Your average user doesn’t pay much attention to security vulnerabilities in software, but when they affect something like 7-Zip, one of the most popular compression tools available, it has a way of cornering the raised eyebrow market.
Cisco’s Marcin Noga and Jaeson Schultz discovered the flaws in 7-Zip’s source code — which is available under the GNU Lesser General Public License (LGPL) — and posted the specifics last week.
Like a lot of vulnerabilities, the circumstances under which they can be exploited are narrow, but not impossible. The first relates to how 7-Zip deals with files that use the Universal Disk Format.
If the acronym “UDF” sounds familiar, it’s because it’s the file system typically used for DVDs.
Given a carefully formed UDF image, it’s possible to trigger an out-of-bounds error, allowing the execution of malicious code.
The second issue involves Apple’s Hierarchical File System, or HFS+. 7-Zip doesn’t perform validation on some of the data it reads, which, much like the first flaw, can make it possible to run code of nefarious origins.
Now, you can update 7-Zip to the latest version — 16.00 at the time of writing — which fixes both problems. However, that’s not the larger issue at hand. Because 7-Zip’s source is licensed under LGPL, its code has found its way into a variety of projects, as Cisco’s advisory notes:
“These types of vulnerabilities are especially concerning since vendors may not be aware they are using the affected libraries. This can be of particular concern, for example, when it comes to security devices or antivirus products. 7-Zip is supported on all major platforms, and is one of the most popular archive utilities in use today. Users may be surprised to discover just how many products and appliances are affected.”
While some might update to address these flaws, a lot won’t (especially embedded software), leaving them open to exploitation.
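A first-pass inventory check for the embedded-copy problem described above, added here as an example (not code from Cisco or the 7-Zip project): it searches binaries for a 7-Zip version banner and flags anything older than 16.00. The banner format it matches, the function names and the sample bytes are assumptions constructed for illustration.

```python
import pathlib
import re

FIXED = (16, 0)  # 16.00: the release the article says fixes both flaws

# Assumption: an embedded copy keeps a banner like "7-Zip 15.14" or
# "7-Zip [64] 9.20", as ASCII or as UTF-16LE (e.g. a PE version resource).
ASCII = re.compile(rb"7-Zip(?: \[\d+\])? (\d{1,2})\.(\d{2})")
WIDE = re.compile(
    rb"7\x00-\x00Z\x00i\x00p\x00(?: \x00\[\x00(?:\d\x00)+\]\x00)?"
    rb" \x00((?:\d\x00){1,2})\.\x00((?:\d\x00){2})"
)

def embedded_versions(blob):
    """Return the set of (major, minor) 7-Zip versions named in blob."""
    found = set()
    for pattern in (ASCII, WIDE):
        for match in pattern.finditer(blob):
            major, minor = (int(g.replace(b"\x00", b"")) for g in match.groups())
            found.add((major, minor))
    return found

def audit(blobs):
    """Map each name to its embedded versions that predate FIXED."""
    report = {}
    for name, blob in blobs.items():
        outdated = sorted(v for v in embedded_versions(blob) if v < FIXED)
        if outdated:
            report[name] = outdated
    return report

def scan_tree(root):
    """Audit every regular file under root (reads each file whole)."""
    files = (p for p in pathlib.Path(root).rglob("*") if p.is_file())
    return audit({str(p): p.read_bytes() for p in files})

# Constructed sample inputs, not taken from real products.
SAMPLES = {
    "appliance/unpack.bin": b"\x7fELF\x02\x01" + b"7-Zip [64] 9.20\x00",
    "scanner/engine.dll": b"MZ\x90\x00" + "7-Zip 15.14".encode("utf-16-le"),
    "tools/7z.dll": b"MZ\x90\x00" + "7-Zip 16.00".encode("utf-16-le"),
    "docs/readme.txt": b"no archive code here",
}

if __name__ == "__main__":
    for name, versions in audit(SAMPLES).items():
        print(name, ["%d.%02d" % v for v in versions])
```

A miss proves nothing, since a vendor may have stripped or altered the banner; treat hits as a starting list for vendor follow-up rather than a complete inventory.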
Interestingly, 7-Zip’s changelog doesn’t make much of a note about addressing the flaws, simply stating that “Some bugs were fixed”. It’s a far cry from WinRAR’s disclosure when faced with vulnerabilities that weren’t even the program’s fault. It wouldn’t hurt to see a little more transparency here.