Pierluigi Paganini
January 22, 2025
Attackers can exploit a vulnerability, tracked as CVE-2025-0411, in the free, open-source file archiver software 7-Zip to bypass the Mark of the Web (MotW) Windows security feature.
Mark of the Web (MotW) is a security feature in Microsoft Windows that identifies files downloaded from untrusted sources, such as the internet. It helps mitigate security risks by flagging these files for restricted execution.
Threat actors can trigger the issue to execute arbitrary code on users’ computers when extracting specially crafted malicious files from nested archives or visiting a malicious page.
The flaw exists is related to the handling of archived files. 7-Zip fails to propagate the Mark of the Web when extracting files, allowing attackers to execute arbitrary code in the user’s context.
“This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.” reads the advisory published by ZDI. “The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user.”
Peter Girnus reported the flaw through the Trend Micro Zero Day Initiative.
The vulnerability was addressed with the version 24.09.
“The bug was fixed: 7-Zip File Manager didn’t propagate Zone.Identifier stream for extracted files from nested archives (if there is open archive inside another open archive).” reads the change notes for version 24.09.
The 7-Zip users should install the latest version as soon as possible.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, MotW)
