In association with heise online

15 November 2006, 13:53

Critical hole in WinZip ActiveX module


Version 10 of the widely distributed Windows compression software WinZip registers an ActiveX module on the system during installation. Unfortunately, that module contains a security hole. Simply visiting a specially prepared website is all that's needed to compromise the computer.

The WinZip ActiveX module WZFILEVIEW.FileViewCtrl.61, an in-house implementation of the functions of the FileView ActiveX module, allows attackers to plant malicious code using rigged websites. During installation, the ActiveX control is marked as "safe for scripting," which tells Internet Explorer that it may load the control whenever a website requests it.

Only users of the WinZip 10 series are affected, as older versions do not contain the ActiveX module. The current version, WinZip 10.0 build 7245, closes the hole. Administrators also have the option of setting the kill bit for the ActiveX component; the CLSID is {A09AE68F-B14D-43ED-B713-BA413F03490}.
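For administrators taking the kill-bit route, the following added example (not from the original article or from WinZip) reports whether the kill bit is set for a given control and, with `-Set`, applies it. It relies on the standard Internet Explorer mechanism: a key named after the CLSID under `ActiveX Compatibility` whose `Compatibility Flags` DWORD has bit 0x400 set. The script name and parameters are hypothetical, and the CLSID is passed in by the operator and checked for well-formedness rather than hard-coded, so confirm the full value against the control registered on an affected machine.

```powershell
# Added example: audit or set the IE kill bit for one ActiveX CLSID.
# Run elevated. -Clsid is supplied by the operator; nothing is hard-coded.
param(
    [Parameter(Mandatory = $true)][string]$Clsid,
    [switch]$Set   # without -Set the script only reports
)

$KillBit = 0x400   # "Compatibility Flags" bit: IE must never instantiate the control

# Refuse malformed CLSIDs: a key named after the wrong value protects nothing.
$parsed = [guid]::Empty
if (-not [guid]::TryParse($Clsid, [ref]$parsed)) {
    throw "Not a well-formed CLSID: $Clsid"
}
$name = $parsed.ToString('B').ToUpper()   # canonical {XXXXXXXX-XXXX-...} form

# 32-bit IE on 64-bit Windows reads the WOW6432Node view, so cover both.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path -LiteralPath $_ }

foreach ($root in $roots) {
    $key   = Join-Path $root $name
    $flags = 0
    if (Test-Path -LiteralPath $key) {
        $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue
        if ($prop) { $flags = [int]$prop.'Compatibility Flags' }
    }

    if ($Set -and -not ($flags -band $KillBit)) {
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # OR the bit in so that any flags already present are preserved.
        $flags = $flags -bor $KillBit
        New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
            -PropertyType DWord -Value $flags -Force | Out-Null
    }

    [pscustomobject]@{
        Key        = $key
        Flags      = '0x{0:X8}' -f $flags
        KillBitSet = [bool]($flags -band $KillBit)
    }
}
```

Running it without `-Set` across a fleet gives a quick audit of which machines still allow the control; Internet Explorer must be restarted before a newly set kill bit takes effect.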
