- Twitter User Posts Alleged Zero-Day Exploit for 7-Zip Software
- However, 7-Zip’s creator quickly debunks the flaw
- Igor Pavlov says AI hallucinations are to blame and the defect is not legitimate
As a New Year’s gift, a Twitter user had posted details of a zero-day exploit in the popular file compression software 7-Zip, but its creator, Igor Pavlov, quickly debunked it as an AI hoax.
“The common conclusion is that this fake Twitter exploit code was generated by LLM(AI),” he began in comments on the Sourceforge.net software repository (via Tom Hardware).
Pavlov went on to suggest that the exploit code is essentially the product of an LLM hallucination: an AI that invents things, which has become commonplace with the rise in popularity of AI.
7-Zip Exploit Code Hallucination
“The comment in the “fake” code contains the following statement: ‘This exploit targets a vulnerability in the LZMA decoder of 7-Zip software. It uses a crafted .7z file with a malformed LZMA stream to trigger a file overflow condition. buffer in the Function RC_NORM.'”
“But there is no RC_NORM function in [the] LZMA decoder. Instead, 7-Zip contains the RC_NORM macro in the LZMA encoder and PPMD decoder. Therefore, the LZMA decoding code does not call RC_NORM. And the claim about RC_NORM in the exploit comment is not true.”
We have no reason not to believe that what Pavlov says is true: 7-Zip is open source, for starters, so anyone can verify his claims.
And while we’re not going to name the Twitter user responsible for spreading the rumor, nor link to the tweet, we would say that it sounds like a cowardly attempt to get attention on the Internet – inconceivable, we know – given that the user claims to be doing a week-long 0-day software presentation as a “thank you to all the new followers.”
It sounds like the stormiest cup of tea you could imagine, but maybe you’ll hear from us again in a week.
