This advisory speaks to a vulnerability that is very obscure and, in my opinion, would be tricky to pull off so that it would cause damage. Even if one were to receive a Zip archive that caused a buffer overflow, there would also have to be an executable script, lying in wait, that would then take advantage of this vulnerability. A buffer overflow by itself is not something to be terribly worried about; the problem is that when it occurs it leaves a window of opportunity for someone to take advantage of. Somehow the script would have to be executed as soon as the file was expanded (not an easy trick).
So, if individuals on this list do trade zip files it is still unlikely that this will pose much of a problem. This is especially true if the zip archives are coming from a trusted source. One of the advantages of using the Mac operating system is that, generally, it does not go around executing invisible files unbeknownst to the user. Now if this vulnerability existed on the Windows platform, it would be a serious problem because Windows loves to execute little VB scripts without the user knowing about it.

My original advice stands. It would be best to wait for a new version of Expander before updating. There are simply too many problems with the app in its current state. Although Apple has put up a bulletin on this vulnerability (it would be irresponsible not to), I don't see that it is particularly dangerous.

my .02

Jesse

On Thursday, October 3, 2002, at 02:28 PM, Jerry Yeager wrote:

> I am not so sure if this (not updating) is a good idea. Many of us
> swap files with M$ using folks, so we need to be able to trust the
> .zip file we are getting is a good one. Apple has also issued an
> advisory about this vulnerability:
>
> Apple Security Advisory APPLE-SA-2002-10-02 Stuffit Expander ZIP
> archives containing files with large filenames can cause a buffer
> overflow when expanded. Versions 6.5.2 and earlier of the Stuffit
> Expander utility contain this vulnerability. Affected systems: Systems
> that contain Stuffit Expander version 6.5.2 or earlier
>
> Jerry
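A check that follows from the advisory quoted in this thread, added here as an example and not part of the original messages: it reads the filename-length fields of a ZIP archive without expanding it and reports entries over a limit. The 255-byte limit and the function names are assumptions; the advisory does not say how long a filename has to be.

```python
import io
import struct
import zipfile

MAX_NAME_BYTES = 255  # assumed threshold; the advisory gives no number


def oversized_names(data, limit=MAX_NAME_BYTES):
    """Return (central_len, local_len, preview) for entries whose declared
    filename length exceeds limit in either the central or local header."""
    eocd = data.rfind(b"PK\x05\x06")  # end-of-central-directory record
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("not a ZIP: no end-of-central-directory record")
    # Offset 10: total entries (2 bytes), directory size (4), directory offset (4)
    total, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    hits = []
    for _ in range(total):
        if pos + 46 > len(data) or data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        # The local file header repeats the length; the two copies can disagree,
        # and an expander may trust either one, so both are checked.
        local_len = 0
        if local_off + 30 <= len(data) and data[local_off:local_off + 4] == b"PK\x03\x04":
            (local_len,) = struct.unpack_from("<H", data, local_off + 26)
        if max(name_len, local_len) > limit:
            preview = data[pos + 46:pos + 46 + 16].decode("ascii", "replace")
            hits.append((name_len, local_len, preview))
        pos += 46 + name_len + extra_len + comment_len
    return hits


def build_sample():
    """Constructed sample: one ordinary entry and one with a 304-byte name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("readme.txt", "ok")
        z.writestr("A" * 300 + ".txt", "x")
    return buf.getvalue()


if __name__ == "__main__":
    for central, local, preview in oversized_names(build_sample()):
        print(f"name length central={central} local={local}: {preview}...")
```

An archive that raises `ValueError` here is malformed and should be treated with the same caution as one that reports an oversized name.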
