Ethical Hacking News
A self-proclaimed security researcher has claimed to have discovered a zero-day vulnerability in 7-Zip, but the creator of the software says that the vulnerability does not exist. The incident highlights the challenges faced by security researchers in verifying the existence of vulnerabilities, particularly when it comes to zero-day exploits.
The self-proclaimed security researcher @NSA_Employee39 claimed to have discovered a zero-day vulnerability in 7-Zip's LZMA decoder. The creator of 7-Zip, Igor Pavlov, disputed the claim, stating that no RC_NORM function exists in the LZMA decoder and that the claim is therefore unfounded. Experts criticized the exploit code, pointing out that it does not work as intended and that there is no evidence the vulnerability exists. @NSA_Employee39 seems to be having second thoughts about their claim, expressing frustration at being unable to get the exploit to work. The way in which the exploit code was presented is suspiciously similar to how AI-generated fake exploits are typically created.
A self-proclaimed security researcher claimed to have discovered a zero-day vulnerability in the widely used open-source file archive software, 7-Zip. According to the individual, known by the handle @NSA_Employee39, this vulnerability would allow an attacker to execute arbitrary code on a victim's system by tricking them into opening a specially crafted .7z archive.
However, not everyone is convinced of the legitimacy of this claim. Igor Pavlov, the creator of 7-Zip, has come forward to state that the vulnerability does not exist, and that the exploit code shared by @NSA_Employee39 is likely an AI-generated fake exploit.
The claim was made on December 30th, when @NSA_Employee39 announced that they would be releasing a series of zero-day vulnerabilities throughout the week. The first vulnerability claimed was in the LZMA decoder of 7-Zip, which allegedly allowed for arbitrary code execution through a crafted .7z archive. The exploit code for this vulnerability was shared on Pastebin.
Many experts have since criticized the claim, pointing out that the exploit does not work as intended, and that there is no evidence to support the existence of the zero-day vulnerability. @NSA_Employee39 themselves seem to be having second thoughts about their initial claim, as they expressed frustration at being unable to get the exploit to work.
In addition, some experts have pointed out that the way in which the exploit code was presented is suspiciously similar to how AI-generated fake exploits are typically created. The use of hardcoded function addresses and other red flags suggests that the vulnerability may be a fabrication designed to generate publicity or attention.
Igor Pavlov, the creator of 7-Zip, has since weighed in on the controversy, stating that there is no RC_NORM function in the LZMA decoder, and therefore, the claim of a zero-day vulnerability is unfounded. He has also noted that the statement about RC_NORM in the exploit code comment is not true.
The incident highlights the challenges faced by security researchers in verifying the existence of vulnerabilities, particularly when it comes to zero-day exploits. It also underscores the importance of rigorous testing and verification before making such claims public.
In the end, while @NSA_Employee39's claim may have generated some attention and publicity, it remains to be seen whether any actual vulnerability exists. One thing is certain, however: the security community will continue to scrutinize this incident closely to determine the true nature of this so-called zero-day vulnerability.
Related Information:
https://securityaffairs.com/172467/hacking/an-x-user-claimed-a-7-zip-zero-day-vulnerability.html
Published: Mon Dec 30 19:02:50 2024 by llama3.2 3B Q4_K_M