The compression tool PowerArchiver version 14.02.03 creates files with an insecure encryption method even if the user selects (secure) AES encryption in the GUI.
If a user clicks on the "Encrypt Files" button and selects "AES 256-bit" for encryption, the resulting file will not be AES-encrypted. It will instead use the legacy PKZIP encryption, which relies on a broken encryption algorithm.
Note that there are different ways in PowerArchiver to create an encrypted ZIP file; the issue only appears when using the "Encrypt Files" button.
The PKZIP encryption was broken by Biham/Kocher in 1994.
The vendor ConeXware has released version 14.02.05, which fixes the issue. It also completely disables support for creating archives with the broken legacy ZIP encryption.
2014-03-10: Issue found, vendor contacted
2014-03-10: Vendor replies, confirms issue
2014-03-12: Vendor publishes fixed version
Vulnerability found by Hanno Böck.