Hackers have found yet another possible inroad they can use to infect the machines of unsuspecting users.
This time, they’re infecting older versions of WinZip.
If there’s one utility that’s nearly as ubiquitous as Adobe’s Acrobat Reader, it would probably be WinZip.
In the 30+ years since its initial release, the handy tool has seen variants that are compatible with macOS, Android, iOS, all versions of Windows, and a few others. All told, it boasts more than a billion downloads, and that, of course, doesn’t count the legions of people who got a copy from a friend. In short, it’s a utility you can find on a majority of PCs and tablets running today. It’s everywhere, and that’s part of the problem.
The current version of WinZip is 25, but only a small minority of users are utilizing the latest build, and unfortunately, older versions check the server for updates via an un-encrypted connection, which is a weakness all too easy for hackers to exploit.
Basically, if a hacker inserts himself into the update process, he can execute any arbitrary code he wants, and the machine will assume it’s a WinZip update. Unfortunately, the only solution to the issue is to upgrade to WinZip 25, but where prior editions of the utility have been free, the latest WinZip update is paid. You’ll need to shell out just over $35 for the basic version or just under $60 for the “Pro” version and that’s pricey, especially when there are good free variants like 7Zip that can be found.
The bottom line though, is that if you’re using an older version of WinZip, you should be aware that every time the utility scans for an update, you open a door, even if only briefly, that may allow a watchful hacker access to devices on your network, and that’s a problem.