An attacker could potentially exploit unspecified buffer overflow vulnerabilities in WinZip to execute arbitrary code or gain access to systems, SecurityTracker said in an advisory.
The Silver Spring, Md.-based vulnerability watchdog said the flaws affect 9.0 and prior versions of WinZip, a file-compressing utility for Windows. The advisory said they could be exploited to execute arbitrary code and gain user access via a local system or network.
"When you're able to execute arbitrary code, you can do anything," said Michael Haisley, a handler for the Bethesda, Md.-based Internet Storm Center, a service of the SANS Institute. "In the past, zip files were considered safe. That has proven not to be the case."
Haisley noted that vulnerabilities in WinZip were also discovered back in February. While there's no indication that the latest flaws have been exploited, he warned this is the type of flaw attackers traditionally use to launch malicious code. His advice to users: "Keep your antivirus software as updated as possible and don't open files you're not expecting."
Mansfield, Conn.-based WinZip Computing Inc. reported that it discovered the problems during an internal review of the WinZip code, SecurityTracker said. The company has since upgraded version 9.0 to fix the vulnerabilities.
In a message on its Web site, the Internet Storm Center reiterated the importance of keeping up with new security updates.
"Vulnerabilities in very popular third-party software products should be a significant concern for organizations that have not deployed comprehensive patch-management solutions," the storm center said. "Configuring systems to automate the process of installing patches for Microsoft products is a welcome feature, but does not adequately address third-party software. Other examples of recent vulnerabilities in third-party software include Adobe Acrobat Reader, Sun Java Runtime Engine and AOL Instant Messenger."
This article originally appeared on SearchSecurity.com.