CIAC INFORMATION BULLETIN

R-045: WinZip FileView ActiveX Control

November 16, 2006 18:00 GMT

PROBLEM: A vulnerability was reported in WinZip. A remote user can cause arbitrary code to be executed on the target user's system.
PLATFORM: 10.0 prior to 10.0 Build 7245
DAMAGE: A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a flaw in the FileView ActiveX control and execute arbitrary code on the target system. The code will run with the privileges of the target user.
SOLUTION: Apply current patches.

VULNERABILITY
ASSESSMENT:
The risk is MEDIUM. A remote user can execute arbitrary code on the target user's system.
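The PLATFORM and SOLUTION lines give an exact fixed build, which is enough to triage a software inventory before confirming that the patch has been applied. The following script is an added example, not part of the CIAC bulletin or any WinZip tooling; it assumes a constructed CSV inventory of hostname and reported WinZip version string, and it encodes only the range this bulletin states (10.0 prior to build 7245), flagging everything else for manual review rather than guessing.

```python
import csv
import io
import re
from typing import Dict, Optional, Tuple

# Affected range exactly as stated in the bulletin.
AFFECTED_MAJOR_MINOR = (10, 0)
FIXED_BUILD = 7245

# Accepts "10.0 Build 7245", "10.0 (7245)", "10.0 7245" and bare "10.0".
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\s*(?:build\s*|\(\s*)?(\d{3,5})\s*\)?)?$", re.IGNORECASE
)


def parse_winzip_version(text: str) -> Optional[Tuple[int, int, Optional[int]]]:
    """Return (major, minor, build); build is None when the string omits it."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    build = int(m.group(3)) if m.group(3) else None
    return int(m.group(1)), int(m.group(2)), build


def assess_version(text: str) -> str:
    """Classify one version string against the bulletin's affected range."""
    parsed = parse_winzip_version(text)
    if parsed is None:
        return "unknown"          # unparseable: needs a manual look
    major, minor, build = parsed
    if (major, minor) != AFFECTED_MAJOR_MINOR:
        return "not_in_scope"     # bulletin only names 10.0; review separately
    if build is None:
        return "unknown"          # 10.0 with no build: cannot tell, so review
    return "vulnerable" if build < FIXED_BUILD else "patched"


def triage_inventory(csv_text: str) -> Dict[str, str]:
    """Map each host in a 'host,winzip_version' CSV to its assessment."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: assess_version(row["winzip_version"]) for row in reader}


# Constructed sample inventory (hypothetical hosts and version strings).
INVENTORY = """host,winzip_version
ws-01,10.0 Build 7245
ws-02,10.0 (7200)
ws-03,11.0 Build 7300
ws-04,10.0
ws-05,not installed
"""

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host}: {status}")
```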

LINKS:
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/r-045.shtml
  ORIGINAL BULLETIN: http://www.winzip.com/wz7245.htm
  ADDITIONAL LINKS: SecurityTracker Alert ID: 1017226
                    http://securitytracker.com/alerts/2006/Nov/1017226.html
  CVE: CVE-2006-5198

[***** Start WinZip 10.0 Build 7245 *****]


See http://www.winzip.com/wz7245.htm for information regarding this vulnerability.


[***** End WinZip 10.0 Build 7245 *****]


CIAC wishes to acknowledge the contributions of Security Tracker for the information contained in this bulletin.
DOE-CIRC can be contacted at:
    Voice:           +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/