7-Zip vulnerabilities prompt security scramble to plug data leaks

8 replies to this topic

#1 JohnC_21 (Members)

Posted 13 May 2016 - 12:14 PM

Cisco reported in a blog post from its Security Intelligence and Research arm that two major flaws have been discovered in 7-Zip that have ramifications for antivirus and security products.

First is CVE-2016-2335, a flaw whereby 7-Zip doesn't check whether a partition is 'out of bounds' when reading Universal Disk Format files, which, if misused, could allow crims to execute remote code.

"Both of these 7-Zip vulnerabilities resulted from flawed input validation. Because data can come from a potentially untrusted source, data input validation is of critical importance to all applications’ security.

"Talos has worked with 7-Zip to responsibly disclose, and then patch, these vulnerabilities. Users are urged to update their vulnerable versions of 7-Zip to the latest revision, version 16.00, as soon as possible."

Article
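The "out of bounds" partition check the article describes, as an added example that is not 7-Zip's code and does not use the real UDF on-disk layout: a deliberately simplified, constructed volume format (the field layout, the MAX_PARTITIONS limit, the parse_volume and validate functions, the status codes and the sample byte strings are all assumptions made for this illustration) is parsed by a validating routine that rejects an extent whose partition reference exceeds the number of partitions actually read, rejects an extent that runs past the end of its partition (summing in 64 bits so a crafted offset plus length cannot wrap around the comparison), and checks the remaining buffer length before every read so truncated input is refused rather than read past.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed, simplified volume layout (NOT the real UDF format and NOT
 * 7-Zip's code), used only to show the class of check the article says was
 * missing: an extent that names a partition by index must be checked against
 * the number of partitions that were actually read from the input.
 *
 *   uint16   partition_count
 *   partition_count x { uint32 start_sector, uint32 sector_count }
 *   uint16   part_ref          index into the partition table
 *   uint32   offset_sectors    extent start, relative to the partition
 *   uint32   length_sectors
 * All integers are little-endian.
 */
#define MAX_PARTITIONS 16

struct partition { uint32_t start; uint32_t count; };
struct extent    { uint16_t part_ref; uint32_t offset; uint32_t length; };

struct volume {
    uint16_t         partition_count;
    struct partition parts[MAX_PARTITIONS];
    struct extent    ext;
};

enum parse_status {
    PARSE_OK          =  0,
    PARSE_TRUNCATED   = -1,   /* buffer ends before a field we need              */
    PARSE_BAD_COUNT   = -2,   /* zero partitions, or more than the table holds   */
    PARSE_BAD_PARTREF = -3,   /* part_ref >= partition_count                     */
    PARSE_BAD_RANGE   = -4    /* extent runs past the end of its partition       */
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse and validate one volume; on failure the contents of *vol are unspecified. */
int parse_volume(const uint8_t *buf, size_t len, struct volume *vol)
{
    size_t pos = 0;
    memset(vol, 0, sizeof *vol);

    if (len < 2) return PARSE_TRUNCATED;
    uint16_t count = rd16(buf);
    pos = 2;
    if (count == 0 || count > MAX_PARTITIONS) return PARSE_BAD_COUNT;

    /* Check the remaining length before touching the table. count is at most
       MAX_PARTITIONS, so the multiplication cannot overflow size_t. */
    if (len - pos < (size_t)count * 8) return PARSE_TRUNCATED;
    for (uint16_t i = 0; i < count; i++) {
        vol->parts[i].start = rd32(buf + pos);
        vol->parts[i].count = rd32(buf + pos + 4);
        pos += 8;
    }
    vol->partition_count = count;

    if (len - pos < 10) return PARSE_TRUNCATED;
    uint16_t part_ref = rd16(buf + pos);
    uint32_t offset   = rd32(buf + pos + 2);
    uint32_t length   = rd32(buf + pos + 6);

    /* The check whose absence the article describes: the partition reference
       must select an entry that was actually read from this input. Without it,
       a crafted part_ref reads table memory the parser never filled in (or,
       with a table sized to count, memory outside the table altogether). */
    if (part_ref >= count) return PARSE_BAD_PARTREF;

    /* The extent must fit inside the partition. Sum in 64 bits so a crafted
       offset + length cannot wrap around in 32 bits and pass the comparison. */
    if ((uint64_t)offset + (uint64_t)length > vol->parts[part_ref].count)
        return PARSE_BAD_RANGE;

    vol->ext.part_ref = part_ref;
    vol->ext.offset   = offset;
    vol->ext.length   = length;
    return PARSE_OK;
}

/* Constructed sample images. Two partitions: #0 has 0x40 sectors, #1 has 0x20. */
#define TABLE \
    0x02, 0x00, \
    0x00, 0x01, 0x00, 0x00,  0x40, 0x00, 0x00, 0x00, \
    0x00, 0x02, 0x00, 0x00,  0x20, 0x00, 0x00, 0x00

static const uint8_t sample_ok[]        = { TABLE, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00 };
/* part_ref = 5, but only 2 partitions exist */
static const uint8_t sample_bad_ref[]   = { TABLE, 0x05, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00 };
/* offset 0x18 + length 0x10 = 0x28 > the 0x20 sectors of partition 1 */
static const uint8_t sample_bad_range[] = { TABLE, 0x01, 0x00, 0x18, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00 };
/* offset 0xFFFFFFF0 + length 0x20 would wrap to 0x10 in 32-bit arithmetic */
static const uint8_t sample_wrap[]      = { TABLE, 0x01, 0x00, 0xF0, 0xFF, 0xFF, 0xFF, 0x20, 0x00, 0x00, 0x00 };
/* partition table only; the extent record is missing */
static const uint8_t sample_short[]     = { TABLE };

/* Convenience wrapper: parse into a scratch volume and return only the status. */
int validate(const uint8_t *buf, size_t len)
{
    struct volume v;
    return parse_volume(buf, len, &v);
}

int main(void)
{
    printf("ok=%d bad_ref=%d bad_range=%d wrap=%d short=%d\n",
           validate(sample_ok, sizeof sample_ok),
           validate(sample_bad_ref, sizeof sample_bad_ref),
           validate(sample_bad_range, sizeof sample_bad_range),
           validate(sample_wrap, sizeof sample_wrap),
           validate(sample_short, sizeof sample_short));
    return 0;
}
```

The wrap sample is the one worth studying: with 32-bit arithmetic the offset and length would pass the range comparison, so the length check alone is not enough; both the index check and overflow-safe arithmetic are needed before the extent is used to address anything.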

#2 ScathEnfys (Bleeping Butterfly, Members)

Posted 13 May 2016 - 12:23 PM

UDF and heap overflow... wow. Surprised they didn't sanitize their data properly till just now.
Proud system builder, modder, and watercooler.

GitHub | SoundCloud | Keybase

#3 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 13 May 2016 - 02:59 PM

Malwarebytes Anti-Malware for Windows and for Mac aren't affected by this.

https://forums.malwarebytes.org/topic/183068-malwarebytes-anti-malware-and-the-7-zip-vulnerabilities/

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 rp88 (Members)

Posted 14 May 2016 - 11:33 AM

Could someone explain in a bit more detail what this vulnerability is? I have 7-Zip installed on my system; do I need to update the 7-Zip program? Or is this a problem with the whole 7z archive format? I notice that the news article says "could allow crims to execute remote code". Does this mean that a computer is at risk simply by being connected online and having 7-Zip installed? Or is there only danger if you download a specially crafted 7z format file and then try to open it? Thanks
Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#5 ScathEnfys (Bleeping Butterfly, Members)

Posted 14 May 2016 - 11:47 AM

@rp88

If I understand correctly, it's an issue with 7-Zip's handling of archives. An archive could be crafted to execute code when it is opened by 7-Zip. You should update your copy of 7-Zip and you will be fine.

#6 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 14 May 2016 - 11:47 AM

You need to update your 7-Zip to the latest version (16.00) in order to be protected against these vulnerabilities. Talos worked together with 7-Zip's team to patch them.



#7 Didier Stevens (BC Advisor)

Posted 14 May 2016 - 01:24 PM

AFAIK the vulnerability is not in the handling of the 7-zip archive, but in the handling of UDF and HFS+ files.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.


Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#8 ScathEnfys (Bleeping Butterfly, Members)

Posted 14 May 2016 - 02:20 PM

It's still a file-handling issue.

#9 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 14 May 2016 - 02:30 PM

By the way rp, articles on both CVEs are at the beginning of the linked article.

http://www.talosintel.com/reports/TALOS-2016-0093/
http://www.talosintel.com/reports/TALOS-2016-0094/
