But it’s critical to make sure that patching is comprehensive, because sometimes even “small” or noncritical applications can present big vulnerabilities if they get out of date.
A recent attack that exploited a commonly used compression tool illustrates exactly how dangerous missed patching of third-party applications can be.
The vulnerability was identified and likely exploited by Russian actors against the Ukrainian government in a cyberespionage attack. It has since been identified and patched, but unpatched installations leave IT departments worldwide exposed.
All IT departments should prevent third-party applications from being installed on company machines whenever possible, and when the software is required, make sure updates are installed promptly to prevent attacks.
This particular exploit affects installations of 7-Zip, the popular software used for creating zip archives and extracting files from compressed archives. The software is open source, free to use, and commonly installed.
After the Trend Micro Zero Day Initiative (ZDI) Threat Hunting team identified the problem, 7-Zip released patch version 24.09 on November 30, 2024, to address the exposure.
To understand how this exploit occurred, let’s discuss a common Windows security feature: Mark-of-the-Web (MoTW). Windows uses MoTW to identify files that came from an untrusted source. The feature marks a file as originating from an untrusted zone (the internet) so that extra security checks, such as those performed by Microsoft Defender SmartScreen, are applied when the file is opened.
If you have ever opened a file in Microsoft Excel with the “Protected View” status, you are using the MoTW functionality.
The MoTW security feature is an essential part of Windows security and helps make sure that users are protected from threats like malicious macros.
Bad actors bypass the MoTW controls by encapsulating an archive file inside another archive file; in the vulnerable versions, the mark on the outer archive was not carried over to files extracted from the inner one. The Ukrainian attack involved an email attachment with a “double” encapsulated archive file along with a hidden look-alike character in a domain name to trick users into thinking they were on a safe domain. For example, the Cyrillic letter Es looks like the Latin letter “c” and can be substituted into a .com domain to fool an unsuspecting site visitor. The average web user doesn’t notice the unusual character and may believe they are on a valid website.
This attack led to compromised email accounts, malware infection, and full system compromise.
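The following PowerShell audit script is an added example and is not from the article or the 7-Zip project. It checks the installed 7-Zip build against the 24.09 release named above and reports which files unpacked from a downloaded archive lack the Mark-of-the-Web (stored on NTFS as the `Zone.Identifier` alternate data stream), optionally re-applying the mark. It assumes Windows with PowerShell 5 or later, an NTFS volume, 7-Zip at its default install path, and a hypothetical folder passed as `-ExtractedFolder`.

```powershell
# Added example, not from the article or the 7-Zip project: audit files that
# were unpacked from a downloaded archive and report any that lost the
# Mark-of-the-Web, then check the installed 7-Zip against the fixed 24.09 build.
# Assumptions: Windows with PowerShell 5+, NTFS volume, 7-Zip at its default path.
param(
    [Parameter(Mandatory = $true)]
    [string]$ExtractedFolder,     # hypothetical: folder the archive was unpacked into
    [switch]$Restamp              # re-apply the mark to files that lack it
)

$FixedVersion = [version]'24.09'  # first 7-Zip release with the fix (per the article)
$SevenZip     = Join-Path $env:ProgramFiles '7-Zip\7z.exe'

# 1. Is the installed 7-Zip older than the patched release?
if (Test-Path $SevenZip) {
    $installed = (Get-Item $SevenZip).VersionInfo.FileVersionRaw
    if ($installed -lt $FixedVersion) {
        Write-Warning "7-Zip $installed is older than $FixedVersion; update it."
    } else {
        Write-Host "7-Zip $installed is at or above the patched version."
    }
} else {
    Write-Warning "7z.exe not found at $SevenZip; check for portable or per-user copies."
}

# 2. MoTW lives in the NTFS alternate data stream 'Zone.Identifier' (ZoneId=3 is
#    the Internet zone). Files unpacked from a nested archive by a vulnerable
#    7-Zip lack this stream, so SmartScreen and Protected View never engage.
$report = Get-ChildItem -Path $ExtractedFolder -File -Recurse | ForEach-Object {
    $zone      = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $marked    = [bool]($zone | Where-Object { $_ -match '^ZoneId=3' })
    $restamped = $false
    if (-not $marked -and $Restamp) {
        # Restore the mark so the normal download checks apply when the file is opened.
        Set-Content -Path $_.FullName -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
        $restamped = $true
    }
    [pscustomobject]@{ File = $_.FullName; MarkOfTheWeb = $marked; Restamped = $restamped }
}

$report | Format-Table -AutoSize
$unmarked = @($report | Where-Object { -not $_.MarkOfTheWeb }).Count
Write-Host "$unmarked file(s) were missing the Mark-of-the-Web under $ExtractedFolder"
```

Run it against the folder an email attachment was extracted into; any file reported without the mark is one that would have skipped SmartScreen checks.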
IT departments become the first line of defense against potential issues, and the following steps will help reduce the risk of exploits:
Feel free to contact RubinBrown’s Cyber Security Services team if you have any questions about this vulnerability or need assistance with testing your environment. Our teams regularly assist clients with assessing their security levels, performing penetration tests, and performing Cyber Security Health Checks.
Published: 02/18/2025