Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Showing posts with label Archive. Show all posts

Critical 7-Zip Vulnerability Exposes Millions of Systems to Potential Malware Attacks

 

A fresh disclosure highlights a security weakness in the popular 7-Zip tool, stirring unease within cyber defense circles due to its potential misuse for spreading harmful software. Though limited to outdated builds of this open compression program, the flaw might let hackers run unauthorized scripts when someone opens manipulated archive files. Because user interaction triggers the problem, deception becomes part of the attack path - simply opening a corrupted file may be enough. 

While patches exist for current releases, unpatched systems remain exposed through seemingly harmless data containers. Since many rely on legacy installations unknowingly, risk lingers across personal and business setups alike. Earlier this year, researchers uncovered a weakness labeled CVE-2026-48095, also tracked under GHSL-2026-140. This problem lies in how 7-Zip handles NTFS volume images. 

Instead of managing memory safely, it allows excess data to spill past set limits - a behavior known as heap-based buffer overflow. Because memory gets corrupted during file processing, attackers might exploit this to run unauthorized code. Experts warn such flaws carry high risk due to their potential for system takeover. Though details remain limited, the core danger stems from improper boundary checks during archive extraction. Opening an archive with a specially designed NTFS image file sets off the exploit, studies show. 

When handling such files, certain editions of 7-Zip fail to compute buffer sizes correctly - evidence points to flawed logic during parsing. As a consequence, allocated memory falls short, leading software to overwrite nearby regions by mistake. Such instability opens paths where malicious inputs might run unchecked or force sudden halts in operation. Back in April, someone alerted the 7-Zip developers about the issue without going public. After that report came through, the team put out version 26.01 - fixing the weakness and shutting down the danger it posed. 

Not long afterward, they shared an official notice with everyone; included was a working Python example showing exactly what attackers might do on outdated versions. One way this flaw plays out depends heavily on what kind of setup it's found in, along with how much computing power sits nearby. Sometimes attackers might run their own programs from afar; other times they simply knock apps offline or freeze them completely. 

Even when effects differ, moving to the newest 7-Zip build is seen as essential - no workarounds exist once a version falls inside the risk zone. What makes the situation more serious is how common 7-Zip has become. With hundreds of millions of downloads, it runs on many Windows and Linux machines. 

Because so much automation depends on its built-in tools, companies often embed its compression features into larger programs. One reason 7-Zip poses risk is how common it has become - flaws could reach millions. When updates lag, experts say, those gaps catch hackers’ attention. Old setups might open doors without warning, especially if archives appear safe at first glance.

PyPI's New Archival Feature Addresses a Major Security Flaw

 

The Python Package Index (PyPI) has informed users that no modifications are expected with the launch of "Project Archival," a new method that enables publishers to archive their projects. To assist users in making informed decisions regarding their dependencies, users will still be able to download the projects from PyPI, but they will be alerted of the maintenance status. 

The new tool aims to strengthen supply-chain security, as hacking developer accounts and sending malicious updates to widely used but abandoned projects is a typical occurrence in the open-source community. In addition to minimising user risk, it lowers support requests by guaranteeing clear communication of the project's lifecycle state. 

Project archiving modus operandi 

According to a detailed blog post by TrailofBits, the developer of PyPI's new project archival system, the feature includes a maintainer-controlled status that enables project owners to declare their projects as archived, informing users that there will be no more updates, patches, or maintenance. 

Although it is not mandatory, PyPI advises maintainers to publish a final version prior to project archiving in order to provide information and justifications for the decision. If the maintainers decide to pick up where they left off, they can unarchive their project whenever they like. 

Under the hood, the new system employs a LifecycleStatus model, which was initially designed for project quarantine and includes a state machine that allows for modifications between different states. 

When the project owner selects the 'Archive Project' option on the PyPI settings page, the platform automatically updates the metadata to reflect the new state. According to TrailofBits, there are plans to add other project statuses such as 'deprecated,' 'feature-complete,' and 'unmaintained,' giving users a better understanding of the project's status. 

The purpose of the warning banner is to alert developers to the need of identifying actively maintained alternative dependencies rather than sticking with out-of-date and potentially insecure projects. In addition, cybercriminals frequently target abandoned packages, taking over unmaintained projects and injecting malicious code via an update that may arrive many years after the last one. 

When deciding to halt work, maintainers sometimes decide to delete their projects, which might result in situations like "Revival Hijack" attacks. From a security standpoint, it is more preferable to provide those maintainers the option to archive. 

Ultimately, a lot of open-source projects are abruptly discontinued, leaving consumers to wonder if they are still being maintained. The new system eliminates uncertainty and gives a clear indication of a project's state, which should increase transparency in open-source project management.