Can just opening a winzip file introduce virus?

Roger Wilco

- http://www.winzip.com/fmwz90.htm says that "All registered users of
earlier English-language versions of WinZip are eligible to download a FREE
upgrade to WinZip 9.0,

You will be wanting WinZip 9.0 SP1 or better - 9.0 itself is vulnerable
to the new bugs.
- Some spammer has sent me a 22-byte .ZIP file, which doesn't seem to have
much purpose unless MERELY OPENING .ZIP files CAN, in fact, cause foreign
code to execute.

At this point in time for the WinZip 9.0 (not SP1) a small zipfile can
cause a crash of the WinZip application and the vendor warns that it
might not be too long before someone figures out how to leverage this
vulnerability into a foreign code execution exploit. It is possible that
some cyber-vandal has spammed WinZip crasher exploits just for fun.
There is probably someone working on a worm that uses this as we speak.
 
Uriel

1. MERELY OPENING a .ZIP file (with any version of Winzip) cannot do
Wrong, in fact what they are saying is the most all versions prior to 9.0
sp1 are indeed vulnerable to foreign code being run simply by attempting to
open a ZIP file.

But what YOU wrote earlier (in your post sent Friday, November 25, 2005
10:56 AM), to explain the vulnerability, was:

--------------------------------
If the zipfile were unpacked and the malformed MIME within invoked
(double-clicked) WinZip would attempt to open that malformed file (it is
presumably registered as a WinZip associated filetype by extension) and
foreign code could execute.
--------------------------------

That to me says that to execute the foreign code I have to (1) open a zip
file, then (2) manually invoke the MIME file within.

It seems you had in mind that old versions of Winzip also have some
additional, separate vulnerability; but you didn't mention it.
The more recent vulnerabilities were discovered by the WinZip company
themselves, so you can't really blame them for not releasing too many
details or exploit code.

I very much blame them for neglecting to warn their customers if indeed it's
true that MERELY OPENING a .ZIP file can execute foreign code. So far I'm
unaware of any warning to that effect anywhere on their site.
They are of the opinion that the vulnerability can go beyond the mere
crashing of WinZip and allow remote code execution and compromising of the
affected machine, even though there is no exploit code for this scenario at
the present time.

Well, I've got the .ZIP file a spammer sent me. Does anyone want it?

This part of my earlier post was unfortunately confusing:

--------------------------------
3. From what you say, even the mere act of opening a .MIM file cannot do
anything harmful to your system. (You'd also have to double-click a
contained file to execute foreign code.)
--------------------------------

What I meant was that I'd gathered from what you said ("If the zipfile were
unpacked and the malformed MIME within invoked....") that it's not dangerous
to merely open any file (ZIP, MIM, whatever) with Winzip; to risk executing
foreign code you'd also have to do the second step of invoking a contained
file.

(But I now gather that's not what you meant to say.)


Uriel said:
Sorry if I used the wrong terminology. So, I gather that:

1. MERELY OPENING a .ZIP file (with any version of Winzip) cannot do
anything harmful to your system.

Wrong, in fact what they are saying is the most all versions prior to
9.0 sp1 are indeed vulnerable to foreign code being run simply by
attempting to open a ZIP file. The mechanism involved is likely similar
to the older described vulnerabilities I posted links to. The more
recent vulnerabilities were discovered by the WinZip company themselves,
so you can't really blame them for not releasing too many details or
exploit code.

They are of the opinion that the vulnerability can go beyond the mere
crashing of WinZip and allow remote code execution and compromising of
the affected machine, even though there is no exploit code for this
scenario at the present time.
2. Obviously, a .ZIP file can contain an .EXE with a virus and so can be
used to "distribute" a virus.

Yes, and as Gabriel mentioned it is more a wormlike activity to do this.
Some malware is 'distributed' by posting a dropper trojan to usenet.
3. From what you say, even the mere act of opening a .MIM file cannot do
anything harmful to your system.

I don't believe I said any such thing, in fact quite the opposite. The
above is a scenario where the crafted MIME was zipped and the resulting
zipfile when unzipped would reveal a MIME (*.mim) and then you would
have to cause WinZip to attempt to open that file to get bit. The newer
vulnerabilities affect the zipfile (*.zip) itself.
(You'd also have to double-click a
contained file to execute foreign code.)

Not really - the thing here is that non-executable filetypes (the listed
data files) could be crafted to cause WinZip to execute some of that
crafted data as code.

The older vulnerabilities I referenced say exactly the opposite of what
you are inferring - the fact is that you CAN be the victim of malicious
code by merely attempting to open certain filetypes (listed by their
extension) - that vulnerability wasn't strictly for (*.zip), but the
newer ones are.
4. However, the link you provide this time --
http://www.winzip.com/fmwz90.htm -- contradicts what you say. There it warns
that MERELY OPENING a .MIM file, with older versions of Winzip, can cause
foreign code to execute. Same can happen by MERELY OPENING files with
extensions .B64, .BHX, .HQX, .UUE, .UU, and .XXE.

That is correct - by merely having the vulnerable WinZip application
attempt to open the file. I'm sure they can be opened safely by other
applications. The problem is the WinZip application, not a problem with
zipfiles in general - and this is why upgrading to at least 9.0 sp1 is
needed. Your version is probably vulnerable to ALL of the
vulnerabilities mentioned.
 
Roger Wilco

Uriel said:
But what YOU wrote earlier (in your post sent Friday, November 25, 2005
10:56 AM), to explain the vulnerability, was:

--------------------------------
If the zipfile were unpacked and the malformed MIME within invoked
(double-clicked) WinZip would attempt to open that malformed file (it is
presumably registered as a WinZip associated filetype by extension) and
foreign code could execute.

Yes, that would be a scenario for the older vulnerabilities. The point I
was trying to make was the danger of just opening the MIME filetypes
with WinZip is probably just the same as the danger of just opening the
ZIP file with the new exploit code within. There was no good explanation
of the new vulnerabilities (they don't want to tip their hand) but the
new exploit is most likely the same with the unexplained one as it is
with the explained one and just as dangerous.

If you got a MIME file (with one of those listed extensions) as an
attachment to an e-mail and decided to open it with WinZip you would not
have the double-opening scenario I posted - but I didn't think it too
likely that such a file would be sent by itself and have it occur to
anyone that WinZip would be the application to use to open it. If a .zip
contained a .hqx file it would be more likely to happen. The old
vulnerabilities (which do pertain to your version) were only referred to
because there is more explanation of how it works than there was for the
new vulnerabilities which probably work in a similar manner.
It seems you had in mind that old versions of Winzip also have some
additional, separate vulnerability; but you didn't mention it.

Well, ... you asked "Can just opening a winzip file introduce virus" and
I tried to do more than just say "yes". The fact is that most any file
can contain malware if the application software using that file is
broken. The recent vulnerabilities that affect WinZip indeed do open up
that avenue, yet the additional information about how this can be could
only be relayed to you via the older "explained" ones where you could
even view exploit source code.
I very much blame them for neglecting to warn their customers if indeed it's
true that MERELY OPENING a .ZIP file can execute foreign code. So far I'm
unaware of any warning to that effect anywhere on their site.

At this time there is no exploit code that does this, except the
non-executing code that may crash WinZip. It is not that dangerous NOW,
but they warn of the possibility it could get worse when someone
discovers how to place code where needed.
Well, I've got the .ZIP file a spammer sent me. Does anyone want it?

You could submit it to "Virustotal" and see what they tag it as ... if
they detect it as malware.
This part of my earlier post was unfortunately confusing:

--------------------------------
3. From what you say, even the mere act of opening a .MIM file cannot do
anything harmful to your system. (You'd also have to double-click a
contained file to execute foreign code.)
--------------------------------

What I meant was that I'd gathered from what you said ("If the zipfile were
unpacked and the malformed MIME within invoked....") that it's not dangerous
to merely open any file (ZIP, MIM, whatever) with Winzip; to risk executing
foreign code you'd also have to do the second step of invoking a contained
file.
(But I now gather that's not what you meant to say.)

Right, any way that you use WinZip to attempt to open maliciously
crafted files of any listed extensions will bite you. This goes for the
new vulnerabilities associated with *.ZIP as well as it did for the
other MIME types listed. At present the only bite from *.ZIP concerning
the new vulnerabilities is a crash of the WinZip application if I
understood them correctly.
 
Uriel

[What you wrote in your post] says that to execute the foreign code I
Yes, that would be a scenario for the older vulnerabilities. The point I
was trying to make was the danger of just opening the MIME filetypes with
WinZip is probably just the same as the danger of just opening the ZIP file
with the new exploit code within. There was no good explanation of the new
vulnerabilities (they don't want to tip their hand) but the new exploit is
most likely the same with the unexplained one as it is with the explained
one and just as dangerous.

Roger, you have to write more clearly. It's really hard to make sense of
what you're saying.

What do you mean by:
The point I was trying to make was the danger of just opening the MIME
filetypes with WinZip is probably just the same as the danger of just
opening the ZIP file with the new exploit code within.

The point you made (Friday, November 25, 2005 10:56 AM) about the ZIP type
is that to execute foreign code you have to do TWO steps (open file, invoke
contained file).

That is NOT "just the same" as the danger involving the MIME type. As it
says at http://www.winzip.com/fmwz90.htm , with the MIME type you just need
to do a ONE-step process.

But now you're saying there's also a ONE-step danger with the ZIP type:
There was no good explanation of the new vulnerabilities (they don't want
to tip their hand) but the new exploit is most likely the same with the
unexplained one as it is with the explained one and just as dangerous.

This is extremely confusing. I think you mean:

- The "explained" vulnerability is the one they've acknowledged at
http://www.winzip.com/fmwz90.htm ; that's also what you think of as the
"old" vulnerability. That vulnerability only applies to .MIM files.

- Old versions of Winzip are also vulnerable to .ZIP files. That's what you
think of as the "new" vulnerability. But that vulnerability is not
acknowledged anywhere at winzip.com. That's why you call it "unexplained."
But "unexplained" is the wrong term. No one expects an "explanation." But
obviously they should tell customers what actions are dangerous (as they did
with .MIM).

- "[winzip doesn't] want to tip their hand": Confusing. You're using the
wrong expression. What do you mean? Why shouldn't they warn about the .ZIP
vulnerability, as they did about the .MIM one?

FYI, http://www.virustotal.com reports no virus found on that 22-byte .ZIP
file a spammer sent me.

 
Roger Wilco

Uriel said:
[What you wrote in your post] says that to execute the foreign code I
have to (1) open a zip file, then (2) manually invoke the MIME file
within.
Yes, that would be a scenario for the older vulnerabilities. The point I
was trying to make was the danger of just opening the MIME filetypes with
WinZip is probably just the same as the danger of just opening the ZIP file
with the new exploit code within. There was no good explanation of the new
vulnerabilities (they don't want to tip their hand) but the new exploit is
most likely the same with the unexplained one as it is with the explained
one and just as dangerous.

Roger, you have to write more clearly. It's really hard to make sense of
what you're saying.

Sorry :(
What do you mean by:


The point you made (Friday, November 25, 2005 10:56 AM) about the ZIP type
is that to execute foreign code you have to do TWO steps (open file, invoke
contained file).

That is NOT "just the same" as the danger involving the MIME type. As it
says at http://www.winzip.com/fmwz90.htm , with the MIME type you just need
to do a ONE-step process.

The danger is that due to the mishandling of some data filetypes associated with WinZip, maliciously crafted data files become the
equivalent of executables. How many clicks away it is, is irrelevant.

Users will even jump through hoops to execute malware.
But now you're saying there's also a ONE-step danger with the ZIP type:

There is a one step danger with all of the types mentioned - you're just not as likely to see some of them.
This is extremely confusing. I think you mean:

- The "explained" vulnerability is the one they've acknowledged at
http://www.winzip.com/fmwz90.htm ; that's also what you think of as the
"old" vulnerability. That vulnerability only applies to .MIM files.

Files with the extensions they mentioned - right.
- Old versions of Winzip are also vulnerable to .ZIP files. That's what you
think of as the "new" vulnerability. But that vulnerability is not
acknowledged anywhere at winzip.com.

I didn't look, but you say it at least isn't prominent on the homepage - and even that is not a good thing. They should make every
effort to inform their customers of the existence of this problem. Only critical details should be withheld.
That's why you call it "unexplained."
But "unexplained" is the wrong term. No one expects an "explanation." But
obviously they should tell customers what actions are dangerous (as they did
with .MIM).

I meant 'unexplained' because the new vulnerability's existence was discovered and announced by WinZip - only the details were
absent. One of your posts asked for more information than just the mere existence of the bug. More "explicit information" would only
be available for the older bugs, so I thought you might want to look at them.

"WinZip Computing, Inc. recommends that all WinZip users upgrade to the
latest version of WinZip, WinZip 9.0 SR-1, because it contains important
security-related fixes and enhancements."

The "important security-related fixes" part would be enough for me.
- "[winzip doesn't] want to tip their hand": Confusing. You're using the
wrong expression.

Referring to the game of "poker" - they don't want to give information to their opponents (the malware writers).
What do you mean? Why shouldn't they warn about the .ZIP
vulnerability, as they did about the .MIM one?

They did, didn't they? They both discovered and announced it. They recommend upgrading to sp1.

Last I read, this vulnerability is still only a "crash the application" exploit target, not a major problem.
FYI, http://www.virustotal.com reports no virus found on that 22-byte .ZIP
file a spammer sent me.

Probably a URL in a zipfile or some silly thing.
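A 22-byte .ZIP file, as discussed above, is exactly the size of a bare end-of-central-directory (EOCD) record, i.e. an archive with no entries at all. The following is an added example, not code from this thread, showing how to triage such a sample by reading only its EOCD record and checking it against the file size, before any archiver is allowed to open it; the sample archives are constructed inline, and the malformed one is a generic structural inconsistency, not a reconstruction of the WinZip flaw being discussed.

```python
import io
import struct
import zipfile

# Fixed part of the End Of Central Directory (EOCD) record: a 4-byte signature
# followed by 18 bytes of fields, 22 bytes in total. A variable-length archive
# comment may follow it.
EOCD_SIG = b"PK\x05\x06"
# disk, cd_disk, entries_this_disk, entries_total, cd_size, cd_offset, comment_len
EOCD_FMT = "<HHHHIIH"
EOCD_LEN = 4 + struct.calcsize(EOCD_FMT)  # == 22
MAX_COMMENT = 0xFFFF                      # comment length is a 16-bit field


def build_empty_zip() -> bytes:
    """Constructed sample: a bare EOCD record with zero entries. This is the
    only well-formed ZIP that is exactly 22 bytes long."""
    return EOCD_SIG + struct.pack(EOCD_FMT, 0, 0, 0, 0, 0, 0, 0)


def build_zip_with_entry(name: str, data: bytes) -> bytes:
    """Constructed sample: an ordinary single-entry archive from the stdlib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_malformed_zip() -> bytes:
    """Constructed sample: claims one entry and a central directory at offset
    0x1000, yet the file is only 22 bytes long, so that directory cannot exist."""
    return EOCD_SIG + struct.pack(EOCD_FMT, 0, 0, 1, 1, 0x100, 0x1000, 0)


def inspect_zip(blob: bytes) -> dict:
    """Read only the EOCD record and cross-check it against the file size.
    Nothing is decompressed and no directory entry is parsed, so this can be
    run on an untrusted sample before any archiver touches it.
    'verdict' is one of: not-zip, empty, archive, malformed."""
    if len(blob) < EOCD_LEN:
        return {"verdict": "not-zip", "reason": "shorter than an EOCD record"}
    # The EOCD sits at the very end unless an archive comment follows it.
    tail = blob[-(EOCD_LEN + MAX_COMMENT):]
    pos = tail.rfind(EOCD_SIG)
    if pos < 0 or len(tail) - pos < EOCD_LEN:
        return {"verdict": "not-zip", "reason": "no complete EOCD record"}
    eocd_start = len(blob) - len(tail) + pos
    fields = struct.unpack(EOCD_FMT, tail[pos + 4:pos + EOCD_LEN])
    disk, cd_disk, n_this, n_total, cd_size, cd_offset, comment_len = fields
    problems = []
    if disk != 0 or cd_disk != 0 or n_this != n_total:
        problems.append("multi-disk archive or entry-count mismatch")
    if cd_offset + cd_size > eocd_start:
        problems.append("central directory extends past the EOCD record")
    if comment_len != len(tail) - pos - EOCD_LEN:
        problems.append("comment length disagrees with the trailing bytes")
    if (n_total == 0) != (cd_size == 0):
        problems.append("entry count and directory size disagree")
    if problems:
        return {"verdict": "malformed", "entries": n_total,
                "reason": "; ".join(problems)}
    if n_total == 0:
        return {"verdict": "empty", "entries": 0}
    return {"verdict": "archive", "entries": n_total,
            "cd_offset": cd_offset, "cd_size": cd_size}
```

A verdict of "empty" for a 22-byte file means there is nothing inside to extract or scan; "malformed" is the case worth keeping away from any archiver that does not validate these offsets itself.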
 
Uriel

How many clicks away it is, is irrelevant.

Not to me. I might be tricked into opening a .ZIP file. But I can't imagine
then invoking a .MIM file within it. I don't even really know what .MIM is
(and don't want to).
Files with the extensions they mentioned - right.

I misspoke. Should have said: "That vulnerability only applies to .MIM and
other filetypes they list, and not to .ZIP, which they don't list."
I meant 'unexplained' because the new vulnerability's existence was
discovered and announced by WinZip - only the details were absent.

Wrong. Like I said before:
One of your posts asked for more information than just the mere existence
of the bug. More "explicit information" would only be available for the
older bugs, so I thought you might want to look at them.

Not true. I was only asking whether merely opening a .ZIP can execute
foreign code. I'm not interested in further detail.
"WinZip Computing, Inc. recommends that all WinZip users upgrade to the
latest version of WinZip, WinZip 9.0 SR-1, because it contains important
security-related fixes and enhancements."
The "important security-related fixes" part would be enough for me.

That doesn't warn about the vulnerability to .ZIP files. "Important
security-related fixes and enhancements" could mean any dumb thing -- like a
feature to link Norton virus scanning to Winzip so a scan happens when you
open a .ZIP file.
- "[winzip doesn't] want to tip their hand": Confusing. You're using the
wrong expression.
Referring to the game of "poker" - they don't want to give information to
their opponents (the malware writers).

We're talking about giving info to customers, not opponents.
Last I read, this vulnerability is still only a "crash the application"
exploit target, not a major problem.

Well, you're being inconsistent. Earlier you were saying .ZIP files pose the
same threat as .MIM files. So which is it?

 
