WinZip 9.0 Fixes a Security Issue with MIME-Encoded Files

WinZip 9.0, released in February 2004, contains a fix for a security vulnerability affecting earlier versions of WinZip. The vulnerability does not affect .ZIP files. Instead, it affects the MIME-encoded files that WinZip is also able to work with.

Note: Since this page was originally published, WinZip Computing has released a maintenance release of WinZip 9.0, WinZip 9.0 SR-1. WinZip 9.0 SR-1 addresses the MIME encoding vulnerability discussed here and includes additional important security fixes and improvements. We recommend that all WinZip users upgrade to WinZip 9.0 SR-1.

Q: What is the vulnerability that is fixed in WinZip 9.0?
A: The problem involves a buffer overflow that can be triggered by invalid data in a MIME-encoded file (one with an extension listed below) when that file is opened by an earlier version of WinZip.

An attacker could attempt to use this buffer overflow to create a file that would execute malicious code of their choice when the file was opened by an earlier version of WinZip. The attacker would have to give the file one of the affected extensions, and would then have to trick you into opening the file; for example, by sending it to you as an e-mail attachment.

Q: What types of files are affected?
A: Files with the following extensions, which are by default associated with WinZip and which are used in connection with MIME-encoded data, are affected: .MIM, .UUE, .UU, .B64, .BHX, .HQX, and .XXE.

Other file types associated with WinZip, such as .ZIP, .TAR, and .CAB, are not affected.

Any file whose extension begins with the letters .UU could also be affected, although with the exception of the .UU and .UUE extensions, these files would not normally be associated with WinZip and are therefore not likely to be opened by WinZip.

Merely including files with one of the affected extensions within a ZIP archive, or extracting files with these extensions from a ZIP archive, will not cause a problem. Instead, an invalid file with one of these extensions must be directly opened by WinZip; this would normally happen only if you double click on an invalid file having an extension of .MIM, .B64, .BHX, .HQX, .XXE, .UU, or .UUE.

Q: What older versions of WinZip are affected?
A: This issue affects all earlier versions of WinZip since WinZip 6.2, including WinZip 8.1 and WinZip 8.1 SR-1. Beta test versions of WinZip 9.0 should also be upgraded. The first version of WinZip in which the problem is corrected is WinZip 9.0, released in February 2004.