Aladdin Responds to StuffIt Security Issue

CNET staff

Aladdin Systems has provided MacFixIt with detailed information regarding the previously reported security hole that can cause a buffer overrun in versions of StuffIt Expander earlier than 6.5.1:

"Essentially the issue is that someone could theoretically craft a .zip archive which contained an illegally long file name. When affected utilities attempt to expand this archive a buffer overrun could potentially allow arbitrary code to be executed. Such an archive would basically be a 'trojan horse.'

"To date there have been no such archives detected (or created by ourselves, Apple, or CERT) and there are significant technical barriers to doing so. Even then such an archive would have to be crafted to individually exploit a particular decompression utility running on a specific OS. While we see this as a very small risk, we are concerned about creating the most secure software possible and recommend that users download and use the latest version of StuffIt Expander 7.0, which is not vulnerable, to reduce the potential risk even further."
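The bug class Aladdin describes, shown as an added example that is not code from the article, from StuffIt, or from CERT: a zip local file header carries a 16-bit "file name length" field, and an expander that copies that many bytes into a fixed-size buffer without comparing the length to the buffer overruns it. The 64-byte name buffer, the `build_local_header` helper and the `probe` helper are assumptions for illustration; the header layout (signature "PK\3\4", name length at offset 26, fixed part 30 bytes) follows the public PKWARE zip format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ZIP_LOCAL_SIG     0x04034b50u
#define ZIP_LOCAL_HDR_LEN 30   /* fixed part of a zip local file header */
#define NAME_BUF          64   /* assumed fixed-size name buffer in the expander */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed input: a minimal local file header whose file name is name_len 'A' bytes.
   Returns the total bytes written, or 0 if the output buffer is too small. */
static size_t build_local_header(uint8_t *out, size_t cap, uint16_t name_len) {
    if (cap < ZIP_LOCAL_HDR_LEN + (size_t)name_len) return 0;
    memset(out, 0, ZIP_LOCAL_HDR_LEN);
    out[0] = 0x50; out[1] = 0x4b; out[2] = 0x03; out[3] = 0x04;   /* "PK\3\4" */
    out[4] = 20;                                                 /* version needed 2.0 */
    out[26] = (uint8_t)(name_len & 0xff);                        /* file name length, LE */
    out[27] = (uint8_t)(name_len >> 8);
    memset(out + ZIP_LOCAL_HDR_LEN, 'A', name_len);
    return ZIP_LOCAL_HDR_LEN + name_len;
}

/* VULNERABLE: trusts the header's name length against a fixed stack buffer. A header
   declaring a name longer than NAME_BUF overruns `name`, which is the overrun described
   in the advisory. Only ever call this on trusted input. */
static int read_name_unchecked(const uint8_t *zip, size_t zip_len) {
    char name[NAME_BUF];
    if (zip_len < ZIP_LOCAL_HDR_LEN || rd32(zip) != ZIP_LOCAL_SIG) return -1;
    uint16_t n = rd16(zip + 26);
    if ((size_t)n + ZIP_LOCAL_HDR_LEN > zip_len) return -2;      /* truncated archive */
    memcpy(name, zip + ZIP_LOCAL_HDR_LEN, n);                    /* no check of n vs NAME_BUF */
    name[n] = '\0';
    return (int)strlen(name);
}

/* HARDENED: the declared name length is bounded by both the archive and the destination
   before any copy; an over-long name is rejected rather than truncated silently. */
static int read_name_checked(const uint8_t *zip, size_t zip_len, char *out, size_t out_cap) {
    if (zip_len < ZIP_LOCAL_HDR_LEN || rd32(zip) != ZIP_LOCAL_SIG) return -1;
    uint16_t n = rd16(zip + 26);
    if ((size_t)n + ZIP_LOCAL_HDR_LEN > zip_len) return -2;      /* truncated archive */
    if ((size_t)n >= out_cap) return -3;                         /* would not fit: reject */
    memcpy(out, zip + ZIP_LOCAL_HDR_LEN, n);
    out[n] = '\0';
    return n;
}

/* Helper: build a header with a name_len-byte name and run the hardened reader on it. */
static int probe(uint16_t name_len) {
    static uint8_t zip[ZIP_LOCAL_HDR_LEN + 0xFFFF];  /* room for any 16-bit name length */
    char name[NAME_BUF];
    size_t len = build_local_header(zip, sizeof zip, name_len);
    if (len == 0) return -99;
    return read_name_checked(zip, len, name, sizeof name);
}

int main(void) {
    uint8_t benign[ZIP_LOCAL_HDR_LEN + 9];
    size_t len = build_local_header(benign, sizeof benign, 9);
    printf("unchecked reader, 9-byte name   -> %d\n", read_name_unchecked(benign, len));
    printf("checked reader,   9-byte name   -> %d\n", probe(9));
    printf("checked reader,   63-byte name  -> %d\n", probe(63));
    printf("checked reader,   300-byte name -> %d (rejected)\n", probe(300));
    return 0;
}
```

The deliberately unchecked reader is exercised only on the 9-byte name; feeding it the 300-byte header would corrupt the stack, which is the whole point of the advisory. The hardened reader refuses any name that does not fit with its terminator, so a crafted archive fails to expand instead of executing anything.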

The issue is further explained by CERT's vulnerability note.