iDEFENSE Security Advisory 02.27.04a: WinZip MIME Parsing Buffer Overflow Vulnerability
From: Albers, Lucas (luke_at_COE.MONTANA.EDU)
Date: 03/01/04
Date: Mon, 1 Mar 2004 15:44:10 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

There is a buffer overrun that affects WinZip 6.2 through 9.0beta.
This is exploitable via a carefully crafted file type
(see file types below.)
Vulnerability information:
http://www.idefense.com/application/poi/display?id=76&type=vulnerabiliti&flashstatus=true
We are contemplating how to protect against this.
1.) Upgrade all users to Winzip 9.0.
2.) Remove attachment association from the following extensions, via mass registry hack.
Which, according to the WinZip site,
http://www.winzip.com/fmwz90.htm
are these filetypes:
.B64, .BHX, .HQX, .MIM, .UUE, .UU, and .XXE filetypes,
3.) Block these additional attachment types at the server.
4.) Wait for virus updates from our vendor after the fact.
This just screams for a virus.
I think the easiest course of action would be to:
Block these file types at the mail server via extension blocking:
".B64, .BHX, .HQX, .MIM, .UUE, .UU, and .XXE filetypes,"
These file types except for HQX are not normally sent.
> WinZip MIME Parsing Buffer Overflow Vulnerability
>
> iDEFENSE Security Advisory 02.27.04a:
>
> http://www.idefense.com/application/poi/display?id=76&type=vulnerabiliti&flashstatus=true
> February 27, 2004
>
-----
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
-----
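
The extension blocking proposed in the message above, as an added example that is not part of the original post or of any mail server product: a Python check that walks a message's MIME parts and reports attachments whose filename ends in one of the listed extensions. The function name is hypothetical and the sample message is constructed.

```python
import email

# Extensions the post proposes blocking (WinZip's encoded-file handlers).
BLOCKED_EXTENSIONS = {".b64", ".bhx", ".hqx", ".mim", ".uue", ".uu", ".xxe"}


def blocked_attachments(raw_message):  # hypothetical helper name
    """Return the filenames of parts whose extension is on the block list."""
    msg = email.message_from_bytes(raw_message)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename= and falls back
        # to the Content-Type name= parameter, so both spellings are covered.
        name = part.get_filename()
        if not name:
            continue
        # Win32 file APIs drop trailing dots and spaces, so "x.mim." is
        # saved as "x.mim"; normalise case and trailing characters first.
        cleaned = name.rstrip(". ").lower()
        dot = cleaned.rfind(".")
        if dot != -1 and cleaned[dot:] in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


# Constructed sample message: one text part and three attachments.
SAMPLE = (
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XX"\r\n'
    b"\r\n"
    b"--XX\r\n"
    b"Content-Type: text/plain\r\n\r\nhello\r\n"
    b"--XX\r\n"
    b'Content-Type: application/octet-stream; name="Report.UUE"\r\n'
    b"\r\ndata\r\n"
    b"--XX\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="notes.mim."\r\n'
    b"\r\ndata\r\n"
    b"--XX\r\n"
    b'Content-Type: application/zip; name="archive.zip"\r\n'
    b"\r\ndata\r\n"
    b"--XX--\r\n"
)
```

The check is by filename only, which is what extension blocking at a mail gateway does; it does not inspect the content of a part.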