7-Zip flaw enables code smuggling with manipulated archives
Attackers can use manipulated archives to try to inject malicious code into 7-Zip users. An update is available.
(Image: created with AI in Bing Designer by heise online / dmk)
The 7-Zip compression tool contains a security vulnerability that allows attackers from the network to infiltrate and execute malicious code with manipulated archives. A software update is available. 7-Zip users must take action and download and install it themselves.
The security bulletin from Trend Micro's Zero-Day Initiative discusses the vulnerability. According to it, an integer underflow can occur while decompressing a Zstandard-compressed file, before the code writes to memory. The error stems from inadequate validation of user-supplied data and can be abused to smuggle in and launch malicious code (CVE-2024-11477, CVSS 7.8, risk "high").
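The bulletin names the bug class (an unsigned length derived from attacker-controlled data that underflows before a memory write) but no details of the 7-Zip code. The following is an added illustration written for this article, not 7-Zip's source and not the real Zstandard block format: a constructed toy header with a little-endian "block_size" that counts the header itself, a vulnerable length computation that wraps when block_size is smaller than the header, and the hardened check a decoder should apply before it copies anything. All names, the 4-byte header layout and the sample blocks are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy block layout (NOT the Zstandard format, NOT 7-Zip's code):
 *   bytes 0..3 : little-endian uint32 "block_size", counting the header itself
 *   bytes 4..  : payload, block_size - 4 bytes long
 * The bug class shown: trusting block_size from the file and subtracting the
 * header length without first checking that block_size >= 4. */
#define HDR_LEN 4u

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: unsigned subtraction with no lower-bound check.
 * For block_size < 4 the result wraps to a value near SIZE_MAX; any copy or
 * allocation driven by it is effectively unbounded. The value is only
 * returned here, never used for a copy, so this stays safe to run. */
size_t payload_len_unchecked(uint32_t block_size) {
    return (size_t)block_size - HDR_LEN;
}

/* Hardened pattern: reject block_size below the header length BEFORE the
 * subtraction, then bound the payload by what is actually in the buffer.
 * Returns 0 and sets *out on success, -1 on a malformed header. */
int payload_len_checked(uint32_t block_size, size_t available, size_t *out) {
    if (block_size < HDR_LEN) return -1;   /* underflow guard */
    size_t payload = block_size - HDR_LEN;
    if (payload > available) return -1;    /* truncated or oversized block */
    *out = payload;
    return 0;
}

/* Decode one block into out[]: parse header, validate length, copy payload.
 * Returns the number of payload bytes copied, or -1 on malformed input or
 * insufficient output space. */
long decode_block(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap) {
    if (in_len < HDR_LEN) return -1;
    uint32_t block_size = read_le32(in);
    size_t payload;
    if (payload_len_checked(block_size, in_len - HDR_LEN, &payload) != 0) return -1;
    if (payload > out_cap) return -1;
    memcpy(out, in + HDR_LEN, payload);
    return (long)payload;
}

/* Constructed sample blocks (hypothetical test data) */
static const uint8_t good_block[]      = { 0x09, 0x00, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o' }; /* size 9 -> 5-byte payload */
static const uint8_t underflow_block[] = { 0x02, 0x00, 0x00, 0x00, 'x' };                     /* size 2 < header length */
static const uint8_t oversized_block[] = { 0xff, 0xff, 0xff, 0x7f, 'x' };                     /* size claims ~2 GiB */

int main(void) {
    uint8_t out[64];
    printf("unchecked length for block_size=2: %zu (wrapped)\n", payload_len_unchecked(2));
    printf("good:      %ld\n", decode_block(good_block, sizeof good_block, out, sizeof out));
    printf("underflow: %ld\n", decode_block(underflow_block, sizeof underflow_block, out, sizeof out));
    printf("oversized: %ld\n", decode_block(oversized_block, sizeof oversized_block, out, sizeof out));
    return 0;
}
```

The important ordering is in payload_len_checked: the lower-bound test must come before the subtraction, because once the unsigned value has wrapped, a later "is it bigger than the buffer" comparison still passes for any check that was written against the wrapped value's intended meaning. Fuzzing a decoder with headers whose declared sizes sit just below and just above structural minimums is the cheapest way to shake out this class of defect.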
Code smuggling from the network
If attackers convince 7-Zip users to open carefully prepared archives received over the network, for example as an email attachment or a shared file, they can plant malware on their systems. The Zstandard format is increasingly used, especially on Linux, and is available as an option for Btrfs, SquashFS and OpenZFS. It is said to provide compression similar to Deflate (e.g. via zlib or for HTTP compression) but is faster, particularly at decompression.
IT researchers at the ZDI discovered the vulnerability in June and reported it to 7-Zip. With version 24.07, the developers patched the security hole. Version 24.08 is currently available for download on the 7-Zip website.
As 7-Zip does not have an integrated update mechanism, users of the software must take action themselves and download and install the new version. If you do not need any special features of the 7-Zip software, you can also uninstall it. Windows File Explorer is now able to create and unzip 7-Zip files by default.
(dmk)