A severe security vulnerability has been discovered in 7-Zip, the popular file compression utility,
allowing remote attackers to execute malicious code through specially crafted archives.
The vulnerability tracked as CVE-2024-11477 has received a high CVSS score of 7.8, indicating significant security risks for users of affected versions.
The flaw specifically exists within the Zstandard decompression implementation, where improper validation of user-supplied data can result in an integer underflow before writing to memory.
This vulnerability enables attackers to execute arbitrary code in the context of the current process when users interact with malicious archives.
According to Nicholas Zubrisky of Trend Micro Security Research, attackers can exploit this vulnerability by convincing users to open carefully prepared archives, which could be distributed through email attachments or shared files.
The Zstandard format, particularly prevalent in Linux environments, is commonly used in various file systems, including Btrfs, SquashFS, and OpenZFS.
The vulnerability poses significant risks as it allows attackers to:
- Execute arbitrary code on affected systems
- Gain the same access rights as logged-in users
- Potentially achieve complete system compromise
Mitigation and Fixes
7-Zip has addressed this security issue in version 24.07. Since the software lacks
an integrated update mechanism, users must manually download and install the
latest version to protect their systems. IT administrators and software developers
who implement 7-Zip in their products should immediately update their installations to the patched version.
The vulnerability was initially reported to 7-Zip in June 2024, with the coordinated
public disclosure occurring on November 20, 2024. Security experts emphasize
the importance of prompt patching, as the vulnerability requires minimal technical
expertise to exploit, though no known malware is currently targeting this flaw.
This incident highlights the critical importance of input validation in application security,
particularly when processing data from potentially untrusted sources.
Organizations and individuals using 7-Zip or products that incorporate its functionality
should prioritize updating to the latest version to maintain system security.
Source :
https://cybersecuritynews.com/7-zip-vulnerability-arbitrary-code/
Recommended Comments
There are no comments to display.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.