Critical Security Vulnerability in Renowned Compression Manager 7-Zip Allows Execution of Arbitrary Code: Immediate Upgrade Recommended
Security researchers recently disclosed a critical vulnerability in the well-known compression manager 7-Zip that could allow attackers to execute arbitrary code. There is no need for undue alarm: the flaw was reported to the developers on June 12, 2024, and the current version of 7-Zip already contains the fix. It is because the fix has been available for some time that the researchers have now made the details public.
The fixed version, 7-Zip v24.07, was released on June 19, 2024. Later versions, including 7-Zip v24.08 (the latest at the time of this article's publication), are likewise not affected by this vulnerability.
Users therefore need to update to at least v24.07 to ensure the vulnerability cannot be exploited. If you are still running an older version of 7-Zip, download the latest release from the official website immediately and install it over the existing installation.
Special Note: Most common compression managers bundle 7-Zip's open-source code, so those products must also be updated to a build that includes the fix.
Download link: https://www.7-zip.org/
Vulnerability Description:
This vulnerability allows remote attackers to execute arbitrary code on affected versions of 7-Zip. Exploitation requires interaction with the library, but the specific attack vector may vary depending on how the library is integrated.
The flaw lies in 7-Zip's Zstandard decompression implementation: user-supplied data is not adequately validated, which can lead to an integer underflow before a write to memory. An attacker could leverage this to execute code in the context of the current process.
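The bug class described above, as an added illustration that is not 7-Zip's or zstd's code: the block layout, function names and sample bytes are constructed assumptions, chosen only to show how an unchecked subtraction of an untrusted length wraps in unsigned arithmetic, and how the hardened form rejects the input instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy block layout, constructed for this illustration (not 7-Zip's or
 * zstd's real format): byte 0 holds a header length H, followed by H
 * header bytes, followed by the payload that fills the rest of the block. */

/* Vulnerable pattern: the attacker-controlled header length is subtracted
 * from the block size with no prior check. size_t cannot go negative, so a
 * header length larger than the block wraps to an enormous payload length,
 * and a later write sized by that value runs past the buffer. */
size_t payload_len_unchecked(const uint8_t *block, size_t block_len)
{
    size_t hdr = 1 + (size_t)block[0];
    return block_len - hdr;           /* wraps when hdr > block_len */
}

/* Hardened pattern: validate the untrusted length before subtracting and
 * report failure instead of producing a wrapped value. */
bool payload_len_checked(const uint8_t *block, size_t block_len, size_t *out)
{
    if (block_len < 1)
        return false;
    size_t hdr = 1 + (size_t)block[0];
    if (hdr > block_len)              /* subtraction would underflow */
        return false;
    *out = block_len - hdr;
    return true;
}

/* Copies the payload into dst, refusing any block whose payload would not
 * fit. Returns the payload length, or -1 when the block is rejected. */
int decode_block(const uint8_t *block, size_t block_len,
                 uint8_t *dst, size_t dst_cap)
{
    size_t n;
    if (!payload_len_checked(block, block_len, &n) || n > dst_cap)
        return -1;
    memcpy(dst, block + 1 + block[0], n);
    return (int)n;
}

/* Constructed samples: a well-formed block (H=2, payload "hi") and a
 * malformed one that declares H=200 inside a 3-byte block. */
const uint8_t good_block[] = { 2, 0xAA, 0xBB, 'h', 'i' };
const uint8_t bad_block[]  = { 200, 0x00, 0x00 };
```

For the malformed sample, `payload_len_unchecked` returns a value close to `SIZE_MAX`, while `decode_block` rejects it before any copy takes place.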
Common Exploitation Scenarios:
An attacker could craft a malicious archive and lure users into downloading and extracting it, for example via an email attachment or a download site. After successful exploitation, the attacker could steal data from the system or even take it over entirely. Note: this vulnerability does not allow arbitrary code execution without user interaction; the victim must download the specially crafted file and run the extraction.
Vulnerability Information:
- Vulnerability Number: CVE-2024-11477
- CVSS Score: 7.8/10
- Disclosure Timeline: Reported to 7-Zip developers on June 12, 2024, fixed version v24.07 released on June 19, 2024, and coordinated public disclosure starting from October 20, 2024.
- Discoverer: Nicholas Zubrisky from Trend Micro's security research department