🚨 SECURITY PSA - 7ZIP VULN🚨
Update your 7zip, folks
https://cybersecuritynews.com/7-zip-vulnerability-arbitrary-code/
#cybersecurity #zeroday #7zip #malware #security #it #infosec
@neatchee Thanks for the warning. I make a lot of use of 7-Zip.
Zstandard is used in a lot of things. This could be problematic as a whole.
@nazokiyoubinbou@urusai.social supply chain attacks are the favorite these days :/
@neatchee Sadly an all too accurate statement.
Luckily the version of 7-Zip with the fix was back in August, so I’m guessing this CVE has been well known across most things. Each of my Linux systems was probably ok even by the time I installed the current versions (let alone updates).
I did need to update the Windows partition though. Haven’t booted it in ages, much less updated 7-Zip…
@neatchee If you read the write-up, it sounds like the 7-Zip maintainers have not released a version yet with a patch. Current release is 24.09… watch for something newer.
@neatchee it’s a fake proof of concept https://therecord.media/fake-zero-day-7Zip
Why do I hear specifically about vulnerabilities in compression programs so much more than in other kinds of software?
@arichtman @neatchee No. This was proven to be false. There’s a whole conversation about it on Mastodon. https://infosec.exchange/@obivan/113741898038858268
@screaminggoat @arichtman ah interesting. I’ll update the link to point at the actual CVE
@neatchee oh this is the one from last month. My mistake. That one is legit: CVE-2024-11477 (7.8 high)
There was some controversy this morning when someone dropped an alleged zero-day PoC exploit.