
Vulnerability in 7zip opens door to arbitrary code execution


Anonim

A high-risk vulnerability has been found in 7-Zip, a free file archiving and compression tool that is widely used worldwide. The flaw allows arbitrary code execution, which can give an attacker a high level of privileges.

Serious vulnerability in 7zip

This vulnerability in 7-Zip could allow attackers to install programs; view, change and delete data on the system; or create new user accounts with the maximum level of privileges, which would give them full access to the system. The vulnerability has been assigned the identifier CVE-2018-10115. Fortunately, the creator of the application has already released a new version free of the problem.


A vulnerability has been discovered in 7-Zip which could allow arbitrary code to run. The `NArchive::NRar::CHandler::Extract` method in `CPP/7zip/Archive/Rar/RarHandler.cpp` decodes file data using a largely uninitialized state. This state, combined with the lack of address space layout randomization (ASLR) in the main executable files (7zFM.exe, 7zG.exe, 7z.exe), can cause memory corruption leading to arbitrary code execution.

Successful exploitation of this vulnerability could allow arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system may be less affected than those who operate with administrative user rights.

The version free of the problem, numbered 18.05, was released on April 30. All previous versions are vulnerable, so it is highly recommended that you update the program to the latest available version.

Source: Overclock3d
