7-Zip compromised

Nothing to see here folks. Just the National Enquirer of the tech news world blowing up something out of whack. You can only trigger this with UDF files. Not ZIP or 7z files or even ISO files. Yes, it is a serious bug, but the circumstances where it can be implemented are very narrow.
 
You can only trigger this with UDF files. Not ZIP or 7z files or even ISO files. Yes, it is a serious bug, but the circumstances where it can be implemented are very narrow.
I'm not sure that it's so easily dismissed. The point is, that 7zip doesn't check filenames, so a malicious UDF file can be renamed .7z. As one of the comments to the Register article explains:
The problem is that an attacker can craft a malicious 7zip archive which will make the 7zip process (either the stand-alone version or integrated as library code in some other product) execute whatever code the attacker wants, with the same privileges as the 7zip process.

This is somewhat dangerous for the stand-alone 7zip: somebody can mail you a .7z file and ask you to decompress it. If you do, you get p0wned.

However, more dangerous is other products receiving and decompressing .7z files automatically. For example, a virus scanner which might want to open the .7z archive to check the contents for malware!
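The point made above is that 7-Zip chooses a handler by sniffing the file's contents, so the extension tells a downstream tool nothing about which parser will run. The following is an added example, not code from the thread or from 7-Zip, showing the kind of pre-extraction check an auto-extractor or scanner could apply: identify the container by its signature (7z and ZIP magic bytes; ISO 9660 / UDF volume descriptors at sector 16) and refuse anything that is not a format the tool actually needs, or whose content does not match its extension. The sample headers are constructed in the block, and the helper names are the example's own.

```python
import os

# Signatures as defined by the respective formats.
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
ZIP_MAGIC = b"PK\x03\x04"
SECTOR = 2048
VRS_OFFSET = 16 * SECTOR  # ISO 9660 / UDF volume descriptors start at sector 16
DISC_IDENTS = (b"BEA01", b"NSR02", b"NSR03", b"TEA01", b"CD001", b"BOOT2")


def sniff_format(data: bytes) -> str:
    """Classify a file by content, ignoring its name (as 7-Zip does)."""
    if data.startswith(SEVENZ_MAGIC):
        return "7z"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    # Walk the volume descriptor sequence: each 2048-byte descriptor has a
    # type byte followed by a 5-byte identifier.  A UDF bridge disc carries
    # ISO 9660 "CD001" descriptors first, then BEA01 / NSRxx / TEA01.
    seen = set()
    off = VRS_OFFSET
    while off + 7 <= len(data):
        ident = data[off + 1:off + 6]
        if ident not in DISC_IDENTS:
            break
        seen.add(ident)
        if ident == b"TEA01":
            break
        off += SECTOR
    if b"NSR02" in seen or b"NSR03" in seen:
        return "udf"  # assumption: treat any image with a UDF NSR descriptor as UDF
    if b"CD001" in seen:
        return "iso9660"
    return "unknown"


EXT_TO_FORMAT = {".7z": "7z", ".zip": "zip", ".iso": "iso9660", ".udf": "udf"}


def check_archive(name: str, data: bytes, allowed=("7z", "zip")):
    """Return (ok, reason).  Reject formats the caller never needs, and
    files whose sniffed format contradicts their extension."""
    fmt = sniff_format(data)
    expected = EXT_TO_FORMAT.get(os.path.splitext(name)[1].lower())
    if fmt not in allowed:
        return False, f"{fmt} is not an accepted container format"
    if expected is not None and expected != fmt:
        return False, f"extension says {expected} but content is {fmt}"
    return True, fmt


def make_disc_image(*idents: bytes) -> bytes:
    """Constructed test image: empty system area, then one descriptor per ident."""
    body = b"".join(bytes([0]) + ident + bytes(SECTOR - 6) for ident in idents)
    return bytes(VRS_OFFSET) + body


if __name__ == "__main__":
    udf_renamed = make_disc_image(b"BEA01", b"NSR02", b"TEA01")
    print(check_archive("drivers.7z", udf_renamed))      # rejected: content is UDF
    print(check_archive("drivers.7z", SEVENZ_MAGIC + bytes(32)))  # accepted
```

An auto-extractor that only ever expects 7z and ZIP downloads gains nothing from letting the archiver auto-detect disc images, so the allow-list is the useful part; the extension check is a cheap second signal, not a substitute for patching the archiver itself.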
It's embedded versions of 7zip that are potentially problematic as they can't be updated independently, so users are at the mercy of the vendor.
 
I don't see how security software running is nearly as big of a deal as auto extractors on download tools. To exploit a vulnerability in security software running 7zip extraction, malware would have to be created to look for that particular implementation and get the program to attempt the extraction, which doesn't seem nearly as likely to happen as mass distribution of 7zip exploits through newsgroups and torrents.
 
I just confirmed sabnzbd has 7zip implemented; of course you can just delete the 7za executable, but until they do that they are at risk.

Edit: I mean as far as I know they are at risk.
 
This is pretty serious assuming I'm right. If I was a malware author I would be able to compromise thousands upon thousands of tech savvy users by targeting auto downloaders for tv shows and movies. Once they are compromised it wouldn't be difficult to compromise their friends, assuming they are in fact tech savvy and their friends know that.
 
I'm the developer of Snappy Driver Installer and since the tool has 7z support (via LZMA SDK) to extract drivers from 7z archives, I investigated the report myself.

It should be noted that applications are adding support for the 7-zip format by linking a library named LZMA SDK rather than trying to integrate the full-fledged 7-zip manager. LZMA SDK supports only 7z and some other basic formats such as zip. UDF and other advanced stuff isn't a part of LZMA SDK.

I checked the source code of LZMA SDK and it turned out that it doesn't even include the files (HfsHandler.cpp, UdfIn.cpp) which were affected by the vulnerability.

The issue mostly affected the 7-zip manager and tools that were using 7za.exe. As for applications that are using LZMA SDK, they were never affected.

Either way, the vulnerability was patched in 7-zip 16.0, so users only have to update their 7z managers, replace 7za.exe with the new version and move on. I'm glad these issues are addressed and aren't swept under the rug, but the media blows it out of proportion. It's like asking users to stop using browsers because they had a vulnerability at some point, even though it was patched before hackers were able to exploit it.
 