Researchers reveal flaws in 7-Zip, users and security vendors affected

May 12, 2016

Users need to update their 7-Zip version to 16.0, and vendors must update products that use the vulnerable 7-Zip libraries and components

Cisco’s Talos researchers discovered two vulnerabilities in 7-Zip, the popular open-source file archiver known for having a high compression ratio and option to password protect compressed files.

Even if users hurry to download the newest 16.0 version of 7-Zip, in which the vulnerabilities are reportedly fixed, that does nothing for the many products that embed the old 7-Zip libraries and remain vulnerable. Unless vendors update those components, their products stay vulnerable, and so do the users of those products.

Talos researchers Marcin Noga and Jaeson Schultz explained:

These types of vulnerabilities are especially concerning, since vendors may not be aware they are using the affected libraries. This can be of particular concern, for example, when it comes to security devices or antivirus products. 7-Zip is supported on all major platforms and is one of the most popular archive utilities in use today. Users may be surprised to discover just how many products and appliances are affected.

Leo Notenboom, who worked for Microsoft at one point, called ZIP files “the spammer’s—or rather the phisher’s—best friend.” Nevertheless, 7-Zip is pretty popular because it’s free when WinRAR is not; its libraries and components are used in other compression software as well as in antivirus and other types of software—even ransomware authors have used 7-Zip to encrypt files. A few examples of security products using 7-Zip include FireEye, Malwarebytes and Comodo Cloud Antivirus. As the researchers pointed out, a quick search for software using the 7-Zip license reveals an alarming amount of software.

Talos researchers discovered an out-of-bounds read vulnerability “in the way 7-Zip handles Universal Disk Format (UDF) files” as well as an “exploitable heap overflow vulnerability.” The first, according to Bit-Tech, “can be exploited to execute arbitrary code,” while the second “can potentially crash other applications or the underlying operating system.”

Put another way by The Register: “The flaws could allow attackers to compromise updated machines, giving attackers the same access rights as logged-in users.”

“Anytime the vulnerable code is being run by any sort of privileged account, an attacker can exploit the vulnerability and execute code under those same permissions,” Schultz told The Register. “A fully patched Windows 10 box lacking the 7-Zip fixes would not help you.”

The Talos researchers concluded:

Sadly, many security vulnerabilities arise from applications that fail to properly validate their input data. Both of these 7-Zip vulnerabilities resulted from flawed input validation. Because data can come from a potentially untrusted source, data input validation is of critical importance to all applications’ security. Talos has worked with 7-Zip to responsibly disclose, and then patch these vulnerabilities. Users are urged to update their vulnerable versions of 7-Zip to the latest revision, version 16.00, as soon as possible.

7-Zip developer Igor Pavlov said the vulnerabilities have been fixed in the new version. If you use 7-Zip, then go grab version 16.0. If you have used 7-Zip libraries in products, be it for other compression software, antivirus, map tracking, lifecycle management or anything else, then please make the necessary changes. If you don’t know whether you used 7-Zip libraries or components, then you had better get busy finding out.
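Finding out whether a product bundles an old 7-Zip component is the practical follow-up to that advice. The script below is an added example (not from the article, Talos or the 7-Zip project): it searches binaries for an embedded “7-Zip <major>.<minor>” banner in either ASCII or UTF-16LE and flags anything older than 16.00. The banner format, the scanned file suffixes and the sample blobs are assumptions constructed for illustration.

```python
"""Flag files whose embedded 7-Zip banner predates the fixed 16.00 release.

Assumption: a binary bundling 7-Zip code carries a text banner such as
"7-Zip 9.20 ..." or "7-Zip [64] 16.00 ..." (ASCII or UTF-16LE).
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

FIXED_VERSION = (16, 0)  # Talos / 7-Zip: fixes shipped in 7-Zip 16.00

# "7-Zip", optional "[64]" build tag, then a dotted version like 9.20 or 16.00.
_BANNER_RE = re.compile(rb"7-Zip(?: \[64\])? (\d{1,2})\.(\d{2})")


def _views(data: bytes) -> Iterable[bytes]:
    """Yield the raw bytes plus ASCII projections of both UTF-16LE alignments."""
    yield data
    for offset in (0, 1):  # UTF-16LE text may start on an odd byte boundary
        text = data[offset:].decode("utf-16-le", errors="ignore")
        yield text.encode("ascii", errors="ignore")


def find_versions(data: bytes) -> List[Tuple[int, int]]:
    """Return every distinct (major, minor) 7-Zip banner version found in a blob."""
    found = set()
    for view in _views(data):
        for match in _BANNER_RE.finditer(view):
            found.add((int(match.group(1)), int(match.group(2))))
    return sorted(found)


def is_vulnerable(version: Tuple[int, int]) -> bool:
    """True when a banner version is older than the fixed release."""
    return version < FIXED_VERSION


def assess(data: bytes) -> Optional[bool]:
    """None when no banner is present; True if any embedded version needs updating."""
    versions = find_versions(data)
    return any(is_vulnerable(v) for v in versions) if versions else None


def scan_tree(root: Path, suffixes=(".dll", ".exe", ".so")) -> Dict[str, bool]:
    """Walk a directory; report each file carrying a 7-Zip banner and whether it is outdated."""
    report: Dict[str, bool] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            verdict = assess(path.read_bytes())
            if verdict is not None:
                report[str(path)] = verdict
    return report


# Constructed sample blobs standing in for bundled components (not real binaries).
SAMPLE_OLD_ASCII = b"\x00MZ..junk..\x007-Zip 9.20 Copyright (c) 1999-2010 Igor Pavlov\x00"
SAMPLE_FIXED_UTF16 = b"\x90" + "7-Zip [64] 16.00 : Copyright (c) 1999-2016".encode("utf-16-le")
SAMPLE_NO_BANNER = b"just some bytes without any archiver banner"
```

Run `scan_tree(Path("/path/to/product"))` against an installation directory; any entry reported `True` is a component to chase with the vendor.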

Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.