StuffIt 6.5.x and Earlier Allows Buffer Overflow
A user writes in that Aladdin Systems has announced that StuffIt, versions 6.5.x and earlier for Mac OS and Mac OS X, "may contain a flaw that would cause expanding certain maliciously crafted .zip archives to execute unwanted instructions or code." Aladdin notes that no such "trojan horses" have been reported. StuffIt Expander 7.0 is, as with previous versions, free to download and use.
My first experience with StuffIt Expander 7 was a very slow one compared to the previous version (that came with Jagwyre). So I downgraded at the first chance.
You shouldn't be using zip files on Mac in general unless it is some sort of code or something. Malicious code would require a specific target platform of the Mac to do anything substantial, and being that nobody in their right mind would create zip files for Mac, I don't see much problem.
What we see depends on mainly what we look for. -- John Lubbock Now search for that bug slave!
If you're using MacOS 9 or earlier, the potential for buffer overflows is meaningless. It wouldn't be the first time your system bailed, anyway.
For the OS X user, just adjust your browser to make Info-zip the zip file helper, and surf over to Info-zip's site to download the source or binary.
Luke, help me take this mask off
Going through Aladdin's web site requires you to fill out a short (marketing) form before downloading Expander. Fortunately, Aladdin also has anonymous FTP access:
ftp://ftp.aladdinsys.com/
A good alternative to StuffIt for decompressing various Unix archives on OS X is Scott Anguish's most excellent "OpenUp": http://softrak.stepwise.com/display?pkg=790&os=20
Stone Design's "PackUpAndGo" is also an excellent product: http://www.stone.com/PackUpAndGo/PackUpAndGo.html