Researchers have discovered a critical security flaw in WinZip
24 that can be used to push malware to its users. The WinZip trial
popup vulnerability lets an attacker on the same network use
techniques such as DNS poisoning to achieve arbitrary code execution
on the victim's machine.
When WinZip displays the prompt about the expiry of the free trial,
and when it sends its requests to check for updates, it communicates
in plaintext over HTTP instead of HTTPS. The vulnerability lies in
the way WinZip talks to its servers: because nothing on that channel
is encrypted or authenticated, a malicious actor can tamper with it
and deliver malware through the same path. WinZip is a ZIP tool used
to compress and decompress files; it can pack and unpack almost all
common archive formats, including zip, tar and rar. The tool is free
to download for a trial period, and to keep using it fully, users
must purchase a license. To enforce this, the software periodically
contacts WinZip's servers to check the trial status and to look for
updates. While running in trial mode it repeatedly displays a popup
about the trial, and both that popup content and the update check
travel over the plaintext channel described above. That is where
the bug was found.
An attacker positioned on the network path can intercept that
traffic, alter the content in transit, and substitute a trojanised
WinZip "update" of their own. Matters are made worse by the fact
that the update request also carries personal data about the user
in its query string, such as the registered username, the
registration code and other details needed to process the request.
An attacker who is in a position to meddle with the trial popup can
read this information as well.
"WinZip 24 opens pop-up windows from time to time when running in Trial
mode. Since the content of these popups is HTML with JavaScript
that is also retrieved via HTTP, it makes manipulation of that
content easy for a network-adjacent attacker," the researchers from
Trustwave explained.
"The application sends out potentially sensitive information
like the registered username, registration code and some other
information in query string as a part of the update request. Since
this is over an unencrypted channel this information is fully
visible to the attacker."
"This means anyone on the same network as a user running a vulnerable version of WinZip can use techniques like DNS poisoning to trick the application into fetching "update" files from a malicious web server instead of the legitimate WinZip update host. As a result, an unsuspecting user can launch arbitrary code as if it is a valid update," the researchers further added.
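The two weaknesses the researchers describe, an unauthenticated plaintext channel and sensitive fields in the query string, are the kind of thing a code reviewer or a network monitor can check mechanically. The script below is an added example, not WinZip's or Trustwave's code: it rebuilds the URL from a constructed HTTP request (the host update.example.com and the parameter names username and regcode are placeholders, not WinZip's real endpoint or protocol), flags the plaintext scheme and the leaked fields, and shows the minimal checks a hardened updater performs instead, refusing to contact a non-HTTPS origin and verifying a pinned SHA-256 digest of the downloaded installer before running it.

```python
"""Audit an update-check request of the kind described above.

Added example, not WinZip's or Trustwave's code. The raw request, the host
update.example.com and the parameter names (username, regcode) are
constructed placeholders, not WinZip's real endpoint or protocol.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Query-string keys that identify the user or licence and should never be
# sent over a channel an on-path attacker can read (assumed names).
SENSITIVE_PARAMS = {"username", "user", "email", "regcode",
                    "registration_code", "serial", "license"}

# Constructed sample: what a passive observer on the LAN would see on port 80.
SAMPLE_REQUEST = (
    "GET /update/check?product=winzip&ver=24&username=alice&regcode=ABCD-1234 HTTP/1.1\r\n"
    "Host: update.example.com\r\n"
    "User-Agent: WinZip/24\r\n"
    "\r\n"
)


def url_from_raw_request(raw: str, scheme: str = "http") -> str:
    """Rebuild the absolute URL from a raw HTTP/1.1 request (request line + Host header)."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return f"{scheme}://{headers['host']}{target}"


def audit_update_url(url: str) -> dict:
    """Report the two weaknesses: plaintext transport and sensitive data in the query."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    leaked = sorted(k for k in query if k.lower() in SENSITIVE_PARAMS)
    findings = []
    if parts.scheme.lower() != "https":
        # No TLS: a network-adjacent attacker who wins the DNS race or sits on
        # the path can both read the request and replace the response body.
        findings.append("plaintext transport: response body is unauthenticated")
    if leaked:
        findings.append("sensitive fields in query string: " + ", ".join(leaked))
    return {
        "host": parts.hostname,
        "scheme": parts.scheme,
        "leaked": leaked,
        "findings": findings,
        "vulnerable": bool(findings),
    }


def hardened_fetch_allowed(url: str) -> bool:
    """A hardened updater refuses to even contact a non-HTTPS update origin."""
    return urlsplit(url).scheme.lower() == "https"


def verify_download(blob: bytes, expected_sha256_hex: str) -> bool:
    """Second line of defence: the installer's digest must match a value obtained
    over an authenticated channel (pinned in the client or carried in a signed
    manifest). compare_digest avoids a timing side channel on the comparison."""
    actual = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


if __name__ == "__main__":
    url = url_from_raw_request(SAMPLE_REQUEST)
    report = audit_update_url(url)
    print(url)
    for finding in report["findings"]:
        print(" -", finding)
    print("hardened client would fetch:", hardened_fetch_allowed(url))
```

Run against the constructed request it reports both findings; the same audit applied to an https URL without identifying parameters reports none. The digest check is only meaningful if the expected value did not itself arrive over the tamperable channel, which is why real updaters pair TLS with a signed manifest rather than relying on either alone.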
Read more https://www.ehackingnews.com/2020/12/hackers-dropping-malware-via-free.html

