Inviato April 16, 2010 It's quite some day since we posted news about ZipGenius. Many of you really believed that we sold our project to a Chinese startup software house, but it was quite clear that it was just an April Fool joke. Then I had to bring my mother to the hospital for a little disease and I had to go back and forth from the hospital for a week. Luckily, now everything is fine we could resume our work. Some week ago we were contacted by Peter Van Eeckhoutte (aka C0relan Security) in order to report a flaw that causes many zip utilities to crash and open a door to malicious code. The event is triggered by a specially crafted zip file which has a very very long filename stored in its central directory, and when I talk about a "very very long" filename, I mean a full path+filename info which is longer than the system MAX_PATH constant (255 characters). Many competitors didn't handle correctly this event and allowed the execution of a malicious code (in C0relan proof of concept, the code shows just a message). We tested ZipGenius latest build without checking the source code and found that... ZipGenius is SAFE! Our beloved software already handles this event since 2002: the problem popped out just some week after Windows XP release in 2001 and we put a code that checks filename length while reading the archive; if ZipGenius finds a very very long filename, it disables almost every feature and you can just close the archive and go on. Well, C0relan admits that ZipGenius main executable is safe but the problem still lives in a DLL that ships with ZipGenius: zgtips.dll. Peter is right and we worked together to fix the flaw, but this event mad a new problem to pop out... The zgtips.dll shell extension causes Windows Vista and 7 Explorer to crash. It's really a weird behaviour: we modified a lot of code in that dll and we also tried to rebuild it from the ground, but it still shows the "infotip" on ZIP archives and, after about a minute, Explorer crashes. On the contrary, in Windows XP this doesn't happen and the shell extension works as designed. This behavour is leading us to take an hard decision: in next ZipGenius build, zgtips.dll likely will be installed in Windows XP, 2000 and Server 2003/2008, while it won't in Windows Vista and 7. We are thinking that it is something related to the Aero interface of Vista/7 and we are still trying to uinderstand what is going on. This also leads us to reconsider the decision to build an InfoTip shell extension for x64 systems. We are ready to launch the premium support program: stay tuned! Condividi questo messaggio Link di questo messaggio Condividi su altri siti
