Is it time to give up on 7-Zip?

    I’ve been a 7-Zip fan for, like, forever. That’s why it pains me to report that several people — people who know what they’re doing — are taking 7-Zip to task for failing to keep up with key security features.

    On Jan. 28, I posted an article on Computerworld titled "Multiple vulnerabilities in 7-Zip. Get it updated now!"

    I thought that Igor Pavlov’s new release, version 18.01, took care of the major security problems. I was wrong.

    The core of the problem: Pavlov refuses to add ASLR (Address Space Layout Randomization) to the product, and won’t compile 7-Zip with the /GS Buffer Security Check flag. (Good overview of both technologies on the ISV Software Security page.)

    This was part of landave’s original complaint:

    I have discussed this issue with Igor Pavlov and tried to convince him to enable all three flags. However, he refused to enable /DYNAMICBASE [the ASLR flag] because he prefers to ship the binaries without a relocation table to achieve a minimal binary size. Moreover, he doesn’t want to enable /GS, because it could affect the runtime as well as the binary size.
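    The first of those two points can be verified directly from a binary's PE headers. The following Python is an added example (not from this post, from 7-Zip or from landave's report): it reads the DllCharacteristics bit that /DYNAMICBASE sets and checks whether a base relocation table is present, since the Windows loader cannot randomize an image it cannot relocate, so the flag alone proves nothing. The /GS cookie check is compiled into function bodies and is not visible from headers; `make_fake_pe` builds a constructed header purely so the checker can be exercised offline.

```python
import struct

# Bit flags from the PE/COFF specification
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # set by /DYNAMICBASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # set by /NXCOMPAT

def aslr_report(data: bytes) -> dict:
    """Inspect a PE image's headers and report whether ASLR can actually work on it."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):      # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    pe32plus = magic == 0x20B
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 5 is the base relocation table
    dd = opt + (112 if pe32plus else 96)
    _reloc_rva, reloc_size = struct.unpack_from("<II", data, dd + 5 * 8)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    has_relocs = reloc_size > 0 and not (characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": pe32plus,
        "dynamic_base": dynamic_base,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "has_relocations": has_relocs,
        # The loader can only rebase an image it can relocate: the flag alone is not enough
        "aslr_effective": dynamic_base and has_relocs,
    }

def make_fake_pe(pe32plus: bool, dll_chars: int, reloc_size: int, characteristics: int = 0) -> bytes:
    """Constructed minimal PE header (not a loadable binary) for exercising the checker offline."""
    img = bytearray(512)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)          # e_lfanew points at the PE signature
    img[0x80:0x84] = b"PE\0\0"
    coff, opt = 0x84, 0x84 + 20
    struct.pack_into("<H", img, coff + 18, characteristics)
    struct.pack_into("<H", img, opt, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", img, opt + 70, dll_chars)
    dd = opt + (112 if pe32plus else 96)
    struct.pack_into("<II", img, dd + 5 * 8, 0x1000 if reloc_size else 0, reloc_size)
    return bytes(img)
```

    To check a real installation, pass the bytes of the 7-Zip executable or shell-extension DLL to `aslr_report`; a result with `dynamic_base` false or `has_relocations` false means the loader will map it at its fixed preferred base every time.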

    So how bad is it? Microsoft Security Response Center engineer (not speaking in an official capacity!) Joseph Bialek says:

    What year is it @7zip ?? You guys still running on 90’s hardware??

    Stefan Kanthak, whom I quoted in the Computerworld article "Microsoft is distributing security patches through insecure HTTP links", says in a private message:

    [7-Zip’s] INSECURE shell extension is loaded into explorer.exe, and allows an attacker to leverage its MULTIPLE shortcomings. For example, Sun/Oracle made such a blunder when they deployed an outdated MSVCRT71.dll with their Java Runtime Environment, which allowed attackers to take advantage of its flaws.

    I’m not so concerned about individual, manual use as I am about the incorporation of 7-Zip binaries into other packages. An anonymous poster here on AskWoody came up with a long list of other packages that rely on 7-Zip, including WinRAR, Flash, and some .NET applications.

    I’m not yet ready to throw my copy of 7-Zip in the bit bucket. But I wonder if that’s just inertia.