Two vulnerabilities have been uncovered by researchers in an open-source Windows utility called 7-Zip. This program provides compression and archiving tools for files. While many of our readers may not know what, or who, 7-Zip is, it is likely that other products you use or know about rely on 7-Zip in their programs.
Some of the vendors that have 7-Zip integrated include FireEye, Malwarebytes, and Comodo.
This means whether you use 7-Zip directly or not, you may be vulnerable.
Cisco Talos recently discovered multiple vulnerabilities in 7-Zip that are more serious than regular security flaws. As explained in a blog post by Marcin Noga and Jaeson Schultz, two members of the Cisco Talos Security Intelligence & Research Group:
“These type of vulnerabilities are especially concerning since vendors may not be aware they are using the affected libraries. This can be of particular concern, for example, when it comes to security devices or antivirus products. 7-Zip is supported on all major platforms, and is one of the most popular archive utilities in-use today. Users may be surprised to discover just how many products and appliances are affected.”
Cisco Talos has identified two flaws in particular. The first (CVE-2016-2335) is an out-of-bounds read vulnerability that exists in the way 7-Zip handles Universal Disk Format (UDF) files. An attacker could potentially exploit this vulnerability to achieve arbitrary code execution.
The second flaw (CVE-2016-2334) is a heap overflow vulnerability that exists in the Archive::NHfs::CHandler::ExtractZlibFile method of 7-Zip. The flaw pertains to how compressed files that exceed a certain size are stored in a resource fork and split into blocks. A failure to validate those block sizes means a malformed block size can cause a buffer overflow and heap corruption.
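Both flaws above belong to the same defect class: a size read from the archive is trusted before it is checked against the bytes actually available. The following is an added illustration of that pattern and its fix; it is constructed for this article and is not 7-Zip's code. It assumes a hypothetical, simplified block layout (a 4-byte little-endian length followed by that many bytes), not the real HFS resource-fork or UDF structures. The unchecked version would over-read the source (the out-of-bounds-read class of CVE-2016-2335) or overrun the destination (the heap-overflow class of CVE-2016-2334) on a malformed length; the checked version rejects the archive instead. The malformed sample is only ever fed to the checked version.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, hypothetical block layout (NOT 7-Zip's real format):
 * each block is a 4-byte little-endian length followed by that many bytes. */

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VULNERABLE PATTERN: the block length comes from the file and is trusted.
 * A length larger than the remaining input over-reads 'src'; a length larger
 * than the destination overruns 'out'. Returns bytes written.
 * Only ever call this with well-formed input. */
static long copy_blocks_unchecked(const uint8_t *src, size_t src_len,
                                  uint8_t *out, size_t out_cap)
{
    size_t in = 0, written = 0;
    (void)out_cap;                         /* never consulted: that is the bug */
    while (in + 4 <= src_len) {
        uint32_t block_len = read_le32(src + in);
        in += 4;
        memcpy(out + written, src + in, block_len);   /* no bounds check */
        in += block_len;
        written += block_len;
    }
    return (long)written;
}

/* HARDENED: validate every declared block length against both the bytes
 * remaining in the input and the space remaining in the output before
 * copying. Returns bytes written, or -1 if the archive is malformed. */
static long copy_blocks_checked(const uint8_t *src, size_t src_len,
                                uint8_t *out, size_t out_cap)
{
    size_t in = 0, written = 0;
    while (in < src_len) {
        if (src_len - in < 4)
            return -1;                       /* truncated length field */
        uint32_t block_len = read_le32(src + in);
        in += 4;
        if (block_len > src_len - in)        /* would over-read the source */
            return -1;
        if (block_len > out_cap - written)   /* would overrun the destination */
            return -1;
        memcpy(out + written, src + in, block_len);
        in += block_len;
        written += block_len;
    }
    return (long)written;
}

/* Constructed sample: two well-formed blocks, "abc" (len 3) and "de" (len 2). */
static const uint8_t GOOD[] = { 3,0,0,0,'a','b','c', 2,0,0,0,'d','e' };
/* Constructed malformed sample: declared length 0x40000000, only 2 payload bytes. */
static const uint8_t BAD[]  = { 0x00,0x00,0x00,0x40, 'x','y' };

/* Small drivers so the outcome of each path is a return value. */
long run_unchecked_on_good(void)
{
    uint8_t out[16];
    return copy_blocks_unchecked(GOOD, sizeof GOOD, out, sizeof out);   /* 5 */
}

int checked_good_matches(void)   /* 1 if 5 bytes written and they equal "abcde" */
{
    uint8_t out[16];
    long n = copy_blocks_checked(GOOD, sizeof GOOD, out, sizeof out);
    return n == 5 && memcmp(out, "abcde", 5) == 0;
}

long run_checked_on_bad(void)     /* -1: declared length exceeds input */
{
    uint8_t out[16];
    return copy_blocks_checked(BAD, sizeof BAD, out, sizeof out);
}

long run_checked_on_small_out(void) /* -1: second block does not fit in 4 bytes */
{
    uint8_t out[4];
    return copy_blocks_checked(GOOD, sizeof GOOD, out, sizeof out);
}

int main(void)
{
    printf("unchecked/good: %ld\n", run_unchecked_on_good());
    printf("checked/good matches: %d\n", checked_good_matches());
    printf("checked/bad: %ld\n", run_checked_on_bad());
    printf("checked/small out: %ld\n", run_checked_on_small_out());
    return 0;
}
```

The two comparisons in the checked version are written as `block_len > remaining` rather than `in + block_len > src_len` on purpose: the subtraction form cannot wrap, whereas adding an attacker-chosen 32-bit length to an offset can overflow and pass a naive check.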
Users are urged to update all vulnerable versions of 7-Zip to the latest revision, version 16.00, as soon as possible. You should also check with the vendor of your antivirus or any other security programs used in your organization to see if those products are affected.