Wide-ranging 7-zip vulnerability with 8.8 CVE rating allows for code execution — hundreds of millions of machines potentially at risk
Source: www.tomshardware.com
Posted by BrikoX@lemmy.zip (moderator) to Technology@lemmy.zip · 1 day ago · 17 comments
quick_snail@feddit.nl · 17 hours ago
That actually doesn’t seem to be so severe. How many people download some random archive and then, after extracting it, double-click on the files inside it? It says the risk of this vuln is arbitrary code execution from a maliciously crafted archive. After fixing this bug, most 7-Zip users will still be vulnerable to arbitrary code execution due to maliciously crafted archives.

SteleTrovilo@beehaw.org · 14 hours ago
According to the last paragraph, the vulnerability is in reading the archive itself, not the decompressed contents.

Kactus@piefed.world · 2 hours ago
I think what quick_snail is saying is that if you are going to download a malicious zip file, you are just as likely to unzip the archive and run the program inside. It’s a lot easier to just have a malicious payload inside the archive.