Security researchers Marcin Noga and Jaeson Schultz revealed vulnerabilities in 7-Zip that can put software products and devices bundled with the popular file compression utility at risk.

Schultz explained the vulnerabilities could compromise systems by giving attackers the same access rights as logged-in users. “Anytime the vulnerable code is being run by any sort of privileged account, an attacker can exploit the vulnerability and execute code under those same permissions,” Schultz told The Register.

One of the major flaws discovered by the team includes an ‘out-of-bounds vulnerability’ which involves how 7-Zip processes Universal Disk Format (UDF) files, the file system widely used for DVDs (audio and video) and newer optical disc formats. The vulnerability can be triggered by entries containing a malformed ‘Long Allocation Descriptor,’ which can provide a way for attackers to execute arbitrary code.

Noga and Schultz also found a ‘heap overflow vulnerability’ in one of 7-Zip’s functionalities. When exploited, it can result in erratic program behavior such as application and OS crashes, file corruption, memory access errors and even a system breach.

7-Zip, an open source file archiving software, is supported by all major platforms and compression formats. Its touted versatility makes it a popular utility for software and custom enterprise applications that need to compress, convert or encrypt files. The vulnerabilities are dangerous in that attackers can design 7-Zip archives for spear phishing campaigns, which can allow the 7-Zip file decompression process to execute malicious code. It can also be particularly worrisome as some programs and products come integrated with 7-Zip as library code and are set to automatically receive and decompress the files.

Noga and Schultz note in their blog post, “Sadly, many security vulnerabilities arise from applications which fail to properly validate their input data.” Both of these 7-Zip vulnerabilities resulted from flawed input validation.
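
The input validation the researchers refer to, shown for a UDF Long Allocation Descriptor, looks like the following. This is an added example, not 7-Zip's code: the field layout follows the ECMA-167 `long_ad` definition, while the struct names, the partition table, the 2048-byte block size and the sample values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical types for this example; they are not 7-Zip's structures. */
typedef struct { uint32_t num_blocks; } partition_t;
typedef struct { uint32_t length, block; uint16_t part_ref; } long_ad_t;
enum { LONG_AD_SIZE = 16 };  /* ECMA-167 long_ad: 4 + 4 + 2 + 6 bytes */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode one long_ad and validate it; returns 0 if usable, -1 if rejected. */
int parse_long_ad(const uint8_t *buf, size_t len, const partition_t *parts,
                  size_t num_parts, uint32_t block_size, long_ad_t *out) {
    if (!buf || !parts || !out || len < LONG_AD_SIZE || block_size == 0)
        return -1;                            /* truncated descriptor */
    long_ad_t ad;
    ad.length   = le32(buf) & 0x3FFFFFFFu;    /* top 2 bits: extent type */
    ad.block    = le32(buf + 4);
    ad.part_ref = (uint16_t)(buf[8] | buf[9] << 8);
    if (ad.part_ref >= num_parts)             /* index must be in the table */
        return -1;
    /* Extent must end inside the partition; 64-bit math avoids wraparound. */
    uint64_t blocks = ((uint64_t)ad.length + block_size - 1) / block_size;
    if ((uint64_t)ad.block + blocks > parts[ad.part_ref].num_blocks)
        return -1;
    *out = ad;
    return 0;
}

/* Constructed sample: build a descriptor, check it against one partition. */
int check_sample(uint16_t part_ref, uint32_t block, uint32_t length) {
    uint8_t raw[LONG_AD_SIZE] = {0};
    for (int i = 0; i < 4; i++) {
        raw[i]     = (uint8_t)(length >> (8 * i));
        raw[4 + i] = (uint8_t)(block >> (8 * i));
    }
    raw[8] = (uint8_t)part_ref; raw[9] = (uint8_t)(part_ref >> 8);
    partition_t parts[1] = { { 1000 } };      /* one 1000-block partition */
    long_ad_t ad;
    return parse_long_ad(raw, sizeof raw, parts, 1, 2048, &ad);
}

int main(void) {
    printf("%d %d %d\n", check_sample(0, 10, 4096),
           check_sample(1, 10, 4096), check_sample(0, 999, 4096));
    return 0;
}
```

Every value read from the archive is checked against the parser's own tables before it is used as an index or an offset, so a malformed descriptor is rejected instead of steering a memory access.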