[SecurityRatty] tag: winzip

Gdiplus.dll Vulnerability In WinZip Fixed In Version 11.2 SR-1

Tue, 30 Sep 2008 19:09:57 +0000

WinZip Computing released WinZip 11.2 SR-1 on September 25 with a critical update to all installations of WinZip 11. The release addresses a security vulnerability that exists in one of the modules shipped with WinZip 11. This component is not a WinZip module but rather a Microsoft module that WinZip Computing shipped for the convenience [...]

DIY Exploit Embedding Tool - A Proprietary Release

Mon, 28 Apr 2008 00:45:00 +0000

Rember the reprospective on DIY exploit embedding tools, those cybercrime 1.0 point'n'click exploits serving generators? Despite that the cybercrime 2.0 has to do with malicious economies of scale, that is the use of web malware exploitation kits compared to their 1.0 alternative, the DIY tools, such tools continue to be developed, like this proprietary one including sixteen exploits for the buyer to take advantage of, if she's willing to invest £100 (GBP) of course. Exploits listed :

- D-Link MPEG4 VAPGDecoder ActiveX
- Macrovision Installshield ActiveX
- MySpace Uploader ActiveX
- Symantec BackupExec ActiveX
- Yahoo! JukeBox ActiveX
- Microsoft Works ActiveX (0day)
- Microsoft Internet Explorer MS06-014 (MDAC)
- Microsoft Internet Explorer MS07-009
- Facebook Uploader ActiveX
- Microsoft DirectSpeechSynthesis ActiveX
- Realplayer ActiveX
- WinZip FileView ActiveX
- Yahoo Messenger Webcam ActiveX
- Microsoft Internet Explorer MS06-013
- Microsoft Internet Explorer MS07-004
- Microsoft Internet Explorer MS07-055

With the now commodity web malware exploitation kits and their modularity streamlining "innovation" in the field, such DIY tools are only a fad compared to malicious parties' interest in exploiting as many people as possible, without putting extra efforts in the process (malicious economies of scale). And with the overall proliferation of client-side vulnerabilities, and the surprisingly high success rate of exploiting outdated and already patched vulnerabilities on a large scale (Stormy Wormy), ensuring your client-side applications are vulnerable to zero days only is highly recommended.

Martin Hellman on the Invention of Public-Key Cryptography

Tue, 25 Mar 2008 10:21:04 +0000

At the DISI conference last December, Martin Hellman gave a lecure on the invention of public-key cryptography. A video is online (it's hard to find, search for his name), along with PowerPoint slides.

(Unfortunately, the video isn't set up for streaming; in order to view the it, you'll have to download the ten files, then use a fairly recent version of WinZip to concatenate the files.)