WinZip blasts hole in Windows 2000 security

WinZip has admitted to a security problem relating to Windows 2000 and its WinZip file compression program. WinZip versions 11.0, 11.1 and 11.2 apparently contain a vulnerable version of Microsoft's gdiplus.dll graphics library. The bug can result in infection when users view crafted images. When installing the affected versions, WinZip places the gdiplus.dll file in the WinZip program folder.

Although the vulnerable file is always installed in the WinZip program folder regardless of the operating system, it is only under Windows 2000 that the program uses it to preview archived images. According to the vendor, WinZip versions prior to 11.0 do not contain the vulnerable library. It is not entirely clear which vulnerability the vendor is referring to. Microsoft most recently corrected a bug in the library at the last September patch day.

Service releases WinZip 11.2 SR-1 and WinZip 12 fix the bug and, where installed under Windows 2000, replace the vulnerable version of gdiplus with an updated, bug-fixed version. Under Windows XP and Vista, the file is simply deleted as surplus to requirements. Alternatively, XP and Vista users can delete it manually.

The problem of differing DLL versions under Windows – nicknamed "DLL hell" – was previously responsible for thwarting the reliable plugging of security holes in late 2004. In that case it was once again gdiplus.dll which was affected, due to its being included with many different programs and saved in many different locations on the system.

(jbe)