Menu
Dangerous 7-Zip flaws put many other software products at risk

Dangerous 7-Zip flaws put many other software products at risk

The flaws could allow arbitrary code execution when the 7-Zip library processes specially crafted files

Two vulnerabilities recently patched in 7-Zip could put at risk of compromise many software products and devices that bundle the open-source file archiving library.

The flaws, an out-of-bounds read vulnerability and a heap overflow, were discovered by researchers from Cisco's Talos security team. They were fixed in 7-Zip 16.00, released Tuesday.

The 7-Zip software can pack and unpack files using a large number of archive formats, including its own 7z format, which is more efficient than ZIP. Its versatility and open-source nature make it an attractive library to include in other software projects that need to process and deal with archived files.

Previous research has shown that most developers do a poor job of keeping track of vulnerabilities in the third-party code they use and that they rarely update the libraries included in their projects.

"7-Zip is supported on all major platforms, and is one of the most popular archive utilities in-use today," the Cisco Talos researchers said in a blog post. "Users may be surprised to discover just how many products and appliances are affected."

A search on Google reveals that 7-Zip is used in many software projects, including in security devices and antivirus products. Many custom enterprise applications also likely use it.

The out-of-bounds read vulnerability, tracked as CVE-2016-2335, stems from 7-Zip's handling of Universal Disk Format (UDF) files, while the heap overflow condition, CVE-2016-2334, can occur when handling zlib compressed files.

To exploit the flaws, attackers can craft specially crafted files in those formats and deliver them in a way that would cause the vulnerable 7-Zip code to process them.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags malwarezip

Featured

Slideshows

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

New Zealanders kick-started EDGE 2018 with a bout of Super Rugby before a dedicated New Zealand session, in front of more than 50 partners, vendors and distributors on Hamilton Island.‚Äč

EDGE 2018: Kiwis kick back with Super Rugby before NZ session
EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018 kicked off with a dedicated New Zealand track, highlighting the key customer priorities across the local market, in association with Dell EMC. Delivered through EDGE Research - leveraging Kiwi data through Tech Research Asia - more than 50 partners, vendors and distributors combined during an interactive session to assess the changing spending patterns of the end-user and the subsequent impact to the channel.

EDGE 2018: Kiwis assess key customer priorities through NZ research
Show Comments