Reminder: 7-Zip & MoW

    Published: 2025-02-10. Last Updated: 2025-02-10 07:27:53 UTC
    by Didier Stevens (Version: 1)

    CVE-2025-0411 is a vulnerability in 7-Zip that has been reported to be exploited in recent attacks. The problem is that Mark-of-Web (MoW) isn't propagated correctly: when extracted, a file inside a ZIP file inside another ZIP file will not have the MoW propagated from the outer ZIP file.

    That's good to know, but what I personally consider more important to know is that MoW isn't propagated at all by 7-Zip in its default configuration.

    I wrote about this a couple years ago in diary entry "7-Zip & MoW", when this new feature was introduced.

    You have to enable MoW propagation in the GUI or via the registry. And that is still the case with the latest versions of 7-Zip.

    Didier Stevens
    Senior handler
    blog.DidierStevens.com
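
One way to check on a Windows host whether an extraction actually propagated the MoW, as an added example that is not part of the original diary entry. It assumes NTFS, where the MoW is stored in the `Zone.Identifier` alternate data stream; the parameter names `ArchivePath` and `ExtractDir` and the helper `Get-ZoneId` are hypothetical.

```powershell
# Added example: report which extracted files inherited the archive's MoW.
# -ArchivePath: the downloaded archive; -ExtractDir: where it was extracted.
param(
    [Parameter(Mandatory)] [string] $ArchivePath,
    [Parameter(Mandatory)] [string] $ExtractDir
)

function Get-ZoneId {
    param([string] $Path)
    # The MoW is the NTFS alternate data stream "Zone.Identifier".
    # A missing stream raises a non-terminating error, which is suppressed here.
    $stream = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    # Stream content is INI-style: "[ZoneTransfer]" followed by "ZoneId=<n>".
    $match = $stream | Select-String -Pattern '^ZoneId=(\d+)' | Select-Object -First 1
    if ($match) { return [int]$match.Matches[0].Groups[1].Value }
    return $null
}

$archiveZone = Get-ZoneId -Path $ArchivePath
if ($null -eq $archiveZone) {
    Write-Output "Archive carries no MoW; there is nothing to propagate."
    return
}

# Walk everything under the extraction directory, including files that came
# out of nested archives, and list files without a MoW first.
Get-ChildItem -LiteralPath $ExtractDir -Recurse -File | ForEach-Object {
    $zone = Get-ZoneId -Path $_.FullName
    [pscustomobject]@{
        File        = $_.FullName
        ArchiveZone = $archiveZone
        FileZone    = $zone
        Propagated  = ($null -ne $zone)
    }
} | Sort-Object Propagated
```

Rows with `Propagated` set to `False` are files that lost the MoW during extraction, which is the expected result for every file when propagation has not been enabled.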
