Winzip: Vulnerability allows malicious code to be injected

A vulnerability in Winzip allows attackers to inject arbitrary code with manipulated archives. An update corrects this.

A ZIP file opens and releases malware on the computer

(Image: Created with AI in Bing Designer by heise online / dmk)

IT security researchers have discovered a security vulnerability in the Winzip packing program. It allows attackers to inject malicious code onto victims' systems using manipulated archives. When a victim opens a malicious website or a carefully prepared archive with Winzip, attackers from the network can execute arbitrary code.

IT researchers from Trend Micro's Zero-Day Initiative (ZDI) have discovered the vulnerability and published a security bulletin about it. The problem exists when processing 7-Zip files (7z). "The problem results from a lack of verification of user-supplied data, which allows write access beyond the limits of an allocated memory area," explain the IT researchers.

"Attackers can exploit the vulnerability to execute arbitrary code in the context of the current process," the ZDI team explains further (CVE-2025-1240, CVSS 7.8, risk "high"). The vulnerability was discovered last September. The security notification with a CVE entry was issued a few days ago.

Winzip 29.0 no longer contains the vulnerability. The developers do not mention any security fixes in the release notes, but they do mention updated RAR and 7-Zip libraries for version 29.

The updated packages are available for download on the Winzip download page. Anyone who has deactivated the software's update notifier or is not using it and is therefore still using an older version should update to the new version as soon as possible.

At the end of November, security vulnerabilities were discovered in 7-Zip, which also allowed attackers to infiltrate and execute malicious code from the network. However, this involved the processing of archives in the Zstandard format, which is mainly used under Linux.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.