Urgent Update: High-Risk Vulnerability in 7-Zip Allows Malware Propagation by Bypassing Windows MoTW
Urgent Update: High-Risk Vulnerability in 7-Zip Allows Malware Propagation by Bypassing Windows MoTW
- Why Enterprise RAID Rebuilding Succeeds Where Consumer Arrays Fail?
- Linus Torvalds Rejects MMC Subsystem Updates for Linux 7.0: “Complete Garbage”
- The Man Who Maintained Sudo for 30 Years Now Struggles to Fund the Work That Powers Millions of Servers
- How Close Are Quantum Computers to Breaking RSA-2048?
- Why Windows 10 Users Are Flocking to Zorin OS 18 Instead of Linux Mint?
- How to Prevent Ransomware Infection Risks?
- What is the best alternative to Microsoft Office?
Urgent Update: High-Risk Vulnerability in 7-Zip Allows Malware Propagation by Bypassing Windows MoTW
A critical vulnerability (CVE-2025-0411) has been discovered in the widely used compression tool 7-Zip, enabling attackers to bypass the Mark of the Web (MoTW) security feature in Microsoft Windows 10 and 11.
Users are strongly advised to upgrade to version 24.09, released on November 30, 2024, to address this issue, according to a January 21 report by BleepingComputer.
Details of the Vulnerability
The vulnerability permits attackers to bypass Windows’ MoTW—a security measure designed to flag files originating from untrusted sources—allowing malicious code execution during the extraction of nested compressed files.
Since version 22.00 (released June 22, 2022), 7-Zip has supported MoTW by adding a special “Zone.Identifier” alternate data stream to all files extracted from downloaded archives. This marker alerts the operating system, browsers, and other applications that the files might be untrustworthy, triggering security warnings or restricted functionality.
For instance:
- Attempting to execute a file with the MoTW marker prompts users with a security alert.
- Microsoft Office applications open flagged documents in “Protected View,” disabling macros and other potentially dangerous features.
The flaw lies in 7-Zip’s handling of MoTW-tagged archives. It fails to propagate the MoTW marker to extracted files, leaving them unprotected. As a result, attackers can exploit this oversight by crafting malicious archives that execute arbitrary code when extracted with vulnerable versions of 7-Zip.
Exploitation Risk and Attack Vectors
Reports from Trend Micro emphasize that exploiting this vulnerability requires user interaction, such as visiting a malicious webpage or opening a specially crafted file. An attacker could distribute a compressed archive with nested malicious files pre-tagged with MoTW.
When users extract these files using an affected version of 7-Zip, the MoTW marker is improperly handled, allowing malware to evade security warnings and execute directly.
Mitigation Steps
7-Zip developer Igor Pavlov addressed the vulnerability in version 24.09, released on November 30, 2024. However, 7-Zip does not feature an automatic update mechanism, leaving users of older versions at significant risk. Immediate manual upgrades are crucial to avoid potential exploitation.
Download the patched version here: 7-Zip official website.
Historical Context and Implications
Similar vulnerabilities have been exploited in the past by cybercriminal groups like DarkGate and Water Hydra to propagate malware. This latest flaw underscores the persistent risk associated with unpatched software and the growing importance of maintaining up-to-date security protocols.
Recommendations
- Upgrade to 7-Zip version 24.09 immediately.
- Avoid extracting files from unknown or untrusted archives.
- Enable strict security measures for handling downloaded content, including robust antivirus solutions and sandboxed environments.
By addressing this vulnerability promptly, users can protect themselves from potential exploitation and avoid falling victim to malicious attacks.
