Researchers have found serious flaws in 7-Zip, an open-source compression tool that is embedded in many products, including antivirus software and security appliances. 7-Zip is known for its high compression ratio and its ability to handle a large number of archive formats. The vulnerabilities stem from a lack of proper validation of input data when parsing archives.
Craig Young, Cybersecurity Researcher for Tripwire says, “It is important for users to exercise caution when extracting files from untrusted sources using 7-zip. Earlier this year I did my own research on 7-zip and found that the wide range of supported file formats creates a very large attack surface. With less than an hour of fuzzing the 7z extractor late last year, I also found several exploitable memory corruption bugs. The best advice for anyone downloading content and extracting it with 7z is to perform file extractions within an immutable virtual machine.”