The 7-Zip project released version 16.0 of their extremely popular open-source (de)compression software, which contains critical security fixes for two issues discovered by Cisco's Talos team.
The issues are a heap overflow vulnerability (CVE-2016-2334) and an out-of-bounds read vulnerability (CVE-2016-2335). The most dangerous of these two is the latter, which Cisco says it can allow attackers to execute code on the user's machine and take over his device.
According to Cisco, the problem lies in how the 7-Zip client handles UDF files. The UDF (Universal Disk Format) file format is the official file system for DVD-Video and DVD-Audio.
The exploitation scenario is also very trivial, requiring an attacker to create a booby-trapped 7-Zip archive that contains a malicious file.
The only condition is that the user must unzip the file with a vulnerable 7-Zip version, which at this point is all of them except 16.0, the latest one.
Users may be vulnerable through third-party apps
"These type of vulnerabilities are especially concerning since vendors may not be aware they are using the affected libraries," Cisco
wrote yesterday. "This can be of particular concern, for example, when it comes to security devices or antivirus products. 7-Zip is supported on all major platforms, and is one of the most popular archive utilities in-use today."
Among the products in which 7-Zip, or some of its libraries, are implemented are many antivirus applications and even some Linux distributions, where the 7-Zip command-line utility is included as a standard package.
Antivirus packages use 7-Zip to automatically unzip files in order to analyze and scan their content. Since antivirus software is also configured to scan each new file written to disk, an attacker only has to land a malicious archive on a target's device. This means that even if users update their local 7-Zip package, they may still be vulnerable.
