7-Zip vulnerability affects security software

Martin Brinkmann
May 13, 2016

7-Zip is a popular open source file compression program that supports all major compression formats and a variety of other features.

Talos, a Cisco company, discovered a vulnerability in 7-Zip that allows attackers to run code on computer systems with the same rights as the underlying process.

To be precise, the vulnerability was found in the code that handles Universal Disk Format (UDF) files in 7-Zip.

UDF is the default file system for DVD video and DVD audio, and is used for other optical disc formats. The vulnerability takes advantage of flawed input validation. If you are interested in details, follow the link to the Talos blog that reveals the two vulnerabilities found in the subsystem.

The security vulnerability has been fixed in 7-Zip 16.0, which has been released this month.

The issue

If you are using 7-Zip you should update the program immediately to protect the system from attacks targeting the vulnerability.

The main issue, however, is that third-party programs make use of 7-Zip's libraries as well. This includes many compression programs, security software from Malwarebytes, and other programs that offer or use compression functionality.

If those programs use pre-7-Zip 16.0 functions, then they are also vulnerable to the attack. This is of special importance when it comes to security software, as it may run with elevated rights while other programs do not necessarily do so.

Since the code that a successful exploit runs on the system has the same rights as the host process, the consequences can be more far-reaching.

What makes this particularly problematic is that there is no way of finding out whether a program that you are using is making use of 7-Zip functions or not. There is no master list of programs that use 7-Zip for compression functionality, and many developers and companies don't disclose if 7-Zip is being used.

One of the first programs to fix the issue is the popular file compression program PeaZip. It was just updated to fix the 7-Zip vulnerability. It is likely that other programs will be updated in the near future to use the new fixed functions that 7-Zip provides instead of the vulnerable ones.

Until that happens, though, these programs, and with them the underlying system, remain vulnerable to the attack.
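Copies of the 7-Zip library that ship as separate files can at least be inventoried. The following is an added example, not code from the article or from the 7-Zip project: it walks a directory tree, reads the file version of every `7z*` binary from its Windows version resource, and flags copies older than 16.0. The file-name pattern, the signature-scan heuristic, and the assumption that the bundled copy carries 7-Zip's own version number are assumptions; statically linked or renamed copies are not found.

```python
import os
import struct
import sys

FIXED_SIG = struct.pack("<I", 0xFEEF04BD)  # VS_FIXEDFILEINFO.dwSignature
FIXED_VERSION = (16, 0)                    # fixed release named in the article

def pe_file_version(data):
    """Return (major, minor, build, rev) from a version resource, or None.

    Heuristic: scans the raw bytes for the VS_FIXEDFILEINFO signature
    instead of walking the PE resource directory.
    """
    pos = data.find(FIXED_SIG)
    while pos != -1:
        if len(data) - pos >= 16:
            struc_ver, ms, ls = struct.unpack_from("<III", data, pos + 4)
            if struc_ver == 0x00010000:    # dwStrucVersion 1.0 (assumed)
                return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        pos = data.find(FIXED_SIG, pos + 1)
    return None

def is_7zip_name(name):
    """Assumed naming: 7z.dll, 7za.dll, 7zxa.dll, 7z.exe and similar."""
    low = name.lower()
    return low.startswith("7z") and low.endswith((".dll", ".exe"))

def classify(version):
    """Compare major.minor against the first fixed release."""
    if version is None:
        return "unknown"
    return "outdated" if version[:2] < FIXED_VERSION else "ok"

def scan(root):
    """Yield (path, version, status) for each 7-Zip-named binary under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in filter(is_7zip_name, files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    version = pe_file_version(fh.read())
            except OSError:                # unreadable file: report as unknown
                version = None
            yield path, version, classify(version)

if __name__ == "__main__":
    for path, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{status:8} {shown:12} {path}")
```

Run it against a program directory or a mounted disk image; an "unknown" result means the file carries no readable version resource and needs a manual check.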

Publisher: Ghacks Technology News

Comments

  1. Dan82 said on May 15, 2016 at 9:36 pm

    The tricky thing with these two vulnerabilities is the fact that 7-Zip, or any application using their library, can trigger the bug even when the user is careful to avoid using any UDF/HFS files/images. As another commenter writes on the Cisco Talos blog post, “These bugs will trigger with a malformed UDF/HFS file with a .zip extension unless the added command line argument is used”.

    Or in other words: the reasonable vulnerability vector is to mislabel a file and try to get the user to open/access it with an application that uses the 7-Zip library. I know its use is incredibly widespread and I assume that many of those haven’t been updated yet.

  2. A different Martin said on May 14, 2016 at 6:33 pm

    This is a prime illustration of why I run SUMo at least once a day — more typically, once in the morning and once in the evening — and try to keep my system as up to date as possible. Thanks to this practice, I had updated 7-zip before the story broke.

    Is anyone still using Secunia PSI? It’s an update-checker that focuses exclusively on security (not functionality or bug-fix) updates. I stopped using it a while ago for a number of reasons (e.g., it was slow on my system, its auto-updating feature was problematic, Secunia got bought out by a company whose privacy policy seemed confusing). I’m curious to know whether anyone who uses it (either in background or on demand) has been getting timely warnings about programs with the 7-zip vulnerability.

  3. John Krazinski said on May 14, 2016 at 6:13 pm

    Now, here is something that is worth being updated (…not those windows updates)
    I’ve been using 7-zip for a long time and I updated to v16 a couple days ago, prior to reading this article.
    Since 7-zip alternatives use 7-zip.dll they also got the vulnerability.
    I’ll stick with 7-zip until some command line compression tool as-powerful-as 7-zip comes up.
    The alternatives we have today have a fancy gui and little command line support.

  4. Pierre said on May 14, 2016 at 3:29 pm

    Thks for the info
    It’s done

  5. jimmyjamesjimmy said on May 14, 2016 at 2:26 am

    Thnx, updated :)

  6. trek100 said on May 14, 2016 at 1:10 am

    Is 7-zip for Linux also vulnerable to this?

  7. Beagle42420 said on May 13, 2016 at 9:09 pm

    Is Bandizip one of the 3rd party programs that uses the 7-Zip libraries?

    1. Ficho said on May 14, 2016 at 11:59 am

      Yes. In my case – Bandizip and MBAM 1.75.
      Later I’ll try to replace 7z.dll in MBAM Program Files folder with 7z.dll from 7-zip Portable 16.0.

  8. Matthew Borcherding said on May 13, 2016 at 7:39 pm

    Doing searches for *7z* on my system, I see:
    Malwarebytes (others have reported/noted this)
    Adobe Reader
    ComicRack
    CDisplayEX
    Andy (Android emulator)
    IZarc
    Autopatcher
    and a few more…

    This is going to be ugly. 7zip was the go-to-source for a free .ZIP/.7Z library for *LOTS* of programs.

    1. Seban said on May 15, 2016 at 5:23 pm

      I found 7-Zip in
      Bandizip
      DropIt
      MBAM
      WinMerge

  9. ilev said on May 13, 2016 at 6:42 pm
  10. Sophist said on May 13, 2016 at 2:21 pm

    Thanks for the heads up Martin!

  11. Bjorn said on May 13, 2016 at 12:42 pm

    This issue may turn out to be MASSIVE.

    There are thousands of applications used by hundreds of millions of people that use 7-Zip libraries.

    Getting all those applications updated will likely be a very slow process.

    Applications that are no longer under active development may be forever vulnerable.

    Hopefully the 7-Zip developers will release drop-in patched replacements for affected libraries. That way, at least savvy users can replace some of their vulnerable libraries.

    This will be a boon for blackhats and security agencies.

    1. Dave said on May 14, 2016 at 1:16 pm

      They could release a tool that scans and updates anything on your system. But they won’t.

  12. Abyrvalg said on May 13, 2016 at 12:05 pm

    So, it’s just the malwarebytes that uses affected libs or some other security software is doing the same?

    1. Corky said on May 13, 2016 at 6:42 pm

      Malwarebytes isn’t the only one affected by this, far from it in fact.
      To name a few things that use the 7-zip libraries there’s FireEye, Comodo Cloud Antivirus, Nero software products, IBM Endpoint Manager, Gpg4win, Acronis, Nullsoft Scriptable Install System, Java, TeamViewer, Symantec, and the list goes on and on.

  13. Seban said on May 13, 2016 at 10:57 am

    Does some software change the names of the used 7-Zip components? If not, why not just replace them?

    Search for 7z* (e.g. via Everything), download 7-Zip installer, replace the found files with the ones from the installer.

    Or could this lead to problems?

    1. Martin Brinkmann said on May 13, 2016 at 11:07 am

      I don’t know how the libraries get integrated so cannot say if this could work or not.

      1. Seban said on May 17, 2016 at 11:38 pm

        Ok, so far WinMerge didn’t like that I replaced the 7z.dll.

        Bandizip was fixed in the meantime btw.

      2. Seban said on May 15, 2016 at 5:22 pm

        I replaced them, no crashes or abnormal behaviour so far. At least none noticed.

  14. Jojo said on May 13, 2016 at 8:41 am

    Phew….
    I’ve fresh installed win 2 days ago
    and yesterday fresh installed 7z…
    I don’t always look for new versions, as my PC is old and sluggish, but in this [and few more] case[s] this time – I did :)
    got me worried for a sec :D
    Keep up the good info streaming M.B. =]

    1. Martin Brinkmann said on May 13, 2016 at 9:03 am

      Trying my best ;)
