Severe 7-Zip vulnerabilities cause top security, software tools patch panic

The open-source file archiver's security flaws have ramifications which go all the way up to the top.
Written by Charlie Osborne, Contributing Writer

Researchers have discovered that 7-Zip harbours a number of severe security flaws, leaving developers who build the software into their own products rushing to patch the resulting holes.

7-Zip is an open-source file archiver and decompressor, with AES-256 encryption options, that is built into a range of utilities and applications. Not only is 7-Zip used by thousands of consumers, but a number of technology companies and developers also embed it in their own tools and software.

As we've found with the recent ImageMagick flaw, if a backbone piece of software contains severe security vulnerabilities, the implications of the issue can go beyond just the software itself and impact any websites, systems or other solutions which rely on the vulnerable tool.

Marcin Noga, a senior research engineer with Cisco's Security Intelligence and Research Group, Talos, recently discovered a number of issues with 7-Zip.

In a blog post, the security firm said two major vulnerabilities are contained within 7-Zip libraries which may also impact "security devices or antivirus products," among other software.

The first vulnerability, CVE-2016-2335, is an out-of-bounds security flaw caused by the way 7-Zip handles Universal Disk Format (UDF) files. When partition maps are scanned to find objects within the file system, there is a lack of proper checking which can cause a read-out-of-bounds problem. If exploited, cyberattackers could use the vulnerability to execute code remotely.

The second security flaw, CVE-2016-2234, is an exploitable heap overflow vulnerability in the Archive::NHfs::CHandler::ExtractZlibFile method of 7-Zip. In the software's HFS+ support, files can be stored in a compressed format using zlib, and depending on the size of the data, this information may be stored in blocks.

There is no check to see whether the size of the block is bigger than the software's buffer, leading to a buffer overflow problem and potentially heap corruption.
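Both flaws described above come down to trusting a length read from the file before checking it against the buffers involved: the UDF bug reads past the end of the input while walking partition maps, and the HFS+ bug copies a block whose declared size was never compared with the destination buffer. The following C example is added here to illustrate the defensive pattern; it is not 7-Zip's code and does not reproduce its UDF or HFS+ parsing. It assumes a hypothetical container format (a 4-byte little-endian block length followed by the block bytes) and shows the two checks that keep a block extractor within both the input and the output buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical container format, constructed for this example:
 * [4-byte little-endian block length][block bytes...]
 * This is not 7-Zip's UDF or HFS+ layout. */

enum extract_status {
    EXTRACT_OK = 0,
    EXTRACT_TRUNCATED_HEADER = 1, /* length field runs past the input: an out-of-bounds read if unchecked */
    EXTRACT_TRUNCATED_BODY = 2,   /* declared length runs past the input: an out-of-bounds read if unchecked */
    EXTRACT_BLOCK_TOO_LARGE = 3   /* declared length exceeds the destination: a heap overflow if unchecked */
};

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copy one length-prefixed block from `in` into `out`, refusing any block
 * that would read outside `in` or write outside `out`. */
enum extract_status extract_block(const uint8_t *in, size_t in_len,
                                  uint8_t *out, size_t out_cap, size_t *out_len)
{
    *out_len = 0;

    /* Check 1: the header itself must be fully inside the input. */
    if (in_len < 4)
        return EXTRACT_TRUNCATED_HEADER;

    uint32_t block_len = read_le32(in);

    /* Check 2: the declared body must be inside the input (bounds the read). */
    if (block_len > in_len - 4)
        return EXTRACT_TRUNCATED_BODY;

    /* Check 3: the block must fit the destination buffer (bounds the write).
     * This is the check the article says was missing in the HFS+ handler. */
    if (block_len > out_cap)
        return EXTRACT_BLOCK_TOO_LARGE;

    memcpy(out, in + 4, block_len);
    *out_len = block_len;
    return EXTRACT_OK;
}

/* Small wrapper with a fixed 16-byte destination so results can be checked
 * by return value. `out_cap` is clamped to the real buffer size. */
static size_t g_last_len = 0;

enum extract_status try_extract(const uint8_t *in, size_t in_len, size_t out_cap)
{
    uint8_t buf[16];
    if (out_cap > sizeof buf)
        out_cap = sizeof buf;
    return extract_block(in, in_len, buf, out_cap, &g_last_len);
}

size_t last_extracted_len(void)
{
    return g_last_len;
}

/* Constructed sample inputs (not real archive data). */
static const uint8_t GOOD_BLOCK[] = { 3, 0, 0, 0, 'a', 'b', 'c' };        /* claims 3 bytes, has 3 */
static const uint8_t OVERSIZED_BLOCK[] = { 0xff, 0xff, 0xff, 0x7f, 'x' };  /* claims ~2 GiB, has 1 */

int main(void)
{
    printf("good block, 8-byte dest:      %d\n", try_extract(GOOD_BLOCK, sizeof GOOD_BLOCK, 8));
    printf("good block, 2-byte dest:      %d\n", try_extract(GOOD_BLOCK, sizeof GOOD_BLOCK, 2));
    printf("oversized block, 16-byte dest: %d\n", try_extract(OVERSIZED_BLOCK, sizeof OVERSIZED_BLOCK, 16));
    printf("2-byte input (short header):   %d\n", try_extract(GOOD_BLOCK, 2, 8));
    return 0;
}
```

The order of the checks matters: the input-side checks run before the length is used to index the input, and the output-side check runs before the copy, so neither the read nor the write can leave its buffer regardless of what the file claims.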

Noga commented:

"Sadly, many security vulnerabilities arise from applications which fail to properly validate their input data. Both of these 7-Zip vulnerabilities resulted from flawed input validation.
Because data can come from a potentially untrusted source, data input validation is of critical importance to all applications' security."

Talos and 7-Zip have worked together to fix these issues and now the latest version, 7-Zip v.16.00, is available for download. Previous editions of the software are vulnerable to these issues and so should be updated immediately -- and that goes for both consumers and any company or developer relying on 7-Zip's functionality.
