You’re most likely familiar with 7-Zip, the open-source file archiving application that offers optional AES-256 encryption, support for large files, and a wide range of compression, conversion and encryption methods. The app also runs on Windows 10, 8, 7, XP, 2012, 2008, 2003, 2000, and NT.
Security researchers at Cisco Talos have found this popular utility to be vulnerable: multiple exploitable flaws were located in 7-Zip, exposing both the vendors who embed it and end users to attack.
The vulnerabilities are especially troublesome for vendors, who may be unaware of the issues and may still be shipping the vulnerable 7-Zip libraries inside their own products. They are particularly threatening to security tools and antivirus software, which commonly use 7-Zip code to unpack archives for scanning. Why does the exposure reach so far? Because 7-Zip is used on multiple platforms and is one of the leading archive utilities on the current market.
The vulnerabilities were reported by Cisco Talos, and Cisco’s Jaeson Schultz wrote up the findings. According to The Register, Schultz said that the flaws could allow malicious actors to compromise fully updated systems and execute code with the privileges of the logged-in user. In other words, even if your Windows 10 is appropriately patched, you will still be exposed until the specific 7-Zip fixes are applied.
But what are the flaws about?
CVE-2016-2335, The Out-Of-Bounds Read Vulnerability
First of all, what is an out-of-bounds read vulnerability? It is a memory-safety bug in which a program reads memory outside the buffer or array it intended to access, typically because an index or length taken from untrusted input is never compared against the size of that buffer. It is a close relative of the buffer overflow, which writes past the end of a buffer rather than reading past it. Both are commonly triggered by crafted input and can produce inconsistent program behavior, memory access errors, incorrect results, crashes, or breaches of system security. An out-of-bounds read on its own usually leaks data or crashes the process; when the value read is then used as a pointer, an object reference or a length, an attacker who controls the input can steer the program further, which is why such bugs often end up being exploited in malicious operations.
In terms of 7-Zip’s vulnerability, this is what the Talos team has written in their report:
Central to 7-Zip’s processing of UDF files is the CInArchive::ReadFileItem method. Because volumes can have more than one partition map, their objects are kept in an object vector. To start looking for an item, this method tries to reference the proper object using the partition map’s object vector and the “PartitionRef” field from the Long Allocation Descriptor. Lack of checking whether the “PartitionRef” field is bigger than the available amount of partition map objects causes a read out-of-bounds and can lead, in some circumstances, to arbitrary code execution.
As explained by Schultz, whenever the vulnerable code is run by a privileged account, a malicious actor who gets a crafted archive processed by it can execute code with those permissions. As pointed out by The Register, a large number of popular products are affected by the flaw, including those of FireEye and Malwarebytes. It should be noted that the issues are not in those products’ own code; they are in the 7-Zip code the products bundle to handle archives.
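The missing check from the Talos description, shown on a simplified model of the UDF lookup (an added example written for this article, not 7-Zip’s own code): a descriptor’s PartitionRef field is read from the file and used as an index into the partition map vector, first without and then with the bounds check. The long_ad byte layout follows ECMA-167 (extent length, block number, partition reference, implementation use); the partition_map fields, the function names and the sample bytes are assumptions constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not 7-Zip's code: a simplified model of the UDF lookup
 * described above. A volume carries one entry per partition map; a Long
 * Allocation Descriptor (long_ad, 16 bytes in ECMA-167) addresses a block
 * by (partition reference, logical block number). The partition_map fields
 * below are an assumption chosen for the demo. */
typedef struct {
    uint32_t start_block;   /* first physical block of this partition (assumed) */
    uint32_t block_count;   /* number of blocks in the partition (assumed) */
} partition_map;

typedef struct {
    uint32_t extent_len;    /* bytes 0-3: extent length */
    uint32_t lbn;           /* bytes 4-7: logical block number inside the partition */
    uint16_t partition_ref; /* bytes 8-9: index into the partition map vector */
} long_ad;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16le(const uint8_t *p) {
    return (uint16_t)((uint16_t)p[0] | ((uint16_t)p[1] << 8));
}

/* Parse one long_ad from its on-disk little-endian bytes (bytes 10-15 are
 * implementation use and are ignored here). */
long_ad parse_long_ad(const uint8_t buf[16]) {
    long_ad ad;
    ad.extent_len = rd32le(buf);
    ad.lbn = rd32le(buf + 4);
    ad.partition_ref = rd16le(buf + 8);
    return ad;
}

/* VULNERABLE pattern: partition_ref from the file is used as an index with no
 * comparison against the vector size. A crafted descriptor with
 * partition_ref >= map_count reads past the array (undefined behaviour); this
 * is the class of bug behind CVE-2016-2335. Shown for comparison only. */
uint32_t resolve_block_unchecked(const partition_map *maps, size_t map_count,
                                 const long_ad *ad) {
    (void)map_count; /* the size is available but never consulted */
    return maps[ad->partition_ref].start_block + ad->lbn;
}

/* FIXED pattern: validate the untrusted index before dereferencing, and also
 * keep the block inside the partition it names.
 * Returns the physical block, -1 for a bad partition_ref, -2 for a bad lbn. */
int64_t resolve_block_checked(const partition_map *maps, size_t map_count,
                              const long_ad *ad) {
    if (ad->partition_ref >= map_count)
        return -1;
    const partition_map *pm = &maps[ad->partition_ref];
    if (ad->lbn >= pm->block_count)
        return -2;
    return (int64_t)pm->start_block + ad->lbn;
}

/* Constructed sample data for this example: two partition maps and three
 * descriptors. good_ad is valid; evil_ad carries partition_ref 0xFFFF, far
 * beyond the two entries that exist; far_ad names a block past the end of
 * partition 1. */
static const partition_map sample_maps[2] = { {256, 1000}, {2048, 500} };
static const uint8_t good_ad[16] = {
    0x00, 0x08, 0x00, 0x00,   /* extent length 2048 */
    0x07, 0x00, 0x00, 0x00,   /* lbn 7 */
    0x01, 0x00,               /* partition_ref 1 */
    0, 0, 0, 0, 0, 0 };
static const uint8_t evil_ad[16] = {
    0x00, 0x08, 0x00, 0x00,
    0x07, 0x00, 0x00, 0x00,
    0xFF, 0xFF,               /* partition_ref 65535: out of bounds */
    0, 0, 0, 0, 0, 0 };
static const uint8_t far_ad[16] = {
    0x00, 0x08, 0x00, 0x00,
    0xF4, 0x01, 0x00, 0x00,   /* lbn 500 == block_count of partition 1 */
    0x01, 0x00,
    0, 0, 0, 0, 0, 0 };

/* Run the hardened lookup over one sample descriptor. */
int64_t check_sample(const uint8_t ad_bytes[16]) {
    long_ad ad = parse_long_ad(ad_bytes);
    return resolve_block_checked(sample_maps, 2, &ad);
}

int main(void) {
    long_ad ad = parse_long_ad(good_ad);
    printf("good descriptor: unchecked=%u checked=%lld\n",
           resolve_block_unchecked(sample_maps, 2, &ad),
           (long long)check_sample(good_ad));
    /* The unchecked variant is deliberately not called on evil_ad: with
     * partition_ref 65535 it would read about half a megabyte past sample_maps. */
    printf("evil descriptor: checked=%lld (rejected)\n", (long long)check_sample(evil_ad));
    printf("far descriptor:  checked=%lld (rejected)\n", (long long)check_sample(far_ad));
    return 0;
}
```

The point of the two variants is that the size of the vector is known at the call site in both; the vulnerable one simply never consults it. Any field that arrives from the file and is used as an index, count or offset needs the same comparison before it touches memory.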
In conclusion, as Cisco Talos explains, vulnerabilities often emerge from applications failing to validate their input data, and the 7-Zip flaws are a case of exactly that. Fortunately, Talos worked with the 7-Zip developers to get the flaws patched. To avoid attacks, users should immediately update 7-Zip to version 16.00, which contains the fixes. Note that updating the standalone 7-Zip application does not fix copies of its code embedded in other products; those need an update from the respective vendor.