WinZip 9.0 Service Release 1 (SR-1)

Please see this note about end of support for WinZip 9.

Q: What is WinZip 9.0 SR-1?
A: WinZip 9.0 Service Release 1 (SR-1) is a maintenance release of WinZip 9.0 containing important security-related fixes and improvements to WinZip. It was posted on the WinZip web site on August 26, 2004.

WinZip Computing recommends that users of all earlier versions of WinZip, including users of the initial release of WinZip 9.0, upgrade to WinZip 9.0 SR-1 or newer.

Q: What has changed in WinZip 9.0 SR-1?
A: The main changes in WinZip 9.0 SR-1 include:
  • A number of general internal improvements have been made to the WinZip program to enhance security and reliability. In the course of its internal review and testing, WinZip Computing also identified and addressed some specific cases where security vulnerabilities, including potential buffer overflows, existed in previous versions of WinZip.

    As of the release of WinZip 9.0 SR-1, WinZip Computing was not aware that any of these vulnerabilities had been publicly described or exploited. However, WinZip Computing recommends that all WinZip users upgrade to WinZip 9.0 SR-1 to avoid the possibility of future exploitation of these vulnerabilities.

  • WinZip 9.0 SR-1 also addresses a buffer overflow issue, privately reported by a WinZip user, that could be triggered by specially crafted invalid input on the WinZip command line.

    As of the release of WinZip 9.0 SR-1, WinZip Computing was not aware of this vulnerability being exploited, and believes that exploitation would only be likely on a system whose security had already been compromised in some other way.

  • The main visible change in WinZip 9.0 SR-1 is that WinZip now displays caution messages in some situations, such as when a user double-clicks on a .EXE file compressed within a Zip file, to warn that the compressed file has a file type that could potentially contain a virus. WinZip users who frequently need to work with the file types involved can easily turn the caution messages off.
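The kind of file-type check behind such a caution message can be reproduced when triaging archives. The following is an added example, not WinZip's code: the extension list beyond .EXE and the function names are assumptions, and the sample archive is constructed in memory with placeholder contents.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed list for illustration; the page itself names only .EXE.
RISKY_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def effective_extension(member_name: str) -> str:
    """Extension Windows would act on: the last suffix, lower-cased,
    after trailing dots and spaces (which Windows drops) are removed."""
    base = PurePosixPath(member_name.replace("\\", "/")).name
    base = base.rstrip(". ")
    return PurePosixPath(base).suffix.lower()


def risky_members(archive) -> list[str]:
    """Return the names of archive members whose file type warrants a caution."""
    with zipfile.ZipFile(archive) as zf:
        return [
            info.filename
            for info in zf.infolist()
            if not info.is_dir()
            and effective_extension(info.filename) in RISKY_EXTENSIONS
        ]


def build_sample_zip() -> io.BytesIO:
    """Constructed sample archive; every member holds harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("readme.txt", "tools/Setup.EXE", "invoice.pdf.exe",
                     "report.scr. ", "notes.exe.txt"):
            zf.writestr(name, b"placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name in risky_members(build_sample_zip()):
        print(f"CAUTION: {name!r} has a file type that could contain a virus")
```

Only the final extension decides the file type, so notes.exe.txt is not flagged while invoice.pdf.exe is.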

WinZip Computing has also released WinZip Command-Line Support Add-On 1.1 SR-1. Users of the WinZip Command-Line Support Add-On should also upgrade to this maintenance release, because it contains important security-related fixes and improvements similar to those in WinZip 9.0 SR-1.

Q: How do I know whether I already have WinZip 9.0 SR-1?
A: You can check to see what release of WinZip is currently installed by displaying WinZip's About box as follows:
  • In WinZip Classic mode, click About WinZip on the Help menu.
  • In WinZip Wizard mode, click the About button.

If WinZip 9.0 SR-1 is installed, the line with version information will start out with the following text:

     WinZip 9.0 SR-1

If you do not have WinZip 9.0 SR-1, please see the WinZip Upgrade Information Page.

Q: How can I download a copy of WinZip 9.0 SR-1?
A: You can download WinZip 9.0 SR-1 here.

Acknowledgements: We thank WinZip user NoRpiUs for alerting us to the issue involving invalid input to the WinZip command line.