Researchers have found some serious flaws in 7-Zip, an open source compression tool which is used in many products including antiviruses and security appliances. 7-Zip is known for its high compression ratio and ability to handle a large number of archive formats. The vulnerabilities in 7-Zip are caused by the lack of proper data input validation. Here to comment on this research is security expert from Tripwire.
Craig Young, Cybersecurity Researcher for Tripwire:
“It is important for users to exercise caution when extracting files from untrusted sources using 7-zip. Earlier this year I did my own research on 7-zip and found that the wide range of supported file formats creates a very large attack surface. With less than an hour of fuzzing the 7z extractor late last year, I also found several exploitable memory corruption bugs. The best advice for anyone downloading content and extracting it with 7z is to perform file extractions within an immutable virtual machine.”
About the Author
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
