Last week, Talos discovered multiple vulnerabilities in 7-Zip, a popular, open source file archiver. The vulnerabilities are particularly severe as many products, including antivirus software, implement 7-Zip in their software. When vulnerabilities are found, it is the responsibility of software owners to patch them. However, these patches are useless, unless users update their software.

Avast is not affected by these vulnerabilities, but if you are a non-Avast user we recommend you update your antivirus software, if you haven’t done so already.

About the vulnerabilities

The two vulnerabilities found are CVE-2016-2335 and CVE-2016-2334. The first vulnerability is an out-of-bounds read vulnerability, which exists due to how 7-Zip handles Universal Disk Format (UDF) files and could allow attackers to remotely execute code.

The second vulnerability is an exploitable heap overflow vulnerability, found in the Archive::NHfs::CHandler::ExtractZlibFile method functionality. In the HFS+ file system, files, depending on their size, can be split into blocks. There is no check to see if the size of the block is bigger than size of the buffer, which can result in a malformed block size which exceeds the buffer size. This will cause a buffer overflow and heap corruption.

What you should do

As mentioned above, it is up to software publishers to provide their users with vulnerability fixes, but these are futile if users don’t take action and update their software. It is vital that you frequently update all software, including your operating system, on a regular basis.

Update Windows

The “Updates are available” Windows pop-ups may sometimes seem annoying, but they are important. You should update Windows with each available update. You can check which updates are available in Windows 10, by clicking on the Microsoft start button -> Settings -> Windows Update. (See here for Windows Vista, Windows 7, and Windows 8.1).

Updating all other software

An easy way to update all other software on your PC is by using Avast Software Updater, which is integrated in all Avast PC products for free.

To check for updates, open Avast -> click on “Scan” -> then on “Scan for outdated software” and then click on “Update”. If you have Avast Premier, you can activate automatic updates.

According to the National Vulnerability Database, there have been 394 vulnerabilities matched thus far this month. Each day new vulnerabilities are being discovered and while not all of these may affect your device, attackers do favor exploiting vulnerabilities that allow them to target the most devices possible. Protect yourself by frequently updating your software.