Heads up, WinZip users. Make sure to update to the latest WinZip version, as it includes the patch for a serious security flaw. Exploiting this vulnerability in the WinZip Trial popup could allow an adversary on the same network to push malware to users.
WinZip Trial Popup Vulnerability
Researchers from Trustwave have reported a serious security vulnerability affecting the WinZip Trial popup.
As elaborated in a blog post, the vulnerability existed because of the way WinZip communicated with its servers.
WinZip can be downloaded free of charge as a trial. After the trial period expires, it requires the user to buy a license to continue using the tool to its fullest. To enforce this, it periodically checks the user's license status with its servers and displays prompts once it detects that the trial has expired.
That’s where the bug existed.
The researchers found that WinZip carried out this communication over plain, unencrypted HTTP. That made it possible for an adversary on the network path to intercept the traffic, tamper with the Trial popup, and serve a malicious WinZip build in place of the genuine one. Because nothing in the exchange was authenticated, the user would have no way of telling that a malicious WinZip version had been installed on the device.
As described by the researchers,
WinZip 24 opens pop-up windows from time to time when running in Trial mode. Since the content of these popups is HTML with JavaScript that is also retrieved via HTTP, it makes manipulation of that content easy for a network adjacent attacker.
The same weakness would also allow the adversary to passively steal sensitive data from the traffic.
The application sends out potentially sensitive information like the registered username, registration code and some other information in query string as a part of the update request. Since this is over an unencrypted channel this information is fully visible to the attacker.
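To make the two failures concrete, here is an added example; it is not WinZip's code and not from Trustwave's write-up. It models what the researchers describe: a plain-HTTP update request whose query string carries the registered user name and registration code, and a popup body (HTML plus JavaScript) that an on-path attacker can rewrite because nothing authenticates it. The host names, parameter names and popup markup are constructed for the example; the real WinZip endpoints and parameter names are not given on this page.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names a trial/update request might carry. These are assumed
# for the example; the page does not list WinZip's real parameter names.
SENSITIVE_PARAMS = {"username", "regcode", "email"}

# Constructed request, in the shape the researchers describe: registered
# user name and registration code in the query string of a plain-HTTP GET.
UPDATE_REQUEST = (
    "http://updates.example.invalid/check"
    "?product=winzip&ver=24&username=alice&regcode=ABC-123-XYZ"
)

# Constructed popup body: HTML plus JavaScript, as served to the trial client.
POPUP_HTML = """<html><body>
<p>Your trial has expired.</p>
<a href="http://www.example.invalid/buy">Buy now</a>
<script src="http://www.example.invalid/popup.js"></script>
</body></html>"""


def audit_request(url):
    """Return the findings for one outbound request URL.

    Two things are checked: whether the transport is cleartext, and whether
    the query string carries fields that should never leave the host in the
    clear. Both are visible to anyone on the path when the scheme is http.
    """
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append("cleartext transport: " + parts.scheme)
    leaked = sorted(k for k in parse_qs(parts.query) if k.lower() in SENSITIVE_PARAMS)
    if leaked:
        findings.append("sensitive fields in query string: " + ", ".join(leaked))
    return findings


def exfiltrated_fields(url):
    """Everything an on-path observer learns from the request's query string.

    Over https the query string is inside the TLS session, so the observer
    gets nothing from it (only the host name is exposed); over http it is all
    readable.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return {}
    return {k: v[0] for k, v in parse_qs(parts.query).items()}


def on_path_rewrite(html, attacker_host):
    """Model what a network-adjacent attacker can do to an unauthenticated
    HTTP response: repoint every link and script source at a host they
    control. Over plain HTTP the client has nothing it can use to notice."""
    return re.sub(r'(https?://)[^/"]+', r"\1" + attacker_host, html)


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def installer_is_trusted(blob, expected_sha256):
    """Moving the traffic to HTTPS is the fix for the transport; checking a
    fetched installer against a digest obtained out of band is the extra
    check a client can do before running anything it downloaded."""
    return sha256_hex(blob) == expected_sha256


if __name__ == "__main__":
    print(audit_request(UPDATE_REQUEST))
    print(exfiltrated_fields(UPDATE_REQUEST))
    print(on_path_rewrite(POPUP_HTML, "evil.example.invalid"))
```

Run it and the audit flags both the cleartext scheme and the `regcode`/`username` fields; the rewrite shows the popup's buy link and script source now pointing at the attacker's host, which is exactly the position a user in Trial mode was in before WinZip 25.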
Patch Available With WinZip 25 And Above
According to Trustwave, the vulnerability affected all WinZip versions up to and including WinZip 24, which means a large number of users could still be running a vulnerable version on their devices.
Trustwave responsibly disclosed the vulnerability to the developers, who patched the flaw with the release of WinZip 25. In that version, the vendor moved the update and popup traffic to HTTPS, so an attacker on the path can no longer read the request or tamper with the response.
So the straightforward fix is to upgrade to WinZip 25 or later. Those who cannot install the update can reduce their exposure by turning off the automatic check for updates option; that stops the request that carries the registration data, but it is a workaround, not a patch.
Alternatively, users of old WinZip versions can uninstall the software from their devices and reinstall the latest WinZip 25 downloaded from the vendor's website. Given what this flaw was about, make sure that download itself happens over HTTPS.
Let us know your thoughts in the comments.