ARCHIVING MANAGER 7-Zip has some significant security holes that have forced many major software vendors to patch their own products to compensate.
Cisco reported in a blog post from its Talos security intelligence and research arm that two major flaws have been discovered in 7-Zip, with ramifications for the antivirus and security products that build its archive-handling code into their own.
First is CVE-2016-2335, an out-of-bounds read: when parsing Universal Disk Format (UDF) images, 7-Zip takes the partition reference stored in a file entry and uses it as an index without checking that it points at a partition that actually exists. Fed a crafted image, this could, according to Talos, allow crims to execute code on the victim's machine.
Meanwhile, CVE-2016-2334 is an exploitable heap overflow in 7-Zip's handling of HFS+ file system images, again triggered by a specially crafted file. Let's not get all tied up in the mechanics, because we've linked to the article. The short version is that in both cases 7-Zip trusted numbers it read out of the file.
The blog by Marcin Noga and Jaeson Schultz of Cisco's crack ninja security squadron Talos explained: "Sadly, many security vulnerabilities arise from applications which fail to properly validate their input data.
"Both of these 7-Zip vulnerabilities resulted from flawed input validation. Because data can come from a potentially untrusted source, data input validation is of critical importance to all applications’ security.
"Talos has worked with 7-Zip to responsibly disclose, and then patch, these vulnerabilities. Users are urged to update their vulnerable versions of 7-Zip to the latest revision, version 16.00, as soon as possible."
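The Talos point about input validation is easier to see in code. What follows is an added illustration, not 7-Zip's source and not the Talos proof of concept: a toy parser for a UDF-style "file item" (a partition reference, a logical block number and a length) over a constructed two-partition image. The layout, the `volume_t` type and the error codes are all assumptions made up for the example; the check that matters is the one on `part_ref`, which is the class of check the first CVE above describes as missing.

```c
/* Added example (not 7-Zip code): validating a partition reference read
 * from an untrusted image before using it as an array index.
 * File layout is constructed for this example:
 *   item = { u16 partition_ref, u32 logical_block, u32 length }  (little-endian)
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_PARTITIONS 4

typedef struct { uint32_t start; uint32_t length; } partition_t;   /* assumed layout */

typedef struct {
    partition_t parts[MAX_PARTITIONS];
    uint32_t num_parts;          /* how many entries of parts[] were actually parsed */
} volume_t;

enum { PARSE_OK = 0, PARSE_BAD_PARTITION = -1, PARSE_BAD_EXTENT = -2, PARSE_TRUNCATED = -3 };

/* Little-endian readers that do not depend on host alignment or endianness. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one 10-byte file item at item_off in buf. On PARSE_OK, *abs_off/*len give a
 * byte range that is inside the referenced partition and inside the image. */
int parse_file_item(const volume_t *vol, const uint8_t *buf, size_t buflen, size_t item_off,
                    size_t image_size, uint32_t *abs_off, uint32_t *len)
{
    if (item_off > buflen || buflen - item_off < 10) return PARSE_TRUNCATED;
    const uint8_t *p = buf + item_off;
    uint16_t part_ref = rd16(p);
    uint32_t lbn = rd32(p + 2);
    uint32_t n   = rd32(p + 6);

    /* The bounds check: an index read from the file is attacker-controlled and
     * must be compared against the number of partitions really present. */
    if (part_ref >= vol->num_parts) return PARSE_BAD_PARTITION;
    const partition_t *part = &vol->parts[part_ref];

    /* Extent check written to avoid integer overflow in lbn + n. */
    if (lbn > part->length || n > part->length - lbn) return PARSE_BAD_EXTENT;
    uint64_t abs = (uint64_t)part->start + lbn;
    if (abs + n > image_size) return PARSE_BAD_EXTENT;

    *abs_off = (uint32_t)abs;
    *len = n;
    return PARSE_OK;
}

/* Constructed volume: two 2048-byte partitions in a 4096-byte image. */
static volume_t demo_volume(void) {
    volume_t v = {0};
    v.num_parts = 2;
    v.parts[0].start = 0;    v.parts[0].length = 2048;
    v.parts[1].start = 2048; v.parts[1].length = 2048;
    return v;
}

/* Build one item with the given fields and run it through the parser. */
int demo_item(uint16_t part_ref, uint32_t lbn, uint32_t n, uint32_t *abs_off, uint32_t *len) {
    uint8_t item[10];
    item[0] = (uint8_t)(part_ref & 0xff); item[1] = (uint8_t)(part_ref >> 8);
    for (int i = 0; i < 4; i++) { item[2 + i] = (uint8_t)(lbn >> (8 * i)); item[6 + i] = (uint8_t)(n >> (8 * i)); }
    volume_t v = demo_volume();
    return parse_file_item(&v, item, sizeof item, 0, 4096, abs_off, len);
}

int main(void) {
    uint32_t off, len;
    printf("valid item      -> %d\n", demo_item(1, 16, 32, &off, &len));        /* PARSE_OK */
    printf("partition 65535 -> %d\n", demo_item(0xFFFF, 0, 1, &off, &len));    /* PARSE_BAD_PARTITION */
    printf("extent overrun  -> %d\n", demo_item(0, 2047, 2, &off, &len));      /* PARSE_BAD_EXTENT */
    return 0;
}
```

Without the `part_ref` check, an item carrying partition reference 65535 would index `parts[]` far past its four entries, which is exactly the shape of bug Talos describes; with it, the item is rejected before any memory is touched. The extent check is the same idea applied to the second number the file supplies.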
7-Zip is a hugely popular open source alternative to commercial file archiving packages, first released in 1999. As well as reading and writing the standard .zip format (and extracting .rar), its own .7z format has become a de facto standard for many users, but as with any archive or disk-image format, a crafted file can carry nasties too.
Meanwhile, because the problem sits in 7-Zip's parsing code rather than just the desktop app, every security product that bundles that code to peek inside archives inherits the flaws, and the major vendors are rushing to ship patched builds of their own.
Talos said: "These types of vulnerabilities are especially concerning since vendors may not be aware they are using the affected libraries. This can be of particular concern, for example, when it comes to security devices or antivirus products.
"7-Zip is supported on all major platforms, and is one of the most popular archive utilities in use today. Users may be surprised to discover just how many products and appliances are affected."