Two popular Windows applications found susceptible to security flaws
September 8, 2004
Two popular desktop applications were recently found to carry potentially severe flaws that let skilled attackers take control of affected computers. The casualties this time are the leaders of the compression and multimedia segments, the well-known WinZip and WinAmp applications.
A serious security flaw in NullSoft's popular WinAmp player opens the door for crackers to seize control of vulnerable systems.
The vulnerability stems from a flaw in how the player processes Winamp skin "zip" files. Unwary users visiting a maliciously constructed website could find their PCs infected. The vulnerability has been confirmed on a fully patched system with WinAmp 5.04 using Internet Explorer 6.0 running on Microsoft Windows XP SP1. Users of older WinAmp versions are also potentially in danger. As the K-OTik.COM Security Survey Team reports, the bug is being actively exploited in the wild.
To combat the situation, Nullsoft has released an updated version of Winamp that addresses the vulnerability. Winamp version 5.5, which contains the fix, is available for download.
As for WinZip, Windows clients running the popular WinZip application are at risk from a number of critical security flaws, according to WinZip Computing and security researchers.
WinZip versions 3.x, 6.x, 7.x, 8.x and 9.x contain vulnerabilities that could allow an attacker to execute malicious code on a Windows PC, the vendor warned. In an advisory on Thursday, Danish security firm Secunia gave the bugs a "highly critical" rating, the fourth-highest out of its five severity levels.
While no exploits are known to be circulating, the wide deployment of WinZip makes the vulnerabilities important to patch immediately, WinZip said. Users of older WinZip versions must upgrade to version 9.x in order to get the fix, which is contained in WinZip 9.0 Service Release 1 (SR1). "WinZip Computing recommends that all WinZip users upgrade to WinZip 9.0 SR1 to avoid the possibility of future exploitation of these vulnerabilities," the company said. The update can be found on WinZip's site.
According to WinZip and Secunia, previous versions of WinZip contain potential buffer overflows which could allow an attacker to execute malicious code. In addition, the update fixes a security hole reported to WinZip by an undisclosed user, which could allow an attacker to take over a system by sending a specially-crafted invalid input at the WinZip command line. The command line bug could probably only be exploited on a system whose security had already been compromised in some other way, the company said.
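Both reports above come down to the same defensive lesson: an archive fetched from the web, whether a Winamp skin "zip" or a file handed to WinZip, is untrusted input and should be sanity-checked before any parser touches it. The script below is an added example, not code from the article, Nullsoft or WinZip Computing; it audits a zip archive in memory for the usual red flags (entries that escape the extraction directory, very long entry names, oversized or extreme-ratio entries, and file types that have no business in a skin). The policy limits, the allowed-suffix list and both sample archives are constructed for this example and are not taken from the advisories.

```python
import io
import zipfile

# Policy values: constructed assumptions for this example, not figures from the advisories.
MAX_NAME_LEN = 200            # reject suspiciously long entry names
MAX_ENTRY_BYTES = 5_000_000   # reject entries that declare a very large uncompressed size
MAX_RATIO = 100               # reject extreme compression ratios (zip-bomb style entries)
# Hypothetical allow-list of file types expected inside a skin archive.
ALLOWED_SUFFIXES = (".bmp", ".cur", ".txt", ".ini", ".png")


def audit_zip(data: bytes) -> list:
    """Return a list of (entry_name, reason) findings for an untrusted zip archive.

    An empty list means nothing was flagged; the caller decides whether to load the file.
    The archive is inspected from its central directory only and is never extracted.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip file")]
    with zf:
        for info in zf.infolist():
            name = info.filename
            # Path traversal, absolute paths and drive letters: an entry must stay
            # inside the directory the archive is extracted into.
            normalized = name.replace("\\", "/")
            if (normalized.startswith("/")
                    or ".." in normalized.split("/")
                    or (len(name) > 1 and name[1] == ":")):
                findings.append((name, "path escapes extraction directory"))
            # Overlong names are a classic trigger for fixed-size buffers in parsers.
            if len(name) > MAX_NAME_LEN:
                findings.append((name, "entry name too long"))
            # Declared sizes come from the archive itself, so treat them as hostile claims.
            if info.file_size > MAX_ENTRY_BYTES:
                findings.append((name, "declared size exceeds limit"))
            if info.compress_size > 0 and info.file_size / info.compress_size > MAX_RATIO:
                findings.append((name, "compression ratio too high"))
            # Anything that is not an expected skin asset is flagged, e.g. executables.
            if not info.is_dir() and not name.lower().endswith(ALLOWED_SUFFIXES):
                findings.append((name, "file type not allowed in a skin"))
    return findings


def build_zip(entries) -> bytes:
    """Build an in-memory zip from (name, payload) pairs; used to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample archives (not real skins or real malicious files).
BENIGN_SKIN = build_zip([
    ("main.bmp", b"BM" + bytes(range(100))),
    ("pledit.txt", b"[Text]\nNormal=#FFFFFF\n"),
])
SUSPECT_SKIN = build_zip([
    ("../../evil.exe", b"MZ" + bytes(range(64))),   # traversal plus a disallowed type
    ("A" * 300 + ".bmp", b"BM"),                    # overlong entry name
    ("bomb.bmp", b"\x00" * 1_000_000),              # highly compressible filler
])


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SKIN), ("suspect", SUSPECT_SKIN)):
        print(label, audit_zip(blob) or "no findings")
```

The check reads only the central directory, so it costs nothing compared with extraction and can sit in front of any component that opens archives from the network. Thresholds are deliberately conservative for a skin bundle; a general-purpose archive gateway would tune them per file source.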
"As of the release of WinZip 9.0 SR1, WinZip Computing was not aware that any of these vulnerabilities had been publicly described or exploited," the company said.