Researchers reveal flaws in 7-Zip, users and security vendors affected


Reefa

Quote


Cisco’s Talos researchers discovered two vulnerabilities in 7-Zip, the popular open-source file archiver known for its high compression ratio and an option to password-protect compressed files.

Even if users hurry to download the newest 16.0 version of 7-Zip, in which the vulnerabilities are reportedly fixed, that doesn’t take care of many products that have used the old 7-Zip libraries and are still vulnerable. Unless vendors do some work, they are vulnerable and users of their products are as well.

Talos researchers Marcin Noga and Jaeson Schultz explained:

Quote

These types of vulnerabilities are especially concerning, since vendors may not be aware they are using the affected libraries. This can be of particular concern, for example, when it comes to security devices or antivirus products. 7-Zip is supported on all major platforms and is one of the most popular archive utilities in use today. Users may be surprised to discover just how many products and appliances are affected.

Leo Notenboom, who worked for Microsoft at one point, called ZIP files “the spammer’s—or rather the phisher’s—best friend.” Nevertheless, 7-Zip is pretty popular because it’s free when WinRAR is not; its libraries and components are used in other compression software as well as in antivirus and other types of software—even ransomware authors have used 7-Zip to encrypt files. A few examples of security products using 7-Zip include FireEye, Malwarebytes (pdf) and Comodo Cloud Antivirus (pdf). As the researchers pointed out, a quick search for software using the 7-Zip license reveals an alarming amount of software.

Talos researchers discovered an out-of-bounds read vulnerability “in the way 7-Zip handles Universal Disk Format (UDF) files” as well as an “exploitable heap overflow vulnerability.” The first, according to Bit-Tech, “can be exploited to execute arbitrary code,” while the second “can potentially crash other applications or the underlying operating system.”

Put another way by The Register: “The flaws could allow attackers to compromise updated machines, giving attackers the same access rights as logged-in users.”

“Anytime the vulnerable code is being run by any sort of privileged account, an attacker can exploit the vulnerability and execute code under those same permissions,” Schultz told The Register. “A fully patched Windows 10 box lacking the 7-Zip fixes would not help you.”

The Talos researchers concluded:

Quote

Sadly, many security vulnerabilities arise from applications that fail to properly validate their input data. Both of these 7-Zip vulnerabilities resulted from flawed input validation. Because data can come from a potentially untrusted source, data input validation is of critical importance to all applications’ security. Talos has worked with 7-Zip to responsibly disclose, and then patch these vulnerabilities. Users are urged to update their vulnerable versions of 7-Zip to the latest revision, version 16.00, as soon as possible.

7-Zip developer Igor Pavlov said the vulnerabilities have been fixed in the new version. If you use 7-Zip, then go grab version 16.0. If you have used 7-Zip libraries in products—be it for other compression software, antivirus, map tracking, lifecycle management or any other products, then please make changes. If you don’t know if you used 7-Zip libraries or components, then you better get busy finding out.

Thanks for the heads-up. Just updated to the latest 7-zip on all of my computers.

straycat19
4 hours ago, oliverjia said:

Thanks for the heads-up. Just updated to the latest 7-zip on all of my computers.

That's good but you missed the sentence above that tells you that you still are not safe.

Quote

Even if users hurry to download the newest 16.0 version of 7-Zip, in which the vulnerabilities are reportedly fixed, that doesn’t take care of many products that have used the old 7-Zip libraries and are still vulnerable.

What we need to be able to do is find and update those library files that are in other software installs so that they will use the fixed library files. That is probably possible, but it would take some time to identify and replace them.

This vulnerability only affects trojanized ISOs built with the UDF filesystem, so unless you are in the habit of downloading said ISOs, you are probably safe.

I just replaced 7-Zip in 6 apps on my PC that use 7z.exe and 7z.dll with the 16.00 version, but I have no idea how many might have the old code compiled into the executables and libraries.

Also, found no info at all if other popular decompressors might handle UDF ISOs the same way as 7-Zip (Winrar, Winzip and etc).

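The inventory step that straycat19 asks for and the previous poster did by hand (finding every copy of 7z.exe / 7z.dll that other installers dropped on the machine and checking which are still below 16.00), written out as an added example. This is not code from the thread, from Talos, or from 7-Zip's own tooling. It assumes Windows with PowerShell 5 or later and that a bundled copy still carries 7-Zip's VERSIONINFO resource; the file names in $knownNames are the ones 7-Zip itself ships, the "Igor Pavlov" company string is what 7-Zip stamps into its binaries, and the $Roots default and the 16.0 threshold are assumptions you can override. It will not see 7-Zip code that a vendor compiled statically into its own executable, which is exactly the case the last post worries about; those products have to be traced through the vendor.

```powershell
# Added example, not part of the original thread or of 7-Zip.
# Walks the given roots, picks out bundled 7-Zip engine binaries by name or
# by the "Igor Pavlov" / "7-Zip" strings in their VERSIONINFO, and flags
# anything whose FileVersion is older than the 16.00 release Talos cites as fixed.
param(
    # Assumed defaults; pass your own roots (e.g. D:\Apps) for non-standard installs.
    [string[]] $Roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:LOCALAPPDATA"),
    # First release carrying the Talos fixes, per the article quoted above.
    [version]  $Fixed = [version]'16.0'
)

# Canonical binary names from the 7-Zip distribution. Vendors usually keep them,
# but renamed copies are still caught below via the VERSIONINFO strings.
$knownNames = '7z.dll', '7z.exe', '7za.exe', '7za.dll', '7zxa.dll',
              '7zg.exe', '7zFM.exe', '7-zip.dll', '7-zip32.dll'

$findings = foreach ($root in $Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
    Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            $byName   = $knownNames -contains $_.Name
            $byStamp  = ($vi.CompanyName -match 'Igor Pavlov') -or
                        ($vi.LegalCopyright -match 'Igor Pavlov') -or
                        ($vi.ProductName -match '7-Zip')
            if (-not ($byName -or $byStamp)) { return }   # skip unrelated binaries

            # 7-Zip stamps FileVersion as e.g. "9.20", "15.14", "16.00".
            # Anything that does not parse is reported rather than silently dropped.
            $ver = $null
            $parsed = [version]::TryParse(("$($vi.FileVersion)" -replace '\s.*$', ''), [ref]$ver)

            if (-not $parsed)        { $status = 'UNKNOWN (inspect manually)' }
            elseif ($ver -lt $Fixed) { $status = "VULNERABLE (< $Fixed)" }
            else                     { $status = 'ok' }

            [pscustomobject]@{
                Status      = $status
                FileVersion = $vi.FileVersion
                Product     = $vi.ProductName
                Path        = $_.FullName
            }
        }
}

# Vulnerable and unknown entries sort ahead of "ok" so they are visible first.
$findings | Sort-Object Status, Path | Format-Table -AutoSize
```

Run it from an elevated prompt so Program Files is fully readable, and treat every UNKNOWN row as work to do: a stripped VERSIONINFO usually means the vendor repackaged the engine, and only the vendor can tell you which 7-Zip sources went into it. Replacing a flagged 7z.dll with the 16.00 copy, as the previous poster did, works only when the host application loads it dynamically by that name; confirm the application still opens archives afterwards.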