7-Zip users need to take action right now to address a serious security flaw
If you are a 7-Zip user, you need to be aware of a serious Mark-of-the-Web bypass vulnerability. The security hole is not new, having been reported way back in October 2024, but details have only just been released about it, and a fix has only just been produced.
Unlike many security fixes, however, 7-Zip users will need to be proactive in securing their software. Here’s what you need to know.
As is frequently the case with security flaws in software, the issue with 7-Zip has been addressed before details of the exploit were made public. This attempt to reduce the impact of the flaw means that a fix was actually produced back in November 2024 by the developer of the archiving software.
So, what’s the deal with users of 7-Zip needing to take action now? There are two reasons. The first is that details of the security issue (tracked as CVE-2025-0411) are now widely available because of a “coordinated public release of advisory”. The second is that while a fix has been available for a good while now, 7-Zip does not include an automatic update feature. This means that anyone who has downloaded and installed the software since November is using a secure version, but anything older is vulnerable.
Details of the vulnerability have been published in an advisory notice:
This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user.
The good news is that the issue was fixed in 7-Zip version 24.09 -- so just make sure you are up to date by downloading the latest version here.
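Because 7-Zip will not update itself, the following PowerShell script (an added example, not code from the article or the 7-Zip project) inventories installed copies and flags any older than 24.09, and lists files in an extraction folder that carry no Mark-of-the-Web. The function names are hypothetical; it assumes 7-Zip was installed with its regular installer, so that it appears under the standard Windows uninstall registry keys, and that the folder being checked is on NTFS, where the mark is stored in the `Zone.Identifier` alternate data stream.

```powershell
# Added example: audit a Windows host for 7-Zip builds older than the fixed release.
$FixedVersion = [version]'24.09'   # fixed release named in the article

function Get-SevenZipInstall {
    # Standard per-machine (64/32-bit) and per-user uninstall registry locations.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '7-Zip*' } |
        ForEach-Object {
            # DisplayVersion may carry a suffix such as "beta"; keep only major.minor.
            $parsed = $null
            if ("$($_.DisplayVersion)" -match '(\d+)\.(\d+)') {
                $parsed = [version]"$($Matches[1]).$($Matches[2])"
            }
            [pscustomobject]@{
                Name       = $_.DisplayName
                Version    = $_.DisplayVersion
                Location   = $_.InstallLocation
                # $null means the version string could not be parsed; review by hand.
                Vulnerable = if ($parsed) { $parsed -lt $FixedVersion } else { $null }
            }
        }
}

function Get-FileWithoutMotW {
    # Lists files under $Path that have no Zone.Identifier stream. Files that were
    # never downloaded also have none, so treat the output as a review list.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse |
        Where-Object {
            -not (Get-Item -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue)
        } |
        Select-Object -ExpandProperty FullName
}

# Report every registered 7-Zip install and whether it predates the fix.
Get-SevenZipInstall | Format-Table -AutoSize

# Example call (constructed path): check a folder extracted from a downloaded archive.
# Get-FileWithoutMotW -Path "$env:USERPROFILE\Downloads\extracted"
```

Copies of 7-Zip that were unpacked by hand rather than installed do not register an uninstall entry and will not appear in this report.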