- Security researchers warned about a vulnerability in older versions of 7-Zip
- The vulnerability allowed threat actors to bypass the Mark of the Web security feature
- The bug was fixed in late November 2024
A high-severity vulnerability was recently discovered, and patched, in the popular open source file archiver solution 7-Zip. Since the product does not have an automatic update feature, users are advised to upgrade to the newest version manually, as soon as possible.
The vulnerability in question is tracked as CVE-2025-0411. It is described as a Mark of the Web (MotW) bypass, that allows threat actors to execute malicious code on target endpoints that are extracting files from nested archives. It was given a severity score of 7/10 – high.
Mark of the Web is a security feature in Windows that flags files downloaded from the internet as potentially unsafe by adding metadata indicating their origin. This helps prevent malicious scripts or executables from running automatically, prompting users to confirm before opening such files.
Patching the flaw
7-Zip added support for MotW in June 2022, in version 22.00. However, the feature was improperly implemented, and could be bypassed. In a recently released advisory, cybersecurity researchers Trend Micro explain:
“This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file,” the researchers said.
“The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user.”
The bug has since been mitigated, with a version 24.09 being released in late November 2024.
“7-Zip File Manager didn’t propagate Zone.Identifier stream for extracted files from nested archives (if there is open archive inside another open archive),” the project’s developer, Igor Pavlov, explained.
Via BleepingComputer
Leave a comment