Server-client communication in certain versions of the WinZip file compression tool is insecure and could be tampered with to deliver malicious content to users.
WinZip is a long-standing utility for Windows users whose file-archiving needs go beyond the support built into the operating system.
The tool, originally released about 30 years ago, now has versions for macOS, Android and iOS, as well as a corporate edition that adds collaboration features. According to its website, the application has more than one billion downloads.
Martin Rakhmanov of Trustwave SpiderLabs captured traffic from a vulnerable version of the tool to demonstrate this unencrypted communication.
Given the insecure nature of the communication channel, Rakhmanov says the traffic can be "stolen, manipulated or hijacked" by an intruder on the same network as the WinZip user.
One risk arising from this is DNS poisoning, which tricks the application into retrieving a fake update from a malicious web server.
"As a result, the unsuspecting user can start arbitrary code as if it were a valid update," Rakhmanov said in a post today.
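The scenario above works because the client has no way to tell a genuine update response from one served by whatever host a poisoned DNS answer points it at. The following is an added example of the client-side check that closes that gap; it is not WinZip's or Trustwave's code, and the manifest fields, the `updates.example.invalid` hostname and the hash values are constructed placeholders. The client accepts an update descriptor only if it carries a valid Ed25519 signature from a publisher key pinned in the binary and if the download URL is https, so redirecting the request to another server gains the attacker nothing without the publisher's private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// UpdateManifest is a hypothetical update descriptor for this example; the
// field names are assumptions, not WinZip's actual update protocol.
type UpdateManifest struct {
	Version     string `json:"version"`
	DownloadURL string `json:"download_url"`
	SHA256      string `json:"sha256"` // installer hash the client re-checks after download
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned publisher key")
	ErrInsecureScheme = errors.New("download URL must use https")
)

// SignManifest is the publisher-side step: serialize the manifest and sign it
// with the publisher's private key, which never leaves the build pipeline.
func SignManifest(priv ed25519.PrivateKey, m UpdateManifest) (manifestJSON, sig []byte, err error) {
	manifestJSON, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// VerifyManifest is the client-side step. It accepts a manifest only if the
// bytes were signed by the key pinned in the client AND the download URL is
// https. A poisoned DNS answer can steer the client to an attacker's server,
// but that server cannot forge a signature without the publisher's private key.
func VerifyManifest(pub ed25519.PublicKey, manifestJSON, sig []byte) (*UpdateManifest, error) {
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return nil, ErrBadSignature
	}
	var m UpdateManifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	u, err := url.Parse(m.DownloadURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, ErrInsecureScheme
	}
	return &m, nil
}

func main() {
	// Publisher key pair; in a real client only pub would be embedded.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed manifest: hostname and hash are placeholders.
	legit := UpdateManifest{
		Version:     "25.0",
		DownloadURL: "https://updates.example.invalid/winzip-25.exe",
		SHA256:      "0000000000000000000000000000000000000000000000000000000000000000",
	}
	body, sig, _ := SignManifest(priv, legit)
	if m, err := VerifyManifest(pub, body, sig); err == nil {
		fmt.Println("accepted genuine manifest for version", m.Version)
	}

	// A spoofed manifest from a server the client was redirected to: the
	// attacker can only sign with their own key, so verification fails.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fake := UpdateManifest{Version: "99.0", DownloadURL: "https://updates.example.invalid/fake-update.exe", SHA256: "ffff"}
	fakeBody, fakeSig, _ := SignManifest(attackerPriv, fake)
	if _, err := VerifyManifest(pub, fakeBody, fakeSig); err != nil {
		fmt.Println("rejected spoofed manifest:", err)
	}
}
```

The https requirement and the signature are complementary: TLS protects the channel, while the pinned signing key protects the content even if the channel is ever terminated by the wrong party. A client that also compares the downloaded installer against the manifest's hash closes the last gap between "verified descriptor" and "verified binary".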
In vulnerable versions of WinZip, an attacker could also obtain potentially sensitive information, such as the username and the registration code.
Rakhmanov says the cleartext channel is also used to display pop-ups telling users of the free trial version how much of the trial period they have left.
Version 25 of WinZip no longer uses cleartext communication, and users are advised to upgrade to the latest version of the application.
However, many users may not download the current version because upgrades are paid. WinZip Standard costs $35.64 and the Pro version $59.44.
If upgrading is not an option, users are advised to disable the application's update checks.