Slashdot Mirror


Dangerous 7-Zip Vulnerabilities Flow To Top Security, Software Tools (theregister.co.uk)

mask.of.sanity quotes a report from The Register: Some of the world's biggest security and software vendors will be rushing to patch holes in implementations of the popular 7-Zip compression tool to stop attackers gaining full control of customer machines. Marcin Noga, Cisco security researcher, found and reported the holes to the platform, which could allow attackers to compromise updated machines, giving attackers the same access rights as logged-in users. FireEye and MalwareBytes are two of many products that use 7-Zip. "An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format files ... [which] can be triggered by any entry that contains a malformed Long Allocation Descriptor," Colleague of The Register Jaeson Schultz said. The flaws were fixed in 7-Zip 16.00, which was released Tuesday.


  1. Re:Big pile of mess to clean up by 110010001000 · · Score: 5, Funny

    "catched it"? Your spell checker should have caught that one.

  2. Re: Big pile of mess to clean up by viperidaenz · · Score: 3, Funny

    Or Parsey McParseface

  3. "user permissions" != "full control" by gweihir · · Score: 2

    At least in any sane system, and Windows has started, a few decades late, to use sound OS design practices. So no, not "full control".

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:"user permissions" != "full control" by aberglas · · Score: 3, Insightful

      The myth of root is just that. The days of lots of people sharing the one client computer are long gone. For PCs, most of the good stuff is accessible in user mode. All the documents, email etc.

    2. Re:"user permissions" != "full control" by johannesg · · Score: 3, Interesting

      What "sound design practices" would those be? As far as I can tell, the choice is still either full denial (resulting in not being able to use the software), or the keys to the kingdom (based on whether you trust that the developer is kosher and his website has not been compromised). There is no middle ground - "install this, but keep it locked in a sandbox".

      And Linux is just as bad. So what if the OS protects itself from the users? The OS has literally zero value; if it gets wiped, it's 30 minutes work to rebuild it from scratch, less if you made an image. It's the _data_ that is on the machine, completely unprotected by all those clever permission schemes, that will be lost if any compromised software is allowed to run. If you run "rm -rf /", you remove precisely all the files anyone cares about.

      The Linux permission schema was designed when computers were hulking beasts that shared limited resources between many users that needed protection from each other. We then moved through personal (i.e. single user) computers where such protection is of limited use, to today's practice of having each application running in a container - providing data protection in the form of a kind of meta-OS, since the main OS is clearly just not capable enough.

      The whole thing, whether in Windows or in Linux, is just one big clusterfuck of endless wasted effort solving entirely the wrong problem.

    3. Re:"user permissions" != "full control" by gweihir · · Score: 3, Interesting

      My take is more that the problem is people not understanding the permission system. Used right, it works pretty well. The whole container-thing comes from people not understanding how to isolate things using the classical UNIX model (and software distributed as binary, of course). Incidentally, containers make you _less_ secure against a competent attacker as they add additional ways to compromise the system and disregard KISS, while pretending otherwise.
       

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:"user permissions" != "full control" by fuzzyfuzzyfungus · · Score: 2

      I suspect that part of the concern is that 7zip is sometimes found in program installers, which typically do run with elevated permissions. Those are also the places where obsolete versions are probably going to remain embedded forever unless the vendor cares atypically much about fixing them.

      It'll be harder to trick an installer to chew on a suitably malformed file, compared to a user just using 7zip; but if you can manage it, you get a nice, handy, elevated context.

    5. Re:"user permissions" != "full control" by Insightfill · · Score: 3, Funny

      At least in any sane system, and Windows has started, a few decades late, to use sound OS design practices. So no, not "full control".

      I haven't had "full control" of my Windows computer in a while. Maybe I can use this 7zip vulnerability to get something back from this beast of Windows 10.

  4. Re:Version 16? by Anonymous Coward · · Score: 4, Informative

    "7-Zip uses YEAR.REVISION scheme for version numbers."
    https://sourceforge.net/p/sevenzip/discussion/45797/thread/a8fd6078/#1a6c/4be3/04ce

  5. Re:Big pile of mess to clean up by Anonymous Coward · · Score: 2, Insightful

    Except even very skilled and organized coders make bugs, even if less frequently, which means security bugs sometimes come in groups and sometimes not...

  6. Re:So how do you open ZIP files these days? by Tapewolf · · Score: 2

    So, when installing a new machine, how do you choose to open zip files? Winzip has that irritating registration screen, Windows native zip opening lacks features, 7zip sucks too, so what do people use these days that's free and downloadable?

    I doubt there are many implementations of 7zip out there. Chances are anything which can open a .7z file does so by using 7zip's SDK. It's public domain, so there's no reason not to unless you're working in a language that can't link to C libraries.

  7. Re:So how do you open ZIP files these days? by Anonymous Coward · · Score: 2, Informative

    What sucks about 7zip?
    That's what I use exclusively.

  8. Re:Big pile of mess to clean up by silentcoder · · Score: 2, Insightful

    The astonishing thing is that after 3 decades of stack-crashing causing more security bugs than any other type - there still isn't a native array/hash/list type added to C.
    One can sanely argue that there are genuine cases where C's freedom to do almost anything is both needed and wanted - but how does that preclude giving sane, one-place-fixable standard data types for common tasks which you can deviate from only when you do, in fact, have to?

    Sure there are implementations of such in some libraries - but the moment you go there your program's portability and shippability is suddenly dependent on those of the library. This is the kind of functionality that ought to have been in ANSI-C decades ago so you could use it, and compile with any standards compliant compiler on any platform without fear.

    --
    Unicode killed the ASCII-art *
  9. Re:Big pile of mess to clean up by TheRaven64 · · Score: 5, Informative

    The astonishing thing is that after 3 decades of stack-crashing causing more security bugs than any other type - there still isn't a native array/hash/list type added to C.

    There is, but the resulting language is called C++. The type system of C doesn't allow you to have container-of-X, where X is some other type, constructs without resorting to macros. A lot of systems (including Windows NT and Linux) use derivatives of the 4BSD headers for this, but they use a container-of pattern that involves casting from a pointer to member to a pointer to the outer structure in a way that depends on explicit casts and makes it easy to accidentally violate type safety.

    --
    I am TheRaven on Soylent News
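
The container-of pattern described in the comment above, as an added example (not part of the original post and not taken from any project's headers). The names `node`, `job`, `user`, `CONTAINER_OF` and the run-time `kind` tag are hypothetical; the tag is one way to compensate for the type check the cast bypasses.

```c
#include <stddef.h>
#include <stdio.h>

/* Intrusive link embedded in the payload, as in the BSD-derived headers. */
enum kind { KIND_JOB = 1, KIND_USER = 2 };
struct node { enum kind kind; struct node *next; };

/* Hypothetical payloads; the link sits at a different offset in each. */
struct job  { int id; struct node link; };
struct user { char name[16]; int uid; struct node link; };

/* Container-of: step back from the member to the outer struct and cast.
 * Nothing ties `ptr` to `type`, so naming the wrong type still compiles. */
#define CONTAINER_OF(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* How far off the result is if a job's link is treated as a user's link.
 * Computed from offsets only; the bad pointer is never formed. */
long miscast_skew(void) {
    return (long)offsetof(struct user, link) - (long)offsetof(struct job, link);
}

/* Checked accessor: the run-time tag replaces the missing static check. */
struct job *job_from_node(struct node *n) {
    if (n == NULL || n->kind != KIND_JOB)
        return NULL;
    return CONTAINER_OF(n, struct job, link);
}

/* Walk a mixed list and add up job ids, skipping nodes of other kinds. */
int sum_job_ids(struct node *head) {
    int sum = 0;
    for (struct node *n = head; n != NULL; n = n->next) {
        struct job *j = job_from_node(n);
        if (j != NULL)
            sum += j->id;
    }
    return sum;
}

/* Constructed sample list: job(35) -> user("alice") -> job(7). */
int demo_sum(void) {
    struct job  a = { 7,  { KIND_JOB,  NULL } };
    struct user u = { "alice", 1000, { KIND_USER, &a.link } };
    struct job  b = { 35, { KIND_JOB,  &u.link } };
    return sum_job_ids(&b.link);
}

int main(void) {
    printf("sum=%d skew=%ld\n", demo_sum(), miscast_skew());
    return 0;
}
```
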
  10. Re:So how do you open ZIP files these days? by Anonymous Coward · · Score: 5, Insightful

    "7zip sucks too"

    Totally disagree.

    On Windows it is the best compression tool (all impressive merits of the 7z format aside) simply because it does exactly what you want: installs windows shell commands, which really are invaluable:

      - Right click a folder and choose "Add to xxxx.7z" to make a 7z archive (last used settings) or "Add to xxxx.zip" to make a zip file (last used settings) or "Add to Archive" to bring up the options and customize everything. There are shell commands for sending via email, but I don't use those myself.

      - Right click any archive file and choose "Extract to ...." to dump the contents into a folder in the current directory. There is another option to bring up a dialog and choose where to put the contents.

    At the end of the day, 99.9999% of archive management is covered by these few commands and they really just get the job done.

    It's as nice as right clicking a folder of MP3s and choosing "Play in Winamp". It was good that this was added to VLC, but I also see that Microsoft copied this and now I have an annoying "Play in Windows Media Player" option there as well. I *know* I can get rid of it, but life's too short.

  11. Re:So, ... was this a responsible disclosure by Mister+Transistor · · Score: 4, Informative

    Um, last line (it's hard to concentrate that long, I know...) of TFA:

    "The flaws were fixed in 7-Zip 16.00, which was released Tuesday."

    --
    -- You are in a maze of little, twisty passages, all different... --
  12. Badly worded by DrYak · · Score: 4, Informative

    7z is software used to manipulate archives in numerous formats (including a few obscure formats - one of the most compatible on the market).

    Lots of security software like antivirus need to be able to process archives (e.g.: an antivirus needs to scan all the files packaged into a ZIP archive).
    Some of these security software use 7z as an archive engine.

    7z has a vulnerability when unpacking a specially crafted archive.
    This flaw will extend to security software that relies on 7z as a component to help it handle archives.

    Hence "Dangerous 7-Zip Vulnerabilities Flow To Top Security, Software Tools"

    By sending an e-mail with a specially crafted ZIP file attachment, you can b0rk the mail server using an exploit that affects the antivirus in charge of scanning incoming attachments, because that antivirus relied on 7z.

    That means

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]