Researchers have found serious flaws in 7-Zip, an open-source compression tool used in many products, including antivirus software and security appliances. 7-Zip is known for its high compression ratio and its ability to handle a large number of archive formats. The vulnerabilities are caused by a lack of proper validation of input data. Here to comment on this research is a security expert from Tripwire.
Craig Young, Cybersecurity Researcher for Tripwire:
“It is important for users to exercise caution when extracting files from untrusted sources using 7-zip. Earlier this year I did my own research on 7-zip and found that the wide range of supported file formats creates a very large attack surface. With less than an hour of fuzzing the 7z extractor late last year, I also found several exploitable memory corruption bugs. The best advice for anyone downloading content and extracting it with 7z is to perform file extractions within an immutable virtual machine.”