Google discovered critical vulnerability in UnZip

A researcher of the Google Security Team has a critical vulnerability in UnZip discovered, an open source tool to tackle them from files. Due to an error in the cyclic redundancy check (CRC), it is possible to cause a buffer overflow that may allow an attacker to run arbitrary code on the computer. CRC is correct a check for detecting errors.

To carry out the attack, an attacker the victim or a specially prepared zip file via the command unzip -t leave open. Google adheres next to the search for vulnerabilities in their own software too busy checking open source software. The leak was reported on December 3 by researcher Michele Spagnuolo.

On the same day, there appeared the UnZip administrator update, followed by a second update later that day. A week later warned were all affected suppliers using UnZip, after yesterday's advisory appeared online. The leak is present in UnZip 6.0 ​​and older. The last update of the program dates from April 2009.