Ramblings of an old Doc


Talos (a Cisco subsidiary) has found a vulnerability in the popular software 7-Zip.

It exists in the code that handles UDF (Universal Disk Format) files, the file system used for DVD video and audio and for other optical disc formats, and it comes down to flawed input validation.

This flaw has been fixed in the 7-Zip v. 16.0 released this month.

Sooo…if you, like many, use 7-Zip, PLEASE UPDATE your software to protect from attacks targeting this vulnerability.

The main problem is that software from Malwarebytes and others (sorry, no list available!) can look inside zip archives, and that capability is built on the 7-Zip library files. So EVERY security program (and every other program using those libraries) making use of 7-Zip libraries will be vulnerable too, and no list of affected programs exists anywhere to help.

“What makes this particularly problematic is that there is no way of finding out whether a program that you are using is making use of 7-Zip functions or not. There is no master list of programs that use 7-Zip for compression functionality, and many developers and companies don't disclose if 7-Zip is being used.” – gHacks

Worse: Security programs run with elevated privileges on your system, so the damage will be more extensive, even if you were logged in as a “guest”, because the exploit will be given the same access as the program using the vulnerable libraries.
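Since the post (and gHacks) notes there is no master list of programs bundling 7-Zip, the practical thing a Windows user or admin can do is inventory the machine for copies of the 7-Zip binaries themselves and check their versions. The script below is an added example, not code from the post or from 7-Zip; it assumes (not stated on the page) that 7-Zip ships its library as 7z.dll (and the 7za.dll / 7zxa.dll variants), that bundling products usually carry one of those files or the 7z.exe / 7za.exe / 7zr.exe tools in their install folder, and that the fixed release is 16.0 as the post states.

```powershell
# Added example (not from the original post): find copies of the 7-Zip library/tools
# on this host and flag any older than the fixed release (16.0 per the post).
# File names and search roots are assumptions, not something the page provides.
$FixedVersion = [version]'16.0'
$Names = '7z.dll', '7za.dll', '7zxa.dll', '7z.exe', '7za.exe', '7zr.exe'
$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA, $env:ProgramData) |
    Where-Object { $_ -and (Test-Path $_) }

$Findings = foreach ($Root in $Roots) {
    Get-ChildItem -Path $Root -Recurse -File -Include $Names -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Prefer ProductVersion; fall back to FileVersion if the resource lacks it.
        $Raw = $_.VersionInfo.ProductVersion
        if (-not $Raw) { $Raw = $_.VersionInfo.FileVersion }
        # Version strings look like "9.20" or "16.00"; keep only the leading numeric part.
        $Parsed = $null
        if ($Raw -and ($Raw -match '^\s*(\d+(\.\d+)+)')) { $Parsed = [version]$Matches[1] }
        [pscustomobject]@{
            Path       = $_.FullName
            Version    = $Raw
            Vulnerable = if ($Parsed) { $Parsed -lt $FixedVersion } else { 'unknown' }
            # The containing folder usually names the product that bundled the library.
            Owner      = $_.Directory.Name
        }
    }
}

$Findings | Sort-Object Vulnerable -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell so Program Files is fully readable, and treat every row marked True (or unknown) as a product to update or ask the vendor about. One caveat matters here: 7-Zip's code is also compiled directly into some products rather than shipped as a separate DLL, so an empty result does not prove a machine is clean; it only catches the bundled-file case, and vendor advisories remain the authoritative source for the rest.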

Incidentally, PeaZip has been fixed, so it can be used safely at this point.

Sorry to be the bearer of mixed news…

Incidentally, this is what the_Monk and I were talking about in the customizing a Mac thread...and the reason why more and more code is getting locked down.

Source:

http://www.ghacks.net/2016/05/13/7zip-vulnerability-affects-security-software/?_m=3n%2e0038%2e1861%2ehj0ao01hy5%2e1xql


Comments
on May 14, 2016

More solid reporting, there, Biff.  Keep up the good work.