WinZip vulnerable to buffer overflow in handling of MIME archive parameters

ID VU:116182
Type cert
Reporter CERT
Modified 2004-03-01T15:50:00



A buffer overflow vulnerability in the WinZip program could allow a remote attacker to execute arbitrary code on a vulnerable system.


WinZip Computing, Inc.'s WinZip is a popular utility for creating and extracting a variety of archive file formats on Microsoft Windows-based systems. A buffer overflow error exists in the way that WinZip handles certain parameters of MIME archives.

This error results in a vulnerability when WinZip attempts to interpret invalid data in a MIME-encoded file.

An attacker could exploit this vulnerability by introducing a specially-crafted file to be opened by WinZip, and then coaxing or tricking a user or application into opening it. The malicious file could be introduced in a number of ways including, but not limited to, a remote web page, an email attachment, peer-to-peer file sharing, or network filesystems.


An attacker could execute arbitrary code of their choice on a vulnerable system.


Upgrade to the latest version of the software

WinZip Computing, Inc. has released an updated version of the WinZip software that includes a fix for this vulnerability. Users are strongly encouraged to upgrade to this version of the software. More details can be found in the Systems Affected section of this document.

Vendor Information


Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

WinZip __ Affected

Updated: February 27, 2004



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


WinZip Computing, Inc. has released version 9.0 of the WinZip software which includes a patch for this vulnerability. Users are strongly encouraged to upgrade to this version of the software. Information about upgrading can be found at the following location:


If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group | Score | Vector
Base | |
Temporal | |
Environmental | |



Thanks to iDefense Security Advisory for reporting this vulnerability.

This document was written by Chad R Dougherty based on information provided by iDefense and WinZip

Other Information

CVE IDs: | None
Severity Metric: | 7.70
Date Public: | 2004-02-27
Date First Published: | 2004-03-01
Date Last Updated: | 2004-03-01 15:50 UTC
Document Revision: | 13