Skip to content
Tech News
← Back to articles

Update now: 7-Zip fixes RCE flaw exploitable with malicious archives

read original more articles
Why This Matters

The release of 7-Zip version 26.02 addresses a critical remote code execution vulnerability in its handling of XZ-compressed data, which could be exploited through malicious archives. This fix is significant for the tech industry and consumers, as 7-Zip is widely used and often targeted by threat actors for malware distribution. Users must manually update to ensure their systems are protected from potential exploits leveraging this flaw.

Key Takeaways

7-Zip version 26.02 was released to fix a remote code execution vulnerability that could allow attackers to execute malicious code by convincing users to open specially crafted compressed files.

The vulnerability, disclosed by Lunbun researcher Landon Peng, exists in 7-Zip's processing of XZ-compressed data.

According to an advisory from the Zero Day Initiative, specially crafted XZ data can trigger a heap-based buffer overflow, potentially allowing attackers to execute arbitrary code as the user.

While the developer has not published technical details about the flaw, the changes in the 26.02 source code suggest it is related to how 7-Zip tracks available space while decompressing XZ data.

The patch adds checks to ensure the decoder cannot write beyond the remaining available space in an output buffer, helping prevent a heap-based buffer overflow.

The advisory states that exploitation requires user interaction, such as visiting a malicious page or opening a malicious archive file.

No automatic update feature

As 7-Zip does not include an automatic update feature, users will not receive the security fix automatically. Instead, they must install it manually by downloading the latest version from the program's official site, 7-zip.org.

Because 7-Zip is one of the most widely used archive utilities on Windows, security flaws impacting its archive features are an attractive target to threat actors.

A phishing campaign or social engineering attack could be used to distribute a malicious archive that exploits the flaw to install malware on vulnerable systems.

... continue reading