Slashdot Mirror


Dangerous 7-Zip Vulnerabilities Flow To Top Security, Software Tools (theregister.co.uk)

mask.of.sanity quotes a report from The Register: Some of the world's biggest security and software vendors will be rushing to patch holes in implementations of the popular 7-Zip compression tool to stop attackers gaining full control of customer machines. Marcin Noga, a Cisco security researcher, found and reported the holes to the platform, which could allow attackers to compromise updated machines, giving attackers the same access rights as logged-in users. FireEye and MalwareBytes are two of many products that use 7-Zip. "An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format files ... [which] can be triggered by any entry that contains a malformed Long Allocation Descriptor," Colleague of The Register Jaeson Schultz said. The flaws were fixed in 7-Zip 16.00, which was released Tuesday.

6 of 109 comments

  1. Re:Big pile of mess to clean up by Anonymous Coward · · Score: 2, Insightful

    Except even very skilled and organized coders make bugs, even if less frequently, which means security bugs sometimes come in groups and sometimes not...

  2. Re:"user permissions" != "full control" by Anonymous Coward · · Score: 0, Insightful

    Except Linux has permission escalation bugs that can turn user permissions into root permissions, and those bugs are not given very high priority.

  3. Re:"user permissions" != "full control" by aberglas · · Score: 3, Insightful

    The myth of root is just that. The days of lots of people sharing the one client computer are long gone. For PCs, most of the good stuff is accessible in user mode. All the documents, email etc.

  4. Re:Big pile of mess to clean up by silentcoder · · Score: 2, Insightful

    The astonishing thing is that after 3 decades of stack-crashing causing more security bugs than any other type - there still isn't a native array/hash/list type added to C.
    One can sanely argue that there are genuine cases where C's freedom to do almost anything is both needed and wanted - but how does that preclude giving sane, one-place-fixable standard data types for common tasks which you can deviate from only when you do, in fact, have to?

    Sure there are implementations of such in some libraries - but the moment you go there your program's portability and shippability are suddenly dependent on those of the library. This is the kind of functionality that ought to have been in ANSI-C decades ago so you could use it, and compile with any standards-compliant compiler on any platform without fear.

    --
    Unicode killed the ASCII-art *
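
Added example (not from the article, from Cisco's report, or from any commenter): the summary describes an out-of-bounds read triggered by a descriptor carrying a malformed length, and the comment above argues that C has no standard "one-place-fixable" checked container. The block below puts both together: a small bounds-checked byte view whose single accessor rejects any read past the buffer, used to parse a constructed length-prefixed record. The record layout, the sample buffers, and every function name are assumptions made for this example; they are not 7-Zip's code or the UDF on-disk format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A minimal bounds-checked byte view. Every read goes through one checked
 * accessor, so a bad length in untrusted input fails cleanly instead of
 * reading past the end of the buffer (the out-of-bounds-read class). */
typedef struct {
    const uint8_t *data;
    size_t len;
} byteview_t;

/* Read a little-endian u32 at `off`; returns 0 if it would run past the end. */
static int view_read_u32le(byteview_t v, size_t off, uint32_t *out) {
    if (off > v.len || v.len - off < 4) return 0;
    *out = (uint32_t)v.data[off] | ((uint32_t)v.data[off + 1] << 8)
         | ((uint32_t)v.data[off + 2] << 16) | ((uint32_t)v.data[off + 3] << 24);
    return 1;
}

/* Sub-view [off, off+n); fails if it would extend past the parent view. */
static int view_sub(byteview_t v, size_t off, size_t n, byteview_t *out) {
    if (off > v.len || v.len - off < n) return 0;
    out->data = v.data + off;
    out->len = n;
    return 1;
}

/* Hypothetical record layout (constructed for this example):
 * [u32 little-endian length][`length` bytes of payload]. */
typedef struct {
    uint32_t length;
    byteview_t payload;
} record_t;

/* Checked parse: the length field is validated against the bytes actually
 * present before any payload view is handed out. */
static int parse_record(const uint8_t *buf, size_t buflen, record_t *out) {
    byteview_t v = { buf, buflen };
    uint32_t n;
    if (!view_read_u32le(v, 0, &n)) return 0;           /* header truncated */
    if (!view_sub(v, 4, n, &out->payload)) return 0;    /* length > remaining data */
    out->length = n;
    return 1;
}

/* Parse and sum the payload bytes; -1 means the record was rejected.
 * The loop only touches bytes inside the checked view. */
static long parse_and_sum(const uint8_t *buf, size_t buflen) {
    record_t r;
    long sum = 0;
    if (!parse_record(buf, buflen, &r)) return -1;
    for (size_t i = 0; i < r.payload.len; i++) sum += r.payload.data[i];
    return sum;
}

/* For contrast: the end offset a parser that trusts the length field would
 * read up to. It only computes the offset and never dereferences, so
 * comparing it with buflen is safe. Returns 0 if the header itself is short. */
static uint64_t unchecked_read_end(const uint8_t *buf, size_t buflen) {
    if (buflen < 4) return 0;
    uint32_t n = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8)
               | ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    return 4ull + n;
}

/* Constructed sample inputs. */
static const uint8_t GOOD[]  = { 0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c' };   /* length 3, 3 bytes */
static const uint8_t BAD[]   = { 0xFF, 0xFF, 0xFF, 0x7F, 'a', 'b' };        /* claims ~2 GiB, has 2 */
static const uint8_t TRUNC[] = { 0x03, 0x00 };                              /* header cut short */

int main(void) {
    printf("good:  sum=%ld\n", parse_and_sum(GOOD, sizeof GOOD));
    printf("bad:   sum=%ld (unchecked parser would read to offset %llu of %zu)\n",
           parse_and_sum(BAD, sizeof BAD),
           (unsigned long long)unchecked_read_end(BAD, sizeof BAD), sizeof BAD);
    printf("trunc: sum=%ld\n", parse_and_sum(TRUNC, sizeof TRUNC));
    return 0;
}
```

The point of the design is that `view_read_u32le` and `view_sub` are the only places that touch raw pointers, so a length-validation bug is fixed in one place rather than at every field access; the `off > v.len || v.len - off < n` form also avoids the overflow that `off + n > v.len` would introduce for large values.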
  5. Re:So how do you open ZIP files these days? by Anonymous Coward · · Score: 5, Insightful

    "7zip sucks too"

    Totally disagree.

    On Windows it is the best compression tool (all impressive merits of the 7z format aside) simply because it does exactly what you want: installs Windows shell commands, which really are invaluable:

      - Right click a folder and choose "Add to xxxx.7z" to make a 7z archive (last used settings) or "Add to xxxx.zip" to make a zip file (last used settings) or "Add to Archive" to bring up the options and customize everything. There are shell commands for sending via email, but I don't use those myself.

      - Right click any archive file and choose "Extract to ...." to dump the contents into a folder in the current directory. There is another option to bring up a dialog and choose where to put the contents.

    At the end of the day, 99.9999% of archive management is covered by these few commands and they really just get the job done.

    It's as nice as right clicking a folder of MP3s and choosing "Play in Winamp". It was good that this was added to VLC, but I also see that Microsoft copied this and now I have an annoying "Play in Windows Media Player" option there as well. I *know* I can get rid of it, but life's too short.

  6. Re:So how do you open ZIP files these days? by Anonymous Coward · · Score: 1, Insightful

    WinRAR does all that, but better.