=====================================================================
                                   CERT-Renater

                        Information Note No. 2008/VULN392
_____________________________________________________________________

DATE                      : 30/09/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Windows running WinZip 11.

======================================================================
http://update.winzip.com/wz112sr1.htm
______________________________________________________________________

WinZip 11.2 SR-1 (Build 8261)

Q: What is WinZip 11.2 SR-1?

A: On September 25, 2008, WinZip® Computing released WinZip 11.2 SR-1, a
critical update to all installations of WinZip 11. WinZip 11.2 SR-1 is a
free upgrade for registered users of versions 11.0, 11.1 and 11.2.

This release addresses a security vulnerability that exists in one of
the modules shipped with WinZip 11. This component is not a WinZip
module but rather a Microsoft module that WinZip Computing shipped for
the convenience of our Windows 2000 customers.

Distribution files for WinZip versions 11.1 and 11.2 included an earlier
gdiplus.dll which was placed in the WinZip program folder for Windows
2000 systems only. Other operating systems are not affected by these
installations. Upgrading to WinZip 11.2 SR-1 or WinZip 12.0 on Windows
2000 systems will replace the earlier gdiplus.dll with a newer version
that is not subject to the security vulnerability.

Distribution files for WinZip version 11.0 included an earlier
gdiplus.dll which was placed in the WinZip program folder without regard
to operating system. Note, however, that the .DLL is only utilized by
WinZip on Windows 2000 systems. Versions of WinZip prior to 11.0 are not
affected by this security vulnerability. Upgrading to WinZip 11.2 SR-1
(Build 8261) or WinZip 12.0 will remove the earlier gdiplus.dll from the
WinZip program folder on Windows XP or Vista systems.

On Windows XP or Vista, you may simply delete the file from the WinZip
folder (if it exists).

WinZip's use of GDI+ technology is limited to viewing image files in Zip
archives when the view mode is set to an Explorer Style/Thumbnail view
or when using the internal image viewer (WinZip Pro feature).
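
An added example (not part of the advisory and not WinZip's own tooling): a report-only PowerShell check for the bundled gdiplus.dll described above. The default install folders and the WINZIP32.EXE file name are assumptions; pass -Folder to inspect other locations.

```powershell
# Added example, report-only: nothing is deleted or modified.
# Assumptions (not from the advisory): default install folders, WINZIP32.EXE name.
param([string[]]$Folder)

if (-not $Folder) {
    $Folder = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'WinZip' }
}

# Map the running OS onto the cases the advisory distinguishes.
# 5.2 (XP x64 / Server 2003) is grouped with XP here as an assumption.
$os = [Environment]::OSVersion.Version
$osCase = switch ("$($os.Major).$($os.Minor)") {
    '5.0'   { 'Windows 2000' }
    '5.1'   { 'Windows XP/Vista' }
    '5.2'   { 'Windows XP/Vista' }
    '6.0'   { 'Windows XP/Vista' }
    default { 'Other' }
}

foreach ($dir in $Folder) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    $dll = Join-Path $dir 'gdiplus.dll'
    $exe = Join-Path $dir 'WINZIP32.EXE'
    $hasDll = Test-Path -LiteralPath $dll -PathType Leaf

    # Version resources tell you which WinZip build and which GDI+ copy are on disk.
    $exeVer = $null
    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        $exeVer = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
    }
    $dllVer = $null
    if ($hasDll) { $dllVer = (Get-Item -LiteralPath $dll).VersionInfo.FileVersion }

    $advice = if (-not $hasDll) { 'No bundled gdiplus.dll in this folder' }
        elseif ($osCase -eq 'Windows 2000') { 'Upgrade to WinZip 11.2 SR-1 or 12.0 to replace the DLL' }
        elseif ($osCase -eq 'Windows XP/Vista') { 'Delete the DLL or upgrade to 11.2 SR-1 / 12.0' }
        else { 'OS not covered by the advisory: review manually' }

    [pscustomobject]@{
        Folder         = $dir
        OS             = $osCase
        WinZipVersion  = $exeVer
        GdiPlusFound   = $hasDll
        GdiPlusVersion = $dllVer
        Advice         = $advice
    }
}
```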

Q: How do I get WinZip 11.2 SR-1?

A: You can simply download and install WinZip 11.2 SR-1 over your
existing WinZip 11 installation. In order to preserve your existing
WinZip registration information, please do NOT uninstall your current
WinZip 11 before installing this new version of WinZip 11.

Q: How do I know what version of WinZip I have installed?

A: You can see the version and build number on your screen in the area
indicated with the red oval.

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
