Vulnerability found in Widely Used File Compression App



A high-severity vulnerability has been discovered in the popular file compression program 7-Zip, potentially allowing attackers to execute code on affected machines. Disclosed by Trend Micro’s Zero Day Initiative (ZDI), the flaw has a severity score of 7.8 out of 10 and affects all 7-Zip versions prior to 24.07.

The vulnerability stems from a flaw in the Zstandard decompression feature, which fails to properly validate user-supplied data. This leads to an integer underflow issue before memory is written, creating an opportunity for malicious actors to exploit the bug and run arbitrary code within the context of the current process. This could allow attackers to execute harmful commands on the victim’s system, potentially compromising the machine.

The risk is significant due to the ease with which attackers can exploit the flaw. While the vulnerability requires user interaction, typically through opening a compromised archive file, it remains a serious concern, especially for users who have not yet updated to the latest version of 7-Zip.

The flaw was first reported by Trend Micro researchers on June 12th, 2024, and patched in the 7-Zip 24.08 update. However, the application lacks an automatic update feature, meaning users must manually install the update. This leaves many systems vulnerable, as older versions of 7-Zip may still be in use across a wide range of devices.

The 7-Zip software, commonly used for file compression and extraction, is widely trusted in both personal and enterprise environments. However, this vulnerability highlights the importance of regularly updating software to mitigate security risks. Users are urged to upgrade to 7-Zip version 24.08 or later as soon as possible to protect against potential exploits.
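Because 7-Zip has no auto-update, the practical defender task is finding installs that still predate the fix. The following is an added example (not from the article or from the 7-Zip project): a small Python triage helper that parses 7-Zip version banners from a constructed software inventory and flags anything below the 24.08 fixed version named above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Version carrying the fix, as stated in the article (7-Zip 24.08).
FIXED_VERSION: Tuple[int, int] = (24, 8)

# Matches the product banner printed by the 7z command-line tool,
# e.g. "7-Zip 24.08 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-08-11",
# as well as bare "7-Zip 23.01" strings copied from an inventory export.
_BANNER_RE = re.compile(r"7-Zip\s+(\d+)\.(\d+)")


def parse_7zip_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from a 7-Zip banner or inventory string, or None."""
    m = _BANNER_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(version: Tuple[int, int]) -> bool:
    """True when the installed version predates the fixed release."""
    return version < FIXED_VERSION


def triage_inventory(lines: List[str]) -> Dict[str, str]:
    """Classify inventory lines of the form '<host>\\t<version banner>'."""
    report: Dict[str, str] = {}
    for line in lines:
        host, _, banner = line.partition("\t")
        version = parse_7zip_version(banner)
        if version is None:
            report[host] = "unknown"          # not 7-Zip, or unparseable
        elif is_vulnerable(version):
            report[host] = "update required"  # older than 24.08
        else:
            report[host] = "ok"
    return report


# Constructed sample inventory (hostnames and dates are made up for the example).
SAMPLE_INVENTORY = [
    "ws-01\t7-Zip 24.07 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-06-19",
    "ws-02\t7-Zip 24.08 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-08-11",
    "ws-03\t7-Zip 23.01 (x64)",
    "ws-04\tWinRAR 6.24",
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```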

As with any security vulnerability, caution should be exercised when handling unknown or suspicious files, particularly those received via email or from untrusted sources.