https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2319
https://int21.de/cve/CVE-2014-2319-powerarchiver.html
http://www.powerarchiver.com/2014/03/12/powerarchiver-2013-14-02-05-released/
ftp://utopia.hacktic.nl/pub/crypto/cracking/pkzip.ps.gz
The compression tool PowerArchiver version 14.02.03 creates files with an insecure encryption method even if the user selects (secure) AES encryption in the GUI.
If a user clicks on "Encrypt Files" and selects "AES 256-bit" for encryption, the resulting file will not be AES-encrypted. It will instead use the legacy PKZIP encryption, which is a broken encryption algorithm.
Note that PowerArchiver offers several ways to create an encrypted ZIP file; the issue only appears when using the "Encrypt Files" button.
The PKZIP encryption was broken by Biham and Kocher in 1994.
The vendor ConeXware has released version 14.02.05, which fixes the issue. It also completely disables support for creating archives with the broken legacy ZIP encryption.
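To check which method an archive actually uses, regardless of what the GUI reported, here is an added Python example (not part of the original advisory and not PowerArchiver's own code) that reads the ZIP central directory: general purpose flag bit 0 marks an encrypted entry, compression method 99 together with a WinZip 0x9901 extra field marks AES, and any other encrypted entry is legacy ZipCrypto. The archive bytes it inspects are constructed in-line as a minimal central directory, and the entry names are made up.

```python
import struct

CENTRAL_SIG, EOCD_SIG = b"PK\x01\x02", b"PK\x05\x06"
CD_HEADER = "<4sHHHHHHIIIHHHHHII"   # central directory file header, 46-byte fixed part

def aes_bits(extra):   # key size from a WinZip 0x9901 (AE-x) extra field, else None
    pos = 0
    while pos + 4 <= len(extra):                # extra area is a chain of (id, size, body)
        hid, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if hid == 0x9901 and len(body) >= 7 and body[2:4] == b"AE":
            return {1: 128, 2: 192, 3: 256}.get(body[4])   # strength byte
        pos += 4 + size
    return None

def entry_encryption(flags, method, extra):   # encryption really used by one entry
    if not flags & 0x0001:                      # general purpose bit 0: entry is encrypted
        return "none"
    bits = aes_bits(extra) if method == 99 else None   # method 99 is reserved for WinZip AES
    return "AES-%d" % bits if bits else "ZipCrypto (legacy PKZIP, broken)"

def zip_encryption_methods(data):
    """Walk the central directory and map each entry name to the encryption it really uses."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    result = {}
    for _ in range(count):
        f = struct.unpack_from(CD_HEADER, data, pos)
        if f[0] != CENTRAL_SIG:
            raise ValueError("bad central directory header")
        flags, method, nlen, xlen, clen = f[3], f[4], f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        result[name] = entry_encryption(flags, method, data[pos + 46 + nlen:pos + 46 + nlen + xlen])
        pos += 46 + nlen + xlen + clen
    return result

def build_sample(entries):   # constructed test data: central directory + EOCD only, no local headers
    cd = b"".join(struct.pack(CD_HEADER, CENTRAL_SIG, 20, 20, flags, method, 0, 0, 0, 0, 0,
                              len(name), len(extra), 0, 0, 0, 0, 0) + name + extra
                  for name, flags, method, extra in entries)
    return cd + struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries), len(cd), 0, 0)

AES256_EXTRA = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8)   # AE-2, strength 3 = 256-bit
SAMPLE = build_sample([
    (b"plain.txt", 0x0000, 8, b""),            # not encrypted at all
    (b"aes.txt", 0x0001, 99, AES256_EXTRA),    # what selecting "AES 256-bit" should produce
    (b"legacy.txt", 0x0001, 8, b""),           # what PowerArchiver 14.02.03 actually produced
])
```

On a real file, call zip_encryption_methods(open(path, "rb").read()); note that it reports every encrypted entry that is not WinZip AES as ZipCrypto, so PKWARE's own strong-encryption flag (bit 6) is not separated out.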
2014-03-10: Issue found, vendor contacted
2014-03-10: Vendor replies, confirms issue
2014-03-12: Vendor publishes fixed version
Vulnerability found by Hanno Böck.