The popular file compression program 7-Zip is currently affected by a high-severity vulnerability that allows attackers to execute code on victims’ machines, Trend Micro’s Zero Day Initiative (ZDI) has disclosed.
The flaw has a severity score of 7.8 out of 10, and it affects all 7-Zip versions prior to 24.07. Version 24.07 was released on June 19th, 2024, and the current version is 24.08.
The app and subsequent updates must be installed manually, as the program doesn’t have automatic updates. Therefore, many systems are likely still vulnerable.
It’s quite easy for attackers to exploit the flaw. According to the ZDI advisory, malicious actors could use several attack vectors to exploit a specific flaw within the implementation of Zstandard decompression.
“The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process,” the advisory reads.
This means that archives could be used for malicious activity. However, it’s likely that victim interaction would be required to at least open the file.
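To illustrate the bug class the advisory describes (an unvalidated length field causing an integer underflow before a memory write), here is an added example that is not 7-Zip's or Zstandard's code. The two-byte block header, the function names and the sample inputs are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed block layout (hypothetical, not the Zstandard format):
 *   byte 0: total block length, header included
 *   byte 1: header length
 *   rest  : payload to copy into the output buffer */

/* Unvalidated size computation: if hdr_len > block_len, the unsigned
 * subtraction wraps around to a value close to SIZE_MAX. */
size_t payload_len_unchecked(const uint8_t *blk)
{
    size_t block_len = blk[0];
    size_t hdr_len   = blk[1];
    return block_len - hdr_len;      /* underflows on malformed input */
}

/* Validated copy: returns bytes written, or -1 if the block is rejected. */
long copy_payload_checked(const uint8_t *blk, size_t avail,
                          uint8_t *out, size_t out_cap)
{
    if (avail < 2)
        return -1;                   /* header fields missing */
    size_t block_len = blk[0];
    size_t hdr_len   = blk[1];
    if (hdr_len < 2 || hdr_len > block_len)
        return -1;                   /* subtraction would wrap */
    if (block_len > avail)
        return -1;                   /* block claims more data than supplied */
    size_t n = block_len - hdr_len;  /* cannot underflow after the checks */
    if (n > out_cap)
        return -1;                   /* would write past the output buffer */
    memcpy(out, blk + hdr_len, n);
    return (long)n;
}

/* Constructed sample inputs. */
const uint8_t GOOD_BLOCK[] = { 6, 2, 'd', 'a', 't', 'a' };
const uint8_t BAD_BLOCK[]  = { 2, 5, 'x', 'x', 'x', 'x' }; /* hdr_len > block_len */

int main(void)
{
    uint8_t out[16];
    long ok  = copy_payload_checked(GOOD_BLOCK, sizeof GOOD_BLOCK, out, sizeof out);
    long bad = copy_payload_checked(BAD_BLOCK, sizeof BAD_BLOCK, out, sizeof out);
    return (ok == 4 && bad == -1) ? 0 : 1;
}
```

The unchecked helper only computes the length so the wrapped value can be inspected safely; passing that value to a copy routine is what turns the arithmetic error into an out-of-bounds write.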
Trend Micro Security researcher Nicholas Zubrisky first reported the flaw on June 12th, 2024.