Security issues discovered in the popular 7-Zip compression utility have left vendors scrambling to release patches, according to Cisco's Talos security arm.
In an announcement
late yesterday, Talos security researchers Marcin Noga and Jaeson Schultz revealed multiple vulnerabilities in the popular 7-Zip compression and decompression utility. Rather than affecting only the main release of the software, however, the bugs have been traced to the 7-Zip library itself - a library used by thousands of other products and services which sought to quickly add compression and decompression support their their applications.
'These type of vulnerabilities are especially concerning since vendors may not be aware they are using the affected libraries,
' warned the pair in the vulnerability announcement. 'This can be of particular concern, for example, when it comes to security devices or antivirus products. 7-Zip is supported on all major platforms, and is one of the most popular archive utilities in-use today. Users may be surprised to discover just how many products and appliances are affected.
The two major vulnerabilities discovered by Talos are an out-of-bounds read vulnerability relating to Universal Disk Format (UDF) files which can be exploited to execute arbitrary code, and a heap overflow vulnerability which can potentially crash other applications or the underlying operating system. Both are fixed in 7-Zip version 16.00, though it will be some time - if at all - before other software which is built around the 7-Zip library is updated to resolve the issues.