Major Security Flaws Found in 7-Zip

Security researchers Marcin Noga and Jaeson Schultz revealed vulnerabilities in 7-Zip that can put software products and devices bundled with the popular file compression utility at risk.

Schultz explained the vulnerabilities could compromise systems by giving attackers the same access rights as logged-in users. “Anytime the vulnerable code is being run by any sort of privileged account, an attacker can exploit the vulnerability and execute code under those same permissions,” Schultz told The Register.

One of the major flaws discovered by the team is an ‘out-of-bounds vulnerability’ in how 7-Zip processes Universal Disk Format (UDF) files, the file system widely used for DVDs (audio and video) and newer optical disc formats. The vulnerability can be triggered by entries containing a malformed ‘Long Allocation Descriptor,’ which can provide a way for attackers to execute arbitrary code.

Noga and Schultz also found a ‘heap overflow vulnerability’ in one of 7-Zip’s functionalities. When exploited, it can result in erratic program behavior such as application and OS crashes, file corruption, memory access errors and even a system breach.


7-Zip, an open source file archiver, supports all major platforms and compression formats. Its touted versatility makes it a popular utility for software and custom enterprise applications that need to compress, convert or encrypt files.

The vulnerabilities are dangerous because attackers can craft 7-Zip archives for spear phishing campaigns, so that the 7-Zip decompression process executes malicious code. This is particularly worrisome because some programs and products integrate 7-Zip as library code and are set to receive and decompress files automatically.

Noga and Schultz note in their blog post, “Sadly, many security vulnerabilities arise from applications which fail to properly validate their input data. Both of these 7-Zip vulnerabilities resulted from flawed input validation. Because data can come from a potentially untrusted source, data input validation is of critical importance to all applications’ security.”
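The kind of input validation the researchers call for, applied to the UDF structure named earlier: an added example (not 7-Zip's code and not from the researchers' post) that parses a Long Allocation Descriptor and rejects one whose partition reference or extent falls outside the volume. The `volume` struct, the function names and the sample bytes are constructed for illustration; the page does not say which field 7-Zip failed to check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ECMA-167 long_ad: 16 bytes on disk, little-endian fields. */
typedef struct {
    uint32_t length;        /* extent length in bytes (low 30 bits of field) */
    uint32_t block;         /* logical block number inside the partition */
    uint16_t partition_ref; /* index into the volume's partition maps */
} long_ad;

/* Hypothetical view of an opened volume, used only for this example. */
typedef struct {
    size_t          num_partitions;
    const uint32_t *partition_blocks; /* size of each partition, in blocks */
    uint32_t        block_size;       /* bytes per logical block */
} volume;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 on success, -1 if the descriptor must be rejected. */
int parse_long_ad(const uint8_t *buf, size_t len, const volume *vol, long_ad *out) {
    if (!buf || !vol || !out || len < 16) return -1;   /* truncated input */
    out->length = le32(buf) & 0x3FFFFFFFu;             /* top 2 bits: extent type */
    out->block = le32(buf + 4);
    out->partition_ref = (uint16_t)(buf[8] | buf[9] << 8);
    /* The partition reference comes from the file: check it before indexing. */
    if (vol->block_size == 0 || out->partition_ref >= vol->num_partitions) return -1;
    /* The extent must lie wholly inside the referenced partition;
       64-bit arithmetic so that block + count cannot wrap. */
    uint64_t blocks = ((uint64_t)out->length + vol->block_size - 1) / vol->block_size;
    if ((uint64_t)out->block + blocks > vol->partition_blocks[out->partition_ref]) return -1;
    return 0;
}

/* Constructed samples: a 4096-byte extent at block 10, first with partition
   reference 0, then with reference 7, which the one-partition volume lacks. */
static const uint8_t SAMPLE_OK[16]      = {0x00,0x10,0,0, 0x0A,0,0,0, 0x00,0, 0,0,0,0,0,0};
static const uint8_t SAMPLE_BAD_REF[16] = {0x00,0x10,0,0, 0x0A,0,0,0, 0x07,0, 0,0,0,0,0,0};
static const uint32_t SAMPLE_PART_BLOCKS[1] = {100};
static const volume SAMPLE_VOL = {1, SAMPLE_PART_BLOCKS, 2048};

int main(void) {
    long_ad ad;
    printf("valid: %d\n", parse_long_ad(SAMPLE_OK, sizeof SAMPLE_OK, &SAMPLE_VOL, &ad));
    printf("bad partition ref: %d\n", parse_long_ad(SAMPLE_BAD_REF, sizeof SAMPLE_BAD_REF, &SAMPLE_VOL, &ad));
    return 0;
}
```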


The researchers also worked with 7-Zip’s developer Igor Pavlov, who said that the issues have been fixed. Users and software vendors that use the application are strongly urged to update old, vulnerable versions of 7-Zip to the latest version (16.00).

