Your average user doesn’t pay much attention to security vulnerabilities in software, but when they affect something like 7-Zip, one of the most popular compression tools available, it has a way of cornering the raised eyebrow market.
Cisco’s Marcin Noga and Jaeson Schultz discovered the flaws in 7-Zip’s source code — which is available under the GNU Lesser General Public License (LGPL) — and posted their specifics last week.
Like a lot of vulnerabilities, the circumstances under which they can be exploited are narrow, but not impossible. The first relates to how 7-Zip deals with files that use the Universal Disk Format.
If the acronym “UDF” sounds familiar, it’s because it’s the file system typically used for DVDs.
Given a carefully formed UDF image, it’s possible to trigger an out-of-bounds error, allowing the execution of malicious code.
The second issue involves Apple’s Hierarchical File System, or HFS+. 7-Zip doesn’t perform validation on some of the data it reads from such images, and, much like the first flaw, this can make it possible to run code of nefarious origins.
Now, you can update 7-Zip to the latest version — 16.00 at the time of writing — which fixes both problems. However, that’s not the larger issue at hand. Because 7-Zip is licensed under LGPL, its code has found its way into a variety of open source projects.
While some might update to address these flaws, a lot won’t (especially embedded software), leaving them open to exploitation.
Interestingly, 7-Zip’s changelog doesn’t make much of a note about addressing the flaws, simply stating that “Some bugs were fixed”. It’s a far cry from WinRAR’s disclosure when faced with vulnerabilities that weren’t even the program’s fault. It wouldn’t hurt to see a little more transparency here.