🚨 SECURITY PSA - 7ZIP VULN🚨
Update your 7zip, folks
https://cybersecuritynews.com/7-zip-vulnerability-arbitrary-code/
#cybersecurity #zeroday #7zip #malware #security #it #infosec
Why do I hear specifically about vulnerabilities in compression programs so much more than in other kinds of software?
@[email protected] because it’s specifically software that is about opening and processing arbitrary payloads.
@neatchee it’s a fake proof of concept https://therecord.media/fake-zero-day-7Zip
@neatchee
If you read the write up, it sounds like the 7-Zip maintainers have not released a version yet with a patch. Current release is 24.09… watch for something newer.
@[email protected] CVE indicates 24.08 was the patched version
@neatchee That's good to know. The original report from the group that found it said they were unaware of any patched version being released, but they had not heard from the maintainers yet. I usually check for an update once a month anyway.
@neatchee Thanks for the warning. I make a lot of use of 7-Zip.
Zstandard is used in a lot of things. This could be problematic as a whole.
@[email protected] supply chain attacks are the favorite these days :/
@neatchee Sadly an all too accurate statement.
Luckily the version of 7-Zip with the fix was back in August, so I'm guessing this CVE has been well known across most things. Each of my Linux systems was probably OK by the time I installed the current versions even (let alone updates).
I did need to update the Windows partition though. Haven’t booted it in ages, much less updated 7-Zip…
@neatchee again?!
@[email protected] nah, this is the one from last month, but since 7z doesn’t self-update I figure I’d do my part in getting people to grab the latest version
@arichtman @neatchee No. This was proven to be false. There's a whole conversation about it on Mastodon. https://infosec.exchange/@obivan/113741898038858268
@screaminggoat @arichtman ah interesting. I’ll update the link to point at the actual CVE
@neatchee oh this is the one from last month. My mistake. That one is legit: CVE-2024-11477 (7.8 high)
There was some controversy this morning when someone dropped an alleged zero-day poc exploit.
@screaminggoat heh yeah, that was supposedly utilizing this CVE which is what led me to it.
I would normally hold off on posting something this old but 7z has no self update mechanism so people tend to run old versions :/
@[email protected] In that regard, it's neat when software is available via winget, because that can handle pulling updates for you. "winget upgrade" will also show updates for software that was installed manually, provided it's registered as a Windows application and is in winget's catalog (caveat: the catalog is not necessarily complete or up to date, but the Windows Store can be used as a source for more options).
winget can update everything or just a single application, like you can just do a “winget upgrade 7zip.7zip” to get the newest version that winget knows about.
https://learn.microsoft.com/en-us/windows/package-manager/winget/
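As an added example (not from any poster in this thread), the check-then-upgrade step described above as a PowerShell script: it reads the installed 7-Zip version from the Windows Uninstall registry keys, compares it with 24.08 (the version the thread says the CVE lists as patched), and only then runs the `winget upgrade 7zip.7zip` command quoted above. It assumes 7-Zip was installed with its regular installer (which registers it under those keys) and that winget is on PATH.

```powershell
# Added example, not the thread's own code.
# Minimum patched version as stated in the thread (CVE-2024-11477 -> 24.08).
$MinPatched = [version]'24.08'
$PackageId  = '7zip.7zip'   # winget package id quoted in the thread

# Assumption: 7-Zip's installer registers under one of these Uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '7-Zip*' } |
    Select-Object -First 1

if (-not $installed) {
    Write-Host "7-Zip not found in the Uninstall registry keys; nothing to check."
    return
}

# DisplayVersion looks like "24.09" (or "24.09 beta"); keep only digits and dots
# so it parses as [version] (which needs at least major.minor).
$current = [version]($installed.DisplayVersion -replace '[^\d.]', '')
Write-Host "Installed: 7-Zip $current (minimum patched: $MinPatched)"

if ($current -lt $MinPatched) {
    Write-Host "Older than the patched release; upgrading via winget..."
    winget upgrade --id $PackageId --exact --silent `
        --accept-package-agreements --accept-source-agreements
} else {
    Write-Host "Already at or above the patched version; no action needed."
}
```

Run it in an elevated PowerShell so winget can install the update; the version comparison itself needs no elevation.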
@[email protected] @[email protected] I'm a big Winget proponent (and Chocolatey before that) and have UniGetUI running on all my Windows machines for managing Winget, pip, NuGet, and PowerShell packages/scripts
@[email protected] I did not know about UniGetUI - that looks super useful, thanks!
@neatchee @screaminggoat guilty as charged, so I appreciate you both mentioning the more recent vulnerability. Thanks 🫡
@[email protected] @[email protected] I encourage you to check out UniGetUI as a frontend for Winget, Microsoft's not-very-well-known package manager