7-Zip is a popular open source file compression program that supports all major compression formats and a variety of other features.
Talos, a Cisco company, discovered a vulnerability in 7-Zip that allows attackers to run code on computer systems with the same rights as the underlying process.
To be precise, the vulnerability was found in the code that handles Universal Disk Format (UDF) files in 7-Zip.
UDF is the default file system for DVD video and DVD audio, and is used for other optical disc formats. The vulnerability takes advantage of flawed input validation. If you are interested in details, follow the link to the Talos blog that reveals the two vulnerabilities found in the subsystem.
The security vulnerability has been fixed in 7-Zip 16.0, which has been released this month.
If you are using 7-Zip, you should update the program immediately to protect the system from attacks targeting the vulnerability.
The main issue however is that third-party programs make use of 7-Zip's libraries as well. This includes many compression programs, security software from Malwarebytes, and other programs that offer or use compression functionality.
If those programs use 7-Zip functions from a version older than 16.0, they are also vulnerable to the attack. This is of special importance when it comes to security software, as it may run with elevated rights while other programs do not necessarily do so.
Since the code that a successful exploit runs on the system has the same rights as the host process, the consequences can be more far-reaching in that case.
What makes this particularly problematic is that there is no way of finding out whether a program that you are using is making use of 7-Zip functions or not. There is no master list of programs that use 7-Zip for compression functionality, and many developers and companies don't disclose if 7-Zip is being used.
One of the first programs to fix the issue is the popular file compression program PeaZip. It was just updated to fix the 7-Zip vulnerability. It is likely that other programs will be updated in the near future to use the new fixed functions that 7-Zip provides instead of the vulnerable ones.
Until that happens, though, they, and with them the underlying system, remain vulnerable to the attack.
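A partial check for programs that bundle 7-Zip's libraries, as an added example that is not part of the original article or of 7-Zip: it walks a directory tree for 7-Zip library files and reads each file's version from its Windows version resource. The file names and the presence of a version resource are assumptions; programs that link the code statically or rename the library are not found this way.

```python
import os
import struct
import sys

# Assumptions (not from the article): the file names a bundled copy would keep,
# and that each file carries a standard Windows version resource.
SEVENZIP_LIBS = {"7z.dll", "7za.dll", "7zxa.dll"}
FIXED_VERSION = (16, 0)  # 7-Zip 16.0, the fixed release named in the article
VS_FFI_SIGNATURE = struct.pack("<I", 0xFEEF04BD)  # VS_FIXEDFILEINFO.dwSignature


def file_version(path):
    """Return (major, minor) from the file's version resource, or None."""
    with open(path, "rb") as fh:
        data = fh.read()
    pos = data.find(VS_FFI_SIGNATURE)
    # dwSignature, dwStrucVersion and dwFileVersionMS take 12 bytes in total.
    if pos < 0 or pos + 12 > len(data):
        return None
    (version_ms,) = struct.unpack_from("<I", data, pos + 8)
    return version_ms >> 16, version_ms & 0xFFFF


def find_bundled_7zip(root):
    """Yield (path, version, status) for each 7-Zip library found under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in SEVENZIP_LIBS:
                continue
            path = os.path.join(dirpath, name)
            try:
                version = file_version(path)
            except OSError:
                version = None  # unreadable file: treat like a missing resource
            if version is None:
                status = "unknown"  # needs manual review
            elif version < FIXED_VERSION:
                status = "outdated"  # older than the fixed release
            else:
                status = "fixed"
            yield path, version, status


if __name__ == "__main__":
    for path, version, status in find_bundled_7zip(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:9} {version} {path}")
```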
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.