foreign code being run simply by attempting to
> >open a ZIP file.
>
> But what YOU wrote earlier (in your post sent Friday, November 25, 2005
> 10:56 AM), to explain the vulnerability, was:
>
> --------------------------------
> If the zipfile were unpacked and the malformed MIME within invoked
> (double-clicked) WinZip would attempt to open that malformed file (it is
> presumedly registered as a WinZip associated filetype by extension) and
> foreign code could execute.
> --------------------------------
>
> That to me says that to execute the foreign code I have to (1) open a zip
> file, then (2) manually invoke the MIME file within.

Yes, that would be a scenario for the older vulnerabilities. The point I
was trying to make was the danger of just opening the MIME filetypes
with WinZip is probably just the same as the danger of just opening the
ZIP file with the new exploit code within. There was no good explanation
of the new vulnerabilities (they don't want to tip their hand) but the
new exploit is most likely the same with the unexplained one as it is
with the explained one and just as dangerous.

If you got a MIME file (with one of those listed extensions) as an
attachment to an e-mail and decided to open it with WinZip you would not
have the double-opening scenario I posted - but I didn't think it too
likely that such a file would be sent by itself and have it occur to
anyone that WinZip would be the application to use to open it. If a .zip
contained a .hqx file it would be more likely to happen. The old
vulnerabilities (which do pertain to your version) were only referred to
because there is more explanation of how it works than there was for the
new vulnerabilities which probably work in a similar manner.

> It seems you had in mind that old versions of Winzip also have some
> additional, separate vulnerability; but you didn't mention it.

Well, ... you asked "Can just opening a winzip file introduce virus" and
I tried to do more than just say "yes". The fact is that most any file
can contain malware if the application software using that file is
broken. The recent vulnerabilities that affect WinZip indeed do open up
that avenue, yet the additional information about how this can be could
only be relayed to you via the older "explained" ones where you could
even view exploit source code.

> >The more recent vulnerabilities were discovered by the WinZip company
> >themselves, so you can't really blame them for not releasing too many
> >details or exploit code.
>
> I very much blame them for neglecting to warn their customers if indeed it's
> true that MERELY OPENING a .ZIP file can execute foreign code. So far I'm
> unaware of any warning to that effect anywhere on their site.

At this time there is no exploit code that does this, except the
non-executing code that may crash WinZip. It is not that dangerous NOW,
but they warn of the possibility it could get worse when someone
discovers how to place code where needed.

> >They are of the opinion that the vulnerability can go beyond the mere
> >crashing of WinZip and allow remote code execution and compromising of the
> >affected machine, even though there is no exploit code for this scenario at
> >the present time.
>
> Well, I've got the .ZIP file a spammer sent me. Does anyone want it?

You could submit it to "Virustotal" and see what they tag it as ... if
they detect it as malware.

> This part of my earlier post was unfortunately confusing:
>
> --------------------------------
> 3. From what you say, even the mere act of opening a .MIM file cannot do
> anything harmful to your system. (You'd also have to double-click a
> contained file to execute foreign code.)
> --------------------------------
>
> What I meant was that I'd gathered from what you said ("If the zipfile were
> unpacked and the malformed MIME within invoked....") that it's not dangerous
> to merely open any file (ZIP, MIM, whatever) with Winzip; to risk executing
> foreign code you'd also have to do the second step of invoking a contained
> file.
> (But I now gather that's not what you meant to say.)

Right, any way that you use WinZip to attempt to open maliciously
crafted files of any listed extensions will bite you. This goes for the
new vulnerabilities associated with *.ZIP as well as it did for the
other MIME types listed. At present the only bite from *.ZIP concerning
the new vulnerabilities is a crash of the WinZip application if I
understood them correctly.
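
Added example, not part of the original post and not WinZip's own tooling: one way to triage a suspicious archive like the one discussed above without opening it in the affected application. It reads only the ZIP central directory with Python's own parser, flags the two extensions named in the thread (`.hqx` and `.mim`; the full list of types is not given there), and computes a SHA-256 that can be used for a hash lookup on a scanning service. The function names and the sample archive are constructed for illustration.

```python
import hashlib
import io
import posixpath
import zipfile

# Extensions named in the thread; the full list WinZip registers is not given there.
FLAGGED_EXTENSIONS = {".hqx", ".mim"}

def triage_zip(data: bytes) -> dict:
    """Inspect an archive held in memory without extracting any member."""
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),  # for a hash lookup
        "valid_zip": False,
        "members": [],          # (name, uncompressed size, compressed size)
        "flagged": [],          # members with an extension from the thread
        "nested_archives": [],  # .zip inside .zip deserves a second look
    }
    try:
        # The constructor parses the end-of-central-directory record and the
        # central directory; no member data is decompressed here.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            report["valid_zip"] = True
            for info in zf.infolist():
                ext = posixpath.splitext(info.filename)[1].lower()
                report["members"].append(
                    (info.filename, info.file_size, info.compress_size))
                if ext in FLAGGED_EXTENSIONS:
                    report["flagged"].append(info.filename)
                elif ext == ".zip":
                    report["nested_archives"].append(info.filename)
    except zipfile.BadZipFile:
        # A structurally malformed archive stays marked as not valid.
        pass
    return report

def build_sample() -> bytes:
    """Constructed sample archive; the contents are harmless placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.txt", "hello")
        zf.writestr("docs/archive.HQX", "constructed placeholder, not BinHex")
        zf.writestr("inner.zip", b"PK")
    return buf.getvalue()

if __name__ == "__main__":
    result = triage_zip(build_sample())
    print(result["sha256"], result["flagged"], result["nested_archives"])
```

Because the listing comes from a different parser than the one in the affected application, a flagged or malformed result here is a reason to keep the file out of that application until it is patched.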

