CoreTech Blog

CoreTech Blog

CoreTech has been serving the Bowling Green area since 2006, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Alert: Users of 7-Zip Should Immediately Upgrade to the Latest Version

Alert: Users of 7-Zip Should Immediately Upgrade to the Latest Version

One of the latest vulnerabilities in open-source software can be found in 7zip, a file archiver and decompresser. 7zip has been found to have several security vulnerabilities which have software developers rushing to fix their products. The damage done extends far beyond 7zip, reaching both people who use 7zip itself, and developers who have used the technology in the creation of their own tools and software.

There are two vulnerabilities, which were discovered by Cisco’s Security Intelligence and Research Group, Talos. In particular, the security report focuses on the fact that these types of vulnerabilities most drastically affect antivirus software programs and others which host compressed or encrypted files. The real issue that comes from these 7zip vulnerabilities is how widespread the software is used; for example, many companies may be using software which supports 7zip without realizing it.

ZDNet explains in full detail:

  • “The first vulnerability, CVE-2016-2335, is an out-of-bounds security flaw caused by the way 7zip handles Universal Disk Format (UDF) files. When partition maps are scanned to find objects within the file system, there is a lack of proper checking which can cause a read-out-of-bounds problem. If exploited, cyber attackers could use the vulnerability to execute code remotely.”
  • “The second security flaw, CVE-2016-2234, is an exploitable heap overflow vulnerability found within the Archive::NHfs::CHandler::ExtractZlibFile method functionality of 7zip. In the software's HFS+ system, files can be stored in a compressed format using zlib, and depending on the size of the data, this information may be stored in blocks.”

In Simple English: These recently discovered vulnerabilities could be executed by hackers to gain control over your device and data.

Also of note is that this technology should be a reminder of what happens when an open-source software that’s used in many places across the Internet becomes vulnerable. While it’s definitely not as scary as Heartbleed, the vulnerability in OpenSSL that struck in April of 2014 that allowed for the theft of encrypted information, these vulnerabilities in 7zip could have been much worse.

Thanks to the efforts of Talos and the 7zip developers, the vulnerabilities have been patched and are available in the latest version of 7zip, V.16.00. Keep in mind that previous versions are still vulnerable to the aforementioned issues and should be updated as soon as possible. This also goes for any software that your company uses that takes advantage of 7zip.

For more information on the latest security vulnerabilities, as well as information on how to protect your organization from potential threats, reach out to us at (270) 282-4926.

Tip of the Week: Tired of Those Windows 10 Lock Sc...
If You’re Running Older Versions of Internet Explo...
 

Comments

No comments made yet. Be the first to submit a comment
Guest
Already Registered? Login Here
Tuesday, 17 December 2024

Captcha Image

About CoreTech

CoreTech has been serving the Kentucky area since 2006, providing IT Support such as technical helpdesk support, computer support and consulting to small and medium-sized businesses. Our experience has allowed us to build and develop the infrastructure needed to keep our prices affordable and our clients up and running.

get a free quote

Recent News

Last week, we discussed why X—the social media network once known as Twitter—has been losing many users. Here, we wanted to direct those seeking a move to consider the up-and-coming platform known as Bluesky in case you were one of those jumping ship...

Contact Us

1711 Destiny Lane Suite 116
Bowling Green, Kentucky 42104

Mon to Fri 8:00am to 5:00pm

[email protected]

(270) 282-4926


Nashville Managed IT
Louisville and Lexington Managed IT
Bowling Green Managed IT
Clarksville Managed IT