Can just opening a winzip file introduce virus?

Uriel · Nov 24, 2005

Can just opening a winzip file introduce virus?

That's what's suggested by http://www.winzip.com/xvirus_tips.htm , which
currently says:

--------------------
Here are some steps that you can take to help protect yourself from being
affected by viruses distributed in Zip files:

Keep Your System Protected and Up-To-Date

WinZip Computing, Inc. recommends that all WinZip users upgrade to the
latest version of WinZip, WinZip 9.0 SR-1, because it contains important
security-related fixes and enhancements.

Robert Baer · Nov 24, 2005

Uriel said:
Can just opening a winzip file introduce virus?

That's what's suggested by http://www.winzip.com/xvirus_tips.htm , which
currently says:

--------------------
Here are some steps that you can take to help protect yourself from being
affected by viruses distributed in Zip files:

Keep Your System Protected and Up-To-Date

WinZip Computing, Inc. recommends that all WinZip users upgrade to the
latest version of WinZip, WinZip 9.0 SR-1, because it contains important
security-related fixes and enhancements.

They aer just looking for $$$

Adam Piggott · Nov 24, 2005

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robert said:
They aer just looking for $$$

If you already have a license, upgrading to 9.0 SR-1 doesn't cost anything.
I did, when it was released, and didn't have any trouble with it.
- --
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQFDhY/Z7uRVdtPsXDkRAqKwAKCUklpNp4pDJdb0FDXDQV+caEuMvgCeK5iR
QZdj204/z+YeeSqRt8sMrck=
=eyVZ
-----END PGP SIGNATURE-----

Uriel · Nov 24, 2005

www.winzip.com currently offers no upgrades of any kind, no matter what
license you now hold. It only offers to sell version 10.

......

If you already have a license, upgrading to 9.0 SR-1 doesn't cost anything.
I did, when it was released, and didn't have any trouble with it.

.....

Roger Wilco · Nov 24, 2005

Uriel said:
Can just opening a winzip file introduce virus?

That's what's suggested by http://www.winzip.com/xvirus_tips.htm , which
currently says:

--------------------
Here are some steps that you can take to help protect yourself from being
affected by viruses distributed in Zip files:

Keep Your System Protected and Up-To-Date

WinZip Computing, Inc. recommends that all WinZip users upgrade to the
latest version of WinZip, WinZip 9.0 SR-1, because it contains important
security-related fixes and enhancements.

Maybe.

http://secunia.com/advisories/10995

Uriel · Nov 24, 2005

"Maybe" is right. http://secunia.com/advisories/10995 doesn't answer the
question either.

Uriel said:
Can just opening a winzip file introduce virus?

....

Maybe.

http://secunia.com/advisories/10995

Gabriele Neukam · Nov 24, 2005

On that special day, Uriel, ([email protected]) said...

Here are some steps that you can take to help protect yourself from being
affected by viruses distributed in Zip files:

There is already an error in this line. The vulnerability will be
abused by a *trojan horse function*, which of course may be *part* of a
self replicating file, which again is a *worm*. Viruses *insert*
themselves into other programs, and are started when running said
infected programs.

Exploiting a buffer overflow is not initiated by running an infected
program, it is an attack on badly implemented functions, often caused
by (consciuosly) malformed header informations in a prepared file.

Read for example
http://secunia.com/advisories/17420/

Gabriele Neukam

(e-mail address removed)

Uriel · Nov 24, 2005

In principle, something that properly fits the definition of a virus could
be distributed in a zip file. The problem with

Here are some steps that you can take to help protect yourself from being
affected by viruses distributed in Zip files:

is that it's ambiguous. "Distributed" how? "Distributed" in the sense that
the zip file contains an .exe which, when run, introduces a virus onto the
system?

You mention "The vulnerability." What IS winzip 8's vulnerability problem?
Is this actually documented anywhere?

On that special day, Uriel, ([email protected]) said...

Here are some steps that you can take to help protect yourself from being
affected by viruses distributed in Zip files:

There is already an error in this line. The vulnerability will be
abused by a *trojan horse function*, which of course may be *part* of a
self replicating file, which again is a *worm*. Viruses *insert*
themselves into other programs, and are started when running said
infected programs.

Exploiting a buffer overflow is not initiated by running an infected
program, it is an attack on badly implemented functions, often caused
by (consciuosly) malformed header informations in a prepared file.

Read for example
http://secunia.com/advisories/17420/

Gabriele Neukam

(e-mail address removed)

BobT · Nov 25, 2005

www.winzip.com currently offers no upgrades of any kind, no matter what
license you now hold. It only offers to sell version 10.

Not free, but half price for present license holders. I really can't
complain, my present license is from 1995.

Gabriele Neukam · Nov 25, 2005

On that special day, Uriel, ([email protected]) said...

You mention "The vulnerability." What IS winzip 8's vulnerability problem?
Is this actually documented anywhere?

This vulnerability is at first a theoretical one. I gave an example
below, you'll only have to follow the link.

If this isn't enough convincing, read

http://www.juniper.net/security/auto/vulnerabilities/vuln1977.html
and note the line
"Affected Products:
Microsoft Corporation Windows Various
WinZip International LLC WinZip 9.0 and before"

Solution: Install WinZip 9.01 or higher. How many people read this
advisory and will heed this advice?

This specific flaw would basically crash WinZip. But if someone finds
out where to place the code, that it will end in a working portion of
the ram, it might turn into a real danger.

Such things have happened before, as with
http://www.microsoft.com/technet/security/advisory/911302.mspx

And WinZip is spread wide enough, that someone might feel inclined to
test the possibilities of a WinZip worm.

Gabriele Neukam

(e-mail address removed)

Roger Wilco · Nov 25, 2005

If exploiting a vulnerability can "introduce" foreign code, then it can
"introduce" a virus. This doesn't mean that it is a normal spreading
vector for the virus (that would be closer to a worm anyway), but there
is nothing preventing the foreign code from "introducing" anything the
attacker wants - it could introduce a downloader that downloads and
executes anything the attacker desires.

Security advisories often react to what "could" happen not only to what
is actually actively happening in the wild.

Sorry if I got the version wrong, but any more recent concerns are
probably quite similar.

Roger Wilco · Nov 25, 2005

Uriel said:
In principle, something that properly fits the definition of a virus could
be distributed in a zip file. The problem with

is that it's ambiguous. "Distributed" how? "Distributed" in the sense that
the zip file contains an .exe which, when run, introduces a virus onto the
system?

Yes, this is what distributing means. The direct transmission of a virus
would be called "spreading" as in the "spreading mode"
of a virus. If the zipfile were unpacked and the malformed MIME within
invoked (double-clicked) WinZip would attempt to open that malformed
file (it is presumedly registered as a WinZip associated filetype by
extension) and foreign code could execute.

You mention "The vulnerability." What IS winzip 8's vulnerability problem?
Is this actually documented anywhere?

Easily found on the URL I posted earlier, there is this one.

http://www.winzip.com/fmwz90.htm ... maybe...this one is better

)

If not, maybe

http://www.idefense.com/application/poi/display?id=76&type=vulnerabilitiies&flashstatus=true

You can probably dig around there and find the POC they refer to in the
text.

Uriel · Nov 25, 2005

Yes, this is what distributing means. The direct transmission of a virus

would be called "spreading"

Sorry if I used the wrong terminology. So, I gather that:

1. MERELY OPENING a .ZIP file (with any version of Winzip) cannot do
anything harmful to your system.

2. Obviously, a .ZIP file can contain an .EXE with a virus and so can be
used to "distribute" a virus.

If the zipfile were unpacked and the malformed MIME within invoked
(double-clicked) WinZip would attempt to open that malformed file (it is
presumedly registered as a WinZip associated filetype by extension) and
foreign code could execute.

3. From what you say, even the mere act of opening a .MIM file cannot do
anything harmful to your system. (You'd also have to double-click a
contained file to execute foreign code.)

4. However, the link you provide this time --
http://www.winzip.com/fmwz90.htm -- contradicts what you say. There it warns
that MERELY OPENING a .MIM file, with older versions of Winzip, can cause
foreign code to execute. Same can happen by MERELY OPENING files with
extensions .B64, .BHX, .HQX, .UUE, .UU, and .XXE.

I'd also note:

- There's no way I can see to find this warning at the winzip.com homepage.

- http://www.winzip.com/fmwz90.htm says that "All registered users of
earlier English-language versions of WinZip are eligible to download a FREE
upgrade to WinZip 9.0," but I applied yesterday and have yet to hear back.
(I'm registered for v. 8.1.)

- Some spammer has sent me a 22-byte .ZIP file, which doesn't seem to have
much purpose unless MERELY OPENING .ZIP files CAN, in fact, cause foreign
code to execute.

Uriel said:
In principle, something that properly fits the definition of a virus could
be distributed in a zip file. The problem with

is that it's ambiguous. "Distributed" how? "Distributed" in the sense that
the zip file contains an .exe which, when run, introduces a virus onto the
system?

Yes, this is what distributing means. The direct transmission of a virus
would be called "spreading" as in the "spreading mode"
of a virus. If the zipfile were unpacked and the malformed MIME within
invoked (double-clicked) WinZip would attempt to open that malformed
file (it is presumedly registered as a WinZip associated filetype by
extension) and foreign code could execute.

You mention "The vulnerability." What IS winzip 8's vulnerability problem?
Is this actually documented anywhere?

Easily found on the URL I posted earlier, there is this one.

http://www.winzip.com/fmwz90.htm ... maybe...this one is better

)

If not, maybe

http://www.idefense.com/application/poi/display?id=76&type=vulnerabilitiies&flashstatus=true

You can probably dig around there and find the POC they refer to in the
text.

Robert Baer · Nov 26, 2005

Gabriele said:
On that special day, Uriel, ([email protected]) said...

This vulnerability is at first a theoretical one. I gave an example
below, you'll only have to follow the link.

If this isn't enough convincing, read

http://www.juniper.net/security/auto/vulnerabilities/vuln1977.html
and note the line
"Affected Products:
Microsoft Corporation Windows Various
WinZip International LLC WinZip 9.0 and before"

Solution: Install WinZip 9.01 or higher. How many people read this
advisory and will heed this advice?

This specific flaw would basically crash WinZip. But if someone finds
out where to place the code, that it will end in a working portion of
the ram, it might turn into a real danger.

Such things have happened before, as with
http://www.microsoft.com/technet/security/advisory/911302.mspx

And WinZip is spread wide enough, that someone might feel inclined to
test the possibilities of a WinZip worm.

Gabriele Neukam

(e-mail address removed)

Even Pkzip/unzip from Feb 1993?

Gabriele Neukam · Nov 26, 2005

On that special day, Robert Baer, ([email protected]) said...

Even Pkzip/unzip from Feb 1993?

No idea. They were specifically talking about WinZip, and other packers
aren't mentioned at all. Theoretically, I could try it with an
alternative archiver like ALzip or 7zip, but that required a machine
that is still needed afterwards, so I can't check it out.

Gabriele Neukam

(e-mail address removed)

Gabriele Neukam · Nov 26, 2005

On that special day, Uriel, ([email protected]) said...

- Some spammer has sent me a 22-byte .ZIP file, which doesn't seem to have
much purpose unless MERELY OPENING .ZIP files CAN, in fact, cause foreign
code to execute.

It might be an archive bomb, that doesn't execute, but is set up in a
recursive way (arche-in-.archive-in-archive-in-) that eats up all
resources and brings your computer (even the fastest one) to a halt.

Especially if this "archive" is named 42.zip.
http://www.securityspace.com/smysecure/catid.html?id=11036

Gabriele Neukam

(e-mail address removed)

Uriel · Nov 26, 2005

The information at
http://www.securityspace.com/smysecure/catid.html?id=11036 is gibberish, at
least to me.

The "description" reads:

-----------
This script sends the 42.zip recursive archive to the
mail server. If there is an antivirus filter, it may start eating huge
amounts of CPU or memory.
-----------

What does "this script" refer to?? Which product does this vulnerability
apply to? Winzip?

My best guess -- and it's only a guess -- is that the problem product is
some kind of buggy antivirus scanner, though which one in particular I have
no idea.

And if there's any reason why the NAME of the zip file that causes the
problem has to be 42.zip, I don't see it.

On that special day, Uriel, ([email protected]) said...

- Some spammer has sent me a 22-byte .ZIP file, which doesn't seem to have
much purpose unless MERELY OPENING .ZIP files CAN, in fact, cause foreign
code to execute.

It might be an archive bomb, that doesn't execute, but is set up in a
recursive way (arche-in-.archive-in-archive-in-) that eats up all
resources and brings your computer (even the fastest one) to a halt.

Especially if this "archive" is named 42.zip.
http://www.securityspace.com/smysecure/catid.html?id=11036

Gabriele Neukam

(e-mail address removed)

Gabriele Neukam · Nov 26, 2005

On that special day, Uriel, ([email protected]) said...

What does "this script" refer to?? Which product does this vulnerability
apply to? Winzip?

No it is a script on this site, that sends the 42.zip to your
mailserver (exactly what it said). The 42.zip is on the same server as
the web page, and you may ask the web page for this file, but are
warned not to do so, if you don't want to risk your mail server, in
case you might still need it working.

I chose this page, because it gave a fairly concise description about
what it can do to your system (unzipping it manually, or with an anti
virus scanner, that checks archives for malware, and won't stop in
time).

Gabriele Neukam

(e-mail address removed)

Uriel · Nov 26, 2005

But you haven't answered the question:

Which product does this vulnerability apply to?

I gather it is some kind of software package for mail servers. How does that
apply to me, or to a normal Winzip user? I'm not an administrator for a mail
server. I'm a simple user. My ISP takes care of the mail servers I use, not
me.

I chose this page, because it gave a fairly concise description about what
it can do to your system (unzipping it manually, or with an anti virus
scanner, that checks archives for malware, and won't stop in time).

What it can do to *my* system? Or my ISP's systems?

On that special day, Uriel, ([email protected]) said...

What does "this script" refer to?? Which product does this vulnerability
apply to? Winzip?

No it is a script on this site, that sends the 42.zip to your
mailserver (exactly what it said). The 42.zip is on the same server as
the web page, and you may ask the web page for this file, but are
warned not to do so, if you don't want to risk your mail server, in
case you might still need it working.

I chose this page, because it gave a fairly concise description about
what it can do to your system (unzipping it manually, or with an anti
virus scanner, that checks archives for malware, and won't stop in
time).

Gabriele Neukam

(e-mail address removed)

Roger Wilco · Nov 26, 2005

Uriel said:
Sorry if I used the wrong terminology. So, I gather that:

1. MERELY OPENING a .ZIP file (with any version of Winzip) cannot do
anything harmful to your system.

Wrong, in fact what they are saying is the most all versions prior to
9.0 sp1 are indeed vulnerable to foreign code being run simply by
attempting to open a ZIP file. The mechanism involved is likely similar
to the older described vulnerabilities I posted links to. The more
recent vulnerabilities were discovered by the WinZip company themselves,
so you can't really blame them for not releasing too many details or
exploit code.

They are of the opinion that the vulnerability can go beyond the mere
crashing of WinZip and allow remote code execution and compromising of
the affected machine, even though there is no exploit code for this
scenario at the present time.

2. Obviously, a .ZIP file can contain an .EXE with a virus and so can be
used to "distribute" a virus.

Yes, and as Gabriel mentioned it is more a wormlike activity to do this.
Some malware is 'distributed' by posting a dropper trojan to usenet.

3. From what you say, even the mere act of opening a .MIM file cannot do
anything harmful to your system.

I don't beleive I said any such thing, in fact quite the opposite. The
above is a scenario where the crafted MIME was zipped and the resulting
zipfile when unzipped would reveal a MIME (*.mim) and then you would
have to cause WinZip to attempt to open that file to get bit. The newer
vulnerabilities affect the zipfile (*.zip) itself.

(You'd also have to double-click a
contained file to execute foreign code.)

Not really - the thing here is that non-executable filetypes (the listed
data files) could be crafted to cause WunZip to execute some of that
crafted data as code.

The older vulnerabilities I referenced say exactly the opposite of what
you are inferring - the fact is that you CAN be the victim of malicious
code by merely attempting to open certain filetypes (listed by their
extension) - that vulnerability wasn't strictly for (*.zip), but the
newer ones are.

4. However, the link you provide this time --
http://www.winzip.com/fmwz90.htm -- contradicts what you say. There it warns
that MERELY OPENING a .MIM file, with older versions of Winzip, can cause
foreign code to execute. Same can happen by MERELY OPENING files with
extensions .B64, .BHX, .HQX, .UUE, .UU, and .XXE.

That is correct - by merely having the vulnerable WinZip application
attempt to open the file. I'm sure they can be opened safely by other
applications. The problem is the WinZip application, not a problem with
zipfiles in general - and this is why upgrading to at least 9.0 sp1 is
needed. Your version is probably vulnerable to ALL of the
vulnerabilities mentioned.

Can just opening a winzip file introduce virus?

Uriel

Robert Baer

Adam Piggott

Uriel

Roger Wilco

Uriel

Gabriele Neukam

Uriel

BobT

Gabriele Neukam

Roger Wilco

Roger Wilco

Uriel

Robert Baer

Gabriele Neukam

Gabriele Neukam

Uriel

Gabriele Neukam

Uriel

Roger Wilco