Jump to content
KJakker

7zip Security Vulnerability Update your 7zip.

Recommended Posts

Update your 7zip to later than version 24.07.

https://cybersecuritynews.com/7-zip-vulnerability-arbitrary-code/
 

Quote

Critical 7-Zip Vulnerability Let Attackers Execute Arbitrary Code

By
 Guru Baran
 -
 November 25, 2024
 
 

A severe security vulnerability has been discovered in 7-Zip, the popular file compression utility, allowing remote attackers to execute malicious code through specially crafted archives.

The vulnerability tracked as CVE-2024-11477 has received a high CVSS score of 7.8, indicating significant security risks for users of affected versions.

The flaw specifically exists within the Zstandard decompression implementation, where improper validation of user-supplied data can result in an integer underflow before writing to memory.

This vulnerability enables attackers to execute arbitrary code in the context of the current process when users interact with malicious archives.

According to Nicholas Zubrisky of Trend Micro Security Research, attackers can exploit this vulnerability by convincing users to open carefully prepared archives, which could be distributed through email attachments or shared files.

The Zstandard format, particularly prevalent in Linux environments, is commonly used in various file systems, including Btrfs, SquashFS, and OpenZFS.

The vulnerability poses significant risks as it allows attackers to:

  • Execute arbitrary code on affected systems
  • Gain the same access rights as logged-in users
  • Potentially achieve complete system compromise

Mitigation and Fixes

7-Zip has addressed this security issue in version 24.07. Since the software lacks an integrated update mechanism, users must manually download and install the latest version to protect their systems. IT administrators and software developers who implement 7-Zip in their products should immediately update their installations to the patched version.

The vulnerability was initially reported to 7-Zip in June 2024, with the coordinated public disclosure occurring on November 20, 2024. Security experts emphasize the importance of prompt patching, as the vulnerability requires minimal technical expertise to exploit, though no known malware is currently targeting this flaw.

This incident highlights the critical importance of input validation in application security, particularly when processing data from potentially untrusted sources. Organizations and individuals using 7-Zip or products that incorporate its functionality should prioritize updating to the latest version to maintain system security.

 

  • Like 1
  • Thanks 7

Share this post


Link to post
Share on other sites

Cool just updated it, thanks!

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×

Important Information

By using this site, you agree to our Terms of Use, Privacy Policy, and We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue..