Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Longstanding Security Vulnerability Found in LZO Compression Algorithm

A serious security hole that has been plaguing the Lempel-Ziv-Oberhumer (LZO) algorithm for the past 20 years has been finally patched.

A serious security hole that has been plaguing the Lempel-Ziv-Oberhumer (LZO) algorithm for the past 20 years has been finally patched.

The LZO algorithm was created in 1994 by Markus Oberhumer, whose core open source implementation has been rewritten by numerous companies. LZO has been used for compression and decompression in various software applications, including OpenVPN, MPlayer2, Libav, FFmpeg, the Linux kernel, Android, iOS and even in the embedded systems that power NASA’s Mars Curiosity Rover.

The details of the vulnerability were disclosed on Thursday by Don A. Bailey, founder and CEO of Lab Mouse Security, who explained that all implementations, including the recent LZ4 which is used in Solaris and FreeBSD, inherited a “subtle” integer overflow vulnerability that could lead to denial-of-service (DoS) and even remote code execution.

“Each variant of the LZO and LZ4 implementation is vulnerable in slightly different ways. The attacker must construct a malicious payload to fit each particular implementation. One payload cannot be used to trigger more than a DoS on each implementation. Because of the slightly different overflow requirements, state machine subtleties, and overflow checks that must be bypassed, even a worldwide DoS is not a simple task,” Bailey said in a blog post.
“This results in completely different threats depending on the implementation of the algorithm, the underlying architecture, and the memory layout of the target application. Remote Code Execution (RCE) is possible on multiple architectures and platforms, but absolutely not all. Denial of Service is possible on most implementations, but not all. Adjacent Object Over-Write (OOW) is possible on many architectures,” he added.

According to Bailey, his company has contacted vendors who use the vulnerable algorithm and they’ve all provided patches for their products. Lab Mouse has published only limited technical information on the flaw to give users time to patch their installations.

Trey Ford, global security strategist at Rapid7, noted that the LZO algorithm vulnerability can be exploited for remote code execution only in certain circumstances  ̶  for instance, the attacker needs to include malicious code in a file that’s accessed through a vulnerable system.

“You’re not looking at sites like YouTube or Vimeo here, more like direct peer-to-peer content sharing,” Ford told SecurityWeek. “LZO compression is used all over the place. You will find it in practically all variants of Linux including Solaris, iOS and Android, so the impact of this vulnerability will likely be extremely widespread, affecting servers, desktops, laptops, phones – almost anything you might view a video on.”

Advertisement. Scroll to continue reading.

The expert advises consumers to apply patches for video players, plugins and converters as soon as possible, and in the meantime avoid running video files unless really needed. In addition, users are recommended to refrain from visiting websites that auto-run video.

“For businesses, there is potential for mail gateway AV scanners to be the greatest threat, and it looks like 8 out of the top 53 AV solutions on VirusTotal are currently showing they can decode the LZ4, potentially opening the door to exploitation.  IT departments should prioritize a patching strategy.  We may also see this impact compression archive utilities and anti-virus tools, only time will tell. In a matter of time attackers will have both Denial of Service capabilities, and in some cases the ability to execute code remotely,” Ford said.

 “The frustrating thing is that this will likely be another textbook case of slow patching for embedded and consumer devices putting people at further risk for longer. Keep an eye open for mobile phone updates – I am particularly concerned about Android devices that have carrier controlled patch cycles.  For all users receiving ‘click here to see this video’ messages, that click just got scary.”


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.