CVE-2018-10115 Affects All 7-Zip Versions Prior to 18.05

CVE-2018-10115 is the identifier of the latest security vulnerability discovered in 7-Zip that affects all the versions of the program prior to 18.05.

More about 7-Zip

7-Zip is a free open-source archiver with a high compression ratio. The program is under the License of GNU LGPL & BSD 3-clause and can be used both by home and enterprise users. “You can use 7-Zip on any computer, including a computer in a commercial organization. You don’t need to register or pay for 7-Zip,” its website says.

7-Zip has been around for almost two decades since its initial release in 1999. Its last stable release was on April 30, 2018, which is 7-Zip version 18.05.

More about CVE-2018-10115

Here is the official description of the vulnerability:

Incorrect initialization logic of RAR decoder objects in 7-Zip 18.03 and before can lead to usage of uninitialized memory, allowing remote attackers to cause a denial of service (segmentation fault) or execute arbitrary code via a crafted RAR archive.

As just mentioned, successful exploitation of this vulnerability could allow attackers to perform arbitrary code execution on vulnerable systems. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights, CIS researchers said.

Note that if you have configured to have fewer user rights on the system, you may be less impacted than those who operate with admin user rights.

The worst part is that CVE-2018-10115 affects all the versions of 7-Zip prior to its latest stable release, 18.05.

Who is at risk? Large and small government entities are at high of exploitation, as well as small, medium and large businesses, and home users.

Fortunately, researchers (Read more...)

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum authored by Milena Dimitrova. Read the original post at: