Vulnerability in all winzip versions?:
Author: Pablo Sabbatella
Site: www.hackemate.com.ar
Date: 14-03-2002
I dont know if this a security bug, vulnerability
or whatever, but I found it was pretty dangerous. Lets
suppouse we want to secure the file secret.txt, so we
zip it with winzip and choose to protect it with a
password we only know. We save it and then one day we
decide to access it, so we open it, we enter the password,
it opens secret.txt, we close Winzip and we visualize the
file that we had protected before. After watching it, we
close it and get to another thing. Well, this proccess seems
quite common, but if you open a passworded file and you close
Winzip before closing the file, that file will be stored with
NO PASSWORD PROTECTION in C:\Windows\Temp or your predeterminated
Temp directory.
This only affects users who sahre the computer with others,
and paranoic :).
Possible fixes: - Donīt close winzip till you finish with the secured
file
- Empty Temp Directory after each session in Winzip
with passworded files
- Microsoft, could make a patch for those files to be
automaticaly deleted or not stored in Temp
directory.
Greetz to you all guys
Pablo Sabbatella
sabbatellaat_private
www.Hackemate.com.ar
ICQ: 126270302
This archive was generated by hypermail 2b30 : Sun Mar 17 2002 - 01:05:34 PST