[BreachExchange] Hackers can use WinZip insecure server connection to drop malware

Destry Winant destry at riskbasedsecurity.com
Fri Dec 11 11:00:51 EST 2020


https://www.bleepingcomputer.com/news/security/hackers-can-use-winzip-insecure-server-connection-to-drop-malware/

The server-client communication in certain versions of the WinZip file
compression tool is insecure and could be modified to serve malware or
fraudulent content to users.

WinZip has been a long-standing utility for Windows users with file
archiving needs beyond the support built in the operating system.

Initially released almost 30 years ago, the tool now has versions for
macOS, Android, and iOS, as well as an enterprise edition that adds
collaboration features. According to its website, the application has
more than one billion downloads.

Clear-text traffic

WinZip is currently at version 25, but earlier releases check the
server for updates over an unencrypted connection, a weakness that
could be exploited by a malicious actor.

Martin Rakhmanov of Trustwave SpiderLabs captured the traffic from a
vulnerable version of the tool to demonstrate the unencrypted communication.

Given the insecure nature of the communication channel, Rakhmanov says
that the traffic can be “grabbed, manipulated, or hijacked” by an
attacker on the same network as the WinZip user.

One risk stemming from this action is DNS poisoning, which tricks the
application into retrieving a fake update from a malicious web server.

“As a result, unsuspecting user can launch arbitrary code as if it is
a valid update,” Rakhmanov notes in a blog post today.

On registered versions of WinZip that are vulnerable, the attacker
could also obtain potentially sensitive information such as the
username and the registration code.

Rakhmanov says that cleartext communication is also used for showing
pop-ups informing users with a free trial version of WinZip how much
time they have left for testing.

The content in the popup is HTML that retrieves JavaScript. This
allows an attacker on the network to expose users to arbitrary content
that appears to come directly from WinZip servers.

The researcher says that this scenario also comes with the risk of
executing arbitrary code on the victim’s machine because WinZip offers
some “powerful” APIs to the JavaScript.

With the release of WinZip 25, cleartext communication no longer
occurs. Users are advised to upgrade to the latest version of the
application.

Many users may not jump at getting the current release, though,
because upgrades are paid. The standard WinZip costs $35.64 and the
Pro edition is $59.44.

If upgrading the software is not an option, users are advised to
disable update checks. This will stop the client from querying the
WinZip server for the availability of a new version.
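One way a defender can find machines still affected by the clear-text update check described above is to flag plaintext HTTP requests to the vendor's update and trial-popup hosts in proxy logs. This is an added example, not from the article or from WinZip; the log format, the client IPs and the placeholder domain suffix `.example-winzip.invalid` are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the article):
# timestamp client_ip method url user_agent
SAMPLE_PROXY_LOG = """\
2020-12-11T10:01:02Z 10.0.0.21 GET http://update.example-winzip.invalid/check?ver=24.0 WinZip/24.0
2020-12-11T10:01:05Z 10.0.0.22 GET https://update.example-winzip.invalid/check?ver=25.0 WinZip/25.0
2020-12-11T10:02:10Z 10.0.0.21 GET http://trial.example-winzip.invalid/popup.html WinZip/24.0
2020-12-11T10:03:00Z 10.0.0.23 GET http://www.example.invalid/index.html Mozilla/5.0
"""

# Assumed placeholder suffix standing in for the vendor's update/trial hosts.
VENDOR_HOST_SUFFIX = ".example-winzip.invalid"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<ua>.+)$"
)


def find_cleartext_update_checks(log_text):
    """Return (client_ip, url, user_agent) for every plaintext HTTP request
    to a vendor host. Any such request is tamperable by an on-path attacker,
    so the client that sent it is a pre-25 install that needs attention."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        # Scheme 'http' means no TLS: the response can be spoofed or altered.
        if parts.scheme == "http" and host.endswith(VENDOR_HOST_SUFFIX):
            findings.append((m["ip"], m["url"], m["ua"]))
    return findings


def hosts_to_remediate(log_text):
    """Unique client IPs that should be upgraded or have update checks disabled."""
    return sorted({ip for ip, _, _ in find_cleartext_update_checks(log_text)})


if __name__ == "__main__":
    for ip, url, ua in find_cleartext_update_checks(SAMPLE_PROXY_LOG):
        print(f"{ip} cleartext request to {url} ({ua})")
    print("upgrade or disable update checks on:", hosts_to_remediate(SAMPLE_PROXY_LOG))
```

The HTTPS request from the version 25 client is deliberately not flagged, so the output lists only the host still running the vulnerable release.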

