Dangerous 7-Zip Vulnerabilities Flow To Top Security, Software Tools

mask.of.sanity quotes a report from The Register: Some of the world's biggest security and software vendors will be rushing to patch holes in implementations of the popular 7-Zip compression tool to stop attackers gaining full control of customer machines. Marcin Noga, Cisco security researcher, found and reported the holes to the platform, which could allow attackers to compromise updated machines, giving attackers the same access rights as logged-in users. FireEye and MalwareBytes are two of many products that use 7-Zip. "An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format files ... [which] can be triggered by any entry that contains a malformed Long Allocation Descriptor," Colleague of The Register Jaeson Schultz said. The flaws were fixed in 7-Zip 16.00, which was released Tuesday.

Re:"user permissions" != "full control"

[johannesg]

What "sound design practices" would those be? As far as I can tell, the choice is still either full denial (resulting in not being able to use the software), or the keys to the kingdom (based on whether you trust that the developer is kosher and his website has not been compromised). There is no middle ground - "install this, but keep it locked in a sandbox".

And Linux is just as bad. So what if the OS protects itself from the users? The OS has literally zero value; if it gets wiped, it's 30 minutes work to rebuild it from scratch, less if you made an image. It's the _data_ that is on the machine, completely unprotected by all those clever permission schemes, that will be lost if any compromised software is allowed to run. If you run "rm -rf /", you remove precisely all the files anyone cares about.

The Linux permission schema was designed when computers were hulking beasts that shared limited resources between many users that needed protection from each other. We then moved through personal (i.e. single user) computers where such protection is of limited use, to today's practice of having each application running in a container - providing data protection in the form of a kind of meta-OS, since the main OS is clearly just not capable enough.

The whole thing, whether in Windows or in Linux, is just one big clusterfuck of endless wasted effort solving entirely the wrong problem.

Re:"user permissions" != "full control"

[gweihir]

My take is more that the problem is people not understanding the permission system. Used right, it works pretty well. The whole container-thing comes from people not understanding how to isolate things using the classical UNIX model (and software distributed as binary, of course). Incidentally, containers make you _less_ secure against a competent attacker as they add additional ways to compromise the system and disregard KISS, while pretending otherwise.