Security researchers at Cisco Talos have warned users to patch the widely-used file compression library libarchive, after they discovered three severe vulnerabilities.
The discovery comes after Cisco’s security research team last month discovered a vulnerability in 7-Zip, an open source compression tool used by many companies to shrink their software and files.
“Libarchive is an open-source library that provides access to a variety of different file archive formats, and it’s used just about everywhere,” the security researcers blogged.
“Cisco Talos has recently worked with the maintainers of libarchive to patch three rather severe bugs in the library. Because of the number of products that include libarchive in their handling of compressed files, Talos urges all users to patch/upgrade related, vulnerable software.”
The second flaw concerns flawed code which could allow an attacker to trigger an overflow of the buffer. The third flaw concerns libarchive RAR restartmodel, which has a heap overflow vulnerabilty.
“Writing secure code can be difficult,” blogged the researchers. “The root cause of these libarchive vulnerabilities is a failure to properly validate input – data being read from a compressed file. Sadly, these types of programming errors occur over, and over again.”
“When vulnerabilities are discovered in a piece of software such as libarchive, many third-party programs that rely on, and bundle libarchive are affected,” they wrote. “These are what are known as common mode failures, which enable attackers to use a single attack to compromise many different programs/systems. Users are encouraged to patch all relevant programs as quickly as possible.”
The discovery of more flaws in commonly used compression software should help bolster Cisco’s visibility as a security specialist. The company recently said it has the “largest security business on the planet”, with 5,000 staff and $2 billion in revenue.
Last October Cisco closed down a highly profitable ransomware operation. That criminal gang were using the notorious Angler Exploit Kit to generate an estimated $60 million (£39m) annually by delivering ransomware to unsuspecting people browsing the Internet.
But not all firms are happy when Cisco’s researchers identify problems with their software.
Earlier this year French software firm Tuto4PC hit back at Cisco for labelling it a “shady malware distribution enterprise,” and said it was seeking legal advice.
Cisco Talos had accused Tuto4PC of sneaking unwanted programs, which exhibit malware-like behaviour, onto 12 million computers.
How much do you know about hackers and viruses? Take our quiz!
Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…
Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…
Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…
Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…
Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…
Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…