November 14, 2006
Winzip 10.0 Patch released
Winzip has released a free patch to version 10.0 of their product for registered users.
I've been a registered user of Winzip for years. It's worth the money and provides many more features than the free versions of Winzip or Pkzip. (On a related note, I used to know Phil Katz, the creator of Pkzip (and what ultimately led to Winzip...but they are separate products now), back in the days before the Internet...the days of FIDONet and BBSs. Very interesting related story on employee intellectual rights I should share some day.)
Back to the patch. I received, at the same time, an email alert from FRSIRT telling me about the exploit, and a second email from Winzip Computing alerting me and offering the free patch. Kudos to Winzip for proactively contacting customers quickly. And kudos to the Zero Day Initiative team for finding the hole and following responsible disclosure.
This is the way it's supposed to work.
One other kudo to the Winzip folks. When you install Winzip, it prompts the user to set up a regular autoupdate check schedule. You're allowed to disable it, but if you choose that option, it strongly cautions against it and explains the risk. Nice touch to a great product. Many other third-party products just don't take the time for the small touches.
[Also, I want to thank Winzip for alerting me and allowing me to opt out of the Google toolbar install crap. I'd prefer that the defaults were not to install in the first place, and to ask the user to add those options; instead of default enables...but I won't ding you tonight because of all the other offsetting good security practices you displayed today.]
Posted by Roger Grimes on November 14, 2006 07:18 PM