A critical flaw in the 7-Zip compression tool has been fixed, addressing a vulnerability that allowed attackers to bypass the Windows Mark of the Web (MotW) security feature, posing significant risks to users. This issue permitted malicious code execution from files extracted through nested archives.

MotW Support and Risks

Since version 22.00 in June 2022, 7-Zip has included MotW support, automatically applying 'Zone.Identifier' alternate data streams to files unpacked from downloaded archives. These markers alert the operating system and applications that the files may originate from a potentially unsafe source, prompting security warnings. Such warnings help users avoid inadvertently opening hazardous files that could lead to malware installation. Programs like Microsoft Office will open these files in Protected View, restricting editing and disabling macros.
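The marker described above is ordinary NTFS metadata that an administrator can inspect. The following PowerShell audit is an added example, not code from 7-Zip, Trend Micro or the article; it walks an extraction directory (the path shown is an assumed placeholder), reports which files carry a Zone.Identifier stream and which zone they claim, so files that lost their marker, for instance after extraction from a nested archive, can be spotted before anyone opens them.

```powershell
# Audit extracted files for the Mark of the Web (Zone.Identifier ADS).
# Example code; the directory and file names below are assumed placeholders.
function Get-MotwStatus {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $file   = $_
        $zoneId = $null
        # Get-Item -Stream returns nothing (no error) when the file has no such stream.
        $stream = Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        if ($stream) {
            # The stream is INI-style text; ZoneId=3 means the Internet zone.
            $content = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier'
            foreach ($line in $content) {
                if ($line -match '^ZoneId=(\d+)') { $zoneId = [int] $Matches[1]; break }
            }
        }
        [pscustomobject]@{
            File    = $file.FullName
            HasMotw = ($null -ne $stream)
            ZoneId  = $zoneId
        }
    }
}

# Report unmarked files of types that Windows would normally gate on MotW.
$extractDir = 'C:\Users\Public\Downloads\extracted'   # assumed placeholder path
Get-MotwStatus -Path $extractDir |
    Where-Object { -not $_.HasMotw -and $_.File -match '\.(exe|dll|ps1|bat|cmd|js|vbs|lnk|scr)$' } |
    Format-Table -AutoSize
```

Run it on an NTFS volume; on FAT or exFAT media alternate data streams do not exist, so every file reports HasMotw as false regardless of how it was downloaded.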

Details of the Vulnerability

Trend Micro highlighted a vulnerability identified as CVE-2025-0411, which allowed bad actors to evade these security measures with crafted archives. The flaw enabled an unauthorized removal of the MotW tags during extraction, facilitating arbitrary code execution without proper alerts. Exploiting this required user interaction, such as visiting a malicious webpage or opening a harmful file.

Updates and Recommendations

Developer Igor Pavlov released a fix on November 30, 2024, with the rollout of 7-Zip version 24.09, addressing this critical security issue. Due to the absence of an automatic update feature, many users may still be running older, vulnerable versions of the software. As these types of vulnerabilities are frequently targeted in malware campaigns, it is imperative for all 7-Zip users to update their software immediately to safeguard against potential exploits.

Historical Context of MotW Exploits

The issue isn't isolated; similar vulnerabilities have been used in real-world attacks. Microsoft previously resolved another MotW security bypass in June (CVE-2024-38213), exploited by DarkGate malware operators. Another attack vector, CVE-2024-21412, has been used by the Water Hydra group to deploy the DarkMe remote access trojan via trading and financial platforms. Keeping software updated not only enhances security but is vital in protecting against these persistent threats.
