A high-risk vulnerability has been found in 7zip, a free tool for archiving and compressing files that are widely used around the world. It is a vulnerability that allows the execution of arbitrary code, to obtain a high level of privileges.
A vulnerability in 7zip opens the door to arbitrary code execution
This vulnerability in 7zip could allow attackers to install programs, view, change and delete data on the system or create new user accounts with a maximum level of privileges, giving them full access to the system. This exploit has been named CVE-2018-10115. Fortunately, the creator of the application has already published a new free version of the problem.
A vulnerability has been discovered in 7-Zip, which could allow arbitrary code execution. The NArchive method :: NRar :: CHandler :: Extract into CPP / 7zip / Archive / Rar / RarHandler.cpp does the decoding of file data using a largely uninitialized state. This state together with the lack of address space design randomness (ASLR) in the main executable files (7zFM.exe, 7zG.exe, 7z.exe, 7z.exe) can cause memory damage leading to arbitrary code execution.
Successful exploitation of this vulnerability could allow arbitrary code to be executed. Depending on the privileges associated with the user, an attacker may then install programs; view, change or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights in the system may be less affected than those who operate with user administrative rights.
This free version of the problem was released on April 30th and is numbered 18.05, all of the above are vulnerable, so it is highly recommended that you upgrade to the latest version available.