Hi,

Both cases...

1) If you use 7-zip for extracting, than customer can extract file from infected archive file (save to app folder, run standard operation for import data from archive file)
2) Troyan find old dll with bug and use it.

MartinaJ

>I was wondering what it means to have a security exploit in a library that is used by our application.
>
>For instance we are using 7-zip for compression in our application (for instance to create backup files), which we install through our setup program in a folder together with our application. We don't actually install 7-zip application, but just copy the libraries that are then used by our application.
>
>As an example, there were security updates for 7-zip in the past because of vulnerabilities (https://www.groovypost.com/news/serious-security-exploits-found-in-7-zip-update-available/)
>
>What would that mean for our application, if we won't update the 7-zip libraries on time, how would an attacker be able to take advantage of those libraries to exist in our application folder? I am not sure if the fact that these libraries are only used from our application don't pose a security risk, because they are actually not used directly by the user, or does the simple fact of their existance already give an attacker the possibility to exploit those vulnerabilities?