Is it time to give up on 7-Zip?
This topic contains 97 replies, has 26 voices, and was last updated by Steve 4 months, 1 week ago.
-
I’ve been a 7-Zip fan for, like, forever. That’s why it pains me to report that several people — people who know what they’re doing — are taking 7-Z
[See the full post at: Is it time to give up on 7-Zip?]
-
I don’t mean to be conspiratorial, but whenever I read that the author of a program like 7/Zip refuses to include essential security features in his product, I wonder if he was told not to include these features.
I have discussed this issue with Igor Pavlov and tried to convince him to enable all three flags. However, he refused to enable /DYNAMICBASE [the ASLR flag] because he prefers to ship the binaries without relocation table to achieve a minimal binary size. Moreover, he doesn’t want to enable /GS, because it could affect the runtime as well as the binary size.
From what I have heard many times, the US government (specifically the NSA) pressures companies to include back doors in their products.
Group "L" (Linux Mint)
with Windows 8.1 running in a VM
-
Fascinating. It never crossed my mind. But now that you mention it…
-
He he, there are always other interested organizations in this sort of stuff, not only NSA.
The issue with the backdoors is that sooner or later, all those interested will find out and use those backdoors, not only the original sponsor. Sometimes even “script kiddies” take advantage when the backdoors are made public and the systems do not keep up with patching.
While it is not clear if those backdoors are allowed on purpose in the first place, based on current information it is safe to assume so.
-
If not 7-Zip, then what other program that does what 7-Zip does AND doesn’t contain the security holes about which you are concerned? (Redundant of post entered before logging in and tagged as anonymous.)
-
From what I’ve read, 7-ZIP would not need to be replaced. It’s open-source, so anyone can recompile the source code with the added security. And EMET or Windows Exploit Protection may be able to provide sufficient protections if you are running the most up to date versions of 7-ZIP. In Linux, there’s AppArmor, which may be able to add similar protections to PeaZIP (which is based on the 7-ZIP binaries). I am not a security or coding expert, but it seems a fix could be developed and released as a derivative or fork of 7-ZIP. I doubt the author of 7-ZIP would object, as long as he gets due credit.
-- rc primak
-
How many regular users will know how to recompile the source code with the added security? How many will even think about these issues? The “regular folks”, who aren’t even aware of these issues, let alone capable of addressing them, are the ones I am concerned about.
Group "L" (Linux Mint)
with Windows 8.1 running in a VM
-
Regular folks would not be aware of the need, or even know what it means to compile something… but if that’s really all it takes, someone out there could take the open-source code and simply compile it with the new compiler directives, and make that compiled product available to the public.
It’s kind of how I believe Waterfox got started… years ago, Mozilla did not offer any official 64-bit builds of Firefox for Windows, so MrAlex94 began to build the Firefox source into 64-bit binaries, so that end users who don’t have the resources or desire to compile it themselves can still benefit. I’m not sure what Mozilla’s reasoning was; they already offered 64-bit versions for Mac and Linux, and from the first moment I tried Waterfox (which only existed in 64-bit form) in Windows, it was more stable than 32-bit Firefox by far.
Now that Mozilla offers 64-bit Windows binaries, the focus of Waterfox has shifted, but in the beginning, it was all about it being compiled differently. The same could apply to 7-Zip, if there is any real demand for it.
Group "L" (Kubuntu 18.10)
-
Regular users are more vulnerable because they are likely to search on ‘7-zip’ and download the first search return. This is likely to be 7-Zip and not a derivative. Technically adept users aware of the problem are likely to seek an alternative. As Ascaris noted, someone else could take on the chore of making the necessary changes and compilation and release it to the public so hopefully very few would ever actually do the compilation on any OS.
-
So I asked Stefan if he had a good alternative to 7-Zip, and this is what he said:
Windows (since ’95) NATIVE archive format .CAB: without delta compression it compresses almost as good as .7z, and with delta compression it performs BETTER than .7z.
Additionally .CAB archives can be digitally (authenticode) signed, which no other format offers (except .ZIP when used for OOXML or OpenXML format files), and both Windows’ SetupAPI and Windows, er, Microsoft Installer as well as the “component based servicing” can process their contents without unpacking the whole archive.
Unfortunately Microsoft does not offer to create .CAB archives in Windows Explorer; users need to call MAKECAB.exe on the command line or use IEXPRESS.exe.
So: .CAB for incoming files, especially installer packages (.MSU are .CAB archives, they just have another extension; .MSI and .MSP contain their payload as .CAB archives, as well as the self-extracting installers provided by Microsoft), and .ZIP for outgoing archives.
Developers and vendors should ALWAYS use and support the NATIVE archive format of the target OS, they should NEVER force their users/customers to install additional software to access or use files they distribute.
The arguments from https://skanthak.homepage.t-online.de/!execute.html apply here too: ALWAYS use the NATIVE format of the target OS, NEVER expect or force your users to jump through loops to access or use what you distribute. People who send/distribute .7z, .RAR, .ARJ or other “strange” formats to Windows users don’t want them to use what they provide.
That’s basically the KISS principle: keep it simple for your users, SAVE them from all possible hassle and additional vulnerabilities, be it “strange” archive formats or executable installers/self-extractors, which are almost always vulnerable, and seduce people to EXECUTE anything they get.
What do you think?
-
anonymous
Before there were CABinet files for general public use, ZIP files became the standard for DOS (ACE, ZOO, ARJ & a few others were competition). Many more people may know how to create and extract the .ZIP file extension contents, so it is better to use that for most cases if you do not wish to explain yourself. 🙂
The ability to sign a .CAB file, an advantage if the distributor of the package is honest.
-
anonymous
WOW! ARJ Software still exists, and on the FAQ page question ‘k’ makes it clear there is another signed archive format.
-
Am I being thick(er)?
I’ve “always” used Windows built-in function for both opening and creating zip files.
What am I missing here?
https://support.microsoft.com/en-us/help/14200/windows-compress-uncompress-zip-files
-
anonymous
What Stefan would want you to do is use Microsoft’s native CABinet archive file format with Windows. Stefan is blind to the fact that the IExpress utility & makecab programs aren’t widely known by most people to make a .CAB archive. There may be too few to none, other than Microsoft’s programs, that could make one. CAB files are still mostly a Microsoft internal use product.
Microsoft were wise to add .ZIP capabilities to Explorer in part because of its ubiquity; it has been widely known since approximately the latter half of the 1980s. So you can ignore the advice for Windows. For GNU/Linux and Unix he is generally right, because many files are TARed & GZipped for distribution.
Did this clarify or create befuddlement in your brain?
-
Encryption is one of the two issues here, that is, the ability to encrypt a document so as to prevent unauthorized people from reading it, because the author chose not to include the more secure encryption in 7Zip.
The other issue is the ability of someone to tamper with your zipped document.
WinZip has excellent encryption. So using WinZip would address both of these concerns.
Group "L" (Linux Mint)
with Windows 8.1 running in a VM
-
The 7-Zip author has added the stronger AES-256 encryption as an archive option for the .zip format. ZipCrypto is the default, but if you choose the dropdown menu selector for ‘encryption method’, you will see that both choices are available.
AES-256 is the only encryption method choice for the .7z format.
-
In the original post, Woody put the following quote:
I have discussed this issue with Igor Pavlov and tried to convince him to enable all three flags. However, he refused to enable /DYNAMICBASE [the ASLR flag] because he prefers to ship the binaries without relocation table to achieve a minimal binary size. Moreover, he doesn’t want to enable /GS, because it could affect the runtime as well as the binary size.
Are you saying that these are not valid security concerns?
Group "L" (Linux Mint)
with Windows 8.1 running in a VM
-
That referenced lack of security was in regard to using 7-Zip as a Windows shell extension, and somebody possibly exploiting that.
The AES-256 encryption method is not related to that vulnerability and should not be affected.
Two different issues.
-
In their ivory towers, experts may have opinions, but the fact is that tools such as 7-zip that open a large variety of formats are needed because the OS simply doesn’t provide native support for all the formats.
Ever download a .tar.gz file from, say, an open source library site? It’s in that format because (surprise) the world doesn’t revolve around Microsoft. I assume the answer will be yes as it is for so many of us. If so, what did you use to open it?
And regarding “native” support for .CAB… The underlying SDK APIs to access CAB files were already outdated at the turn of the millenium. Now they’re positively ancient. I know because we’ve coded software to create .CAB files to contain submitted error reports recently.
I have to ask: Are a lot of people being infected by 7-zip? “Theoretical” vulnerabilities do serve to help people improve products, but is 7-zip really proving worthy of such worry?
-Noel
-
Delta compression CAB, better known as Intra Package Delta, is exclusive to Microsoft updates; it’s not available in Windows and no one can create it but them.
As I pointed out, even Microsoft uses the 7z library to pack .NET executable updates.
-
7Zip exploit protection settings recommendation
https://malwaretips.com/threads/7zip-exploit-protection-settings-recommendation.76887/
(etc) …
That was me, in the below Anonymous Posting (#171747)
-- rc primak
-
anonymous
but the last post in your cited link is from last year
what about version 18 this year?
-
Comment from landave: “While mandatory ASLR is a nice feature (and will be supported by Windows 10 even without EMET), it will not work for binaries with stripped relocation table. Igor seems to do exactly this to reduce the size of the binary.
Also, EMET cannot give you stack canaries if the binary is not compiled with /GS.”
-
RC Primak
7Zip exploit protection settings recommendation
https://malwaretips.com/threads/7zip-exploit-protection-settings-recommendation.76887/
So, with either EMET or Exploit Guard, MS Windows can be configured to make 7-ZIP adhere to the recommended security protocols. So what’s the flap about?
In Linux, AppArmor can provide similar protection to PeaZip, which is based on 7-ZIP’s binaries.
Or you can go out, get the binary’s source code, add ASLR and other security .dll’s (or whatever Linux uses), and recompile your own secure version of 7-ZIP and PeaZIP. And if anyone does this, hopefully they will share the resulting package with the rest of us.
-
I just got a new box. How do I install EMET?
Thank you.
Morty
-
anonymous
Thankfully it is open and people with knowledge can recompile it to their liking. 7-zip compression is used in software deployment; hopefully the software engineers will see this and do what is necessary to make it a little more secure.
Their are not many software solutions that can compress like 7-zip. 🙁
-
anonymous
The power went out at my office just about the time that you posted with “their”. Does that count? 😉
-
7 Zip, wow, haven’t used that in a while. I remember it being included on some HP PCs if I am not mistaken. These days I just use the built in unzipper in Windows 10 for what I need. It’s not unfamiliar to me though; plenty of PCs I work on still have it installed.
-
These days I just use the built in unzipper in Windows 10 for what I need.
I know what you mean; for ad hoc compression and decompression of .zip files I often do the same.
But it’s really just another case where a convenient, mediocre solution eclipses an elegant one.
I’m reminded of the scene in the film “Contact”, where the “Bill Gates” like character H. R. Hadden is explaining to Dr. Eleanor Arroway that the alien culture is highly advanced, which of course means “efficient functioning on multiple levels”.
How is anything that’s actually happening in our real world taking us toward that ideal?
-Noel
-
anonymous
can you do a compressed file preview without 7zip in w10?
-
anonymous
You should be able to double click a ZIP archive and see files and navigate the contained directory structure. I think using Windows Explorer you have to decompress a single file somewhere else to view the contents.
-
@jescott418 yep, same here. The only piece of crudware that came to me with a brand new HP machine that I ever liked or kept, OS excepted.
What’s not to like about 7zip? It’s fast, it’s a one stop deal for me with zip handling; if 7zip can’t do it then it’s probably not worth doing. The only limitation with it I can see is it doesn’t go and get me a cold beer out of the fridge and brew a nice cup of tea, maybe later versions eh Igor?
-
anonymous
That just sucks. I use 7-zip to compress things into RAR and 7z files (For ZIP files, File Explorer does the job just fine), and I shun other programs like WinZIP and WinRAR because why have a zillion programs to do the same thing when one can do it all (without ads and without the annoying trial period popup in WinRAR)?
I guess the other awesome thing about 7-Zip is that it’s open source, but that doesn’t mean an awful lot to non-programming experts like me, other than the reassurance that the code lives on when the coder moves on.
-
While I appreciate the news in the first place, I think that there is an over-reaction here. There are enterprise products which still do not implement ASLR or recommend disabling it for performance reasons, so targeting 7-zip here is unfair at least. There are boundaries to what is and what is not a critical security issue. And the fact that a Microsoft rep recommends implementing Microsoft security technologies built-in Windows is not something new. It is certainly preferable to have those technologies in place, but the lack of them does not inherently make a product insecure.
-
My first thought on this is that maybe the author knows more about what he’s doing than the folks “pressuring” him to enable switches that may have downsides.
Imagine, for example, a compile/link switch that makes the code measurably less efficient, but does not really provide any substantial benefit when considering how the product actually works. Who would want such a switch thrown? Those who would benefit from selling people new hardware?
It is my considered opinion that computer security, as discussed by the public, is more marketing and hype than substance.
-Noel
-
So glad to see someone finally mention Winzip. I’ve used Winzip for decades myself with no problems, and it is compatible with most other compression programs, Windows included. It’s not free, but you can still use it after the trial period.
Win 7 Home Premium, x64, Intel i3-2120 3.3GHz, Group B
-
anonymous
Anyone caught by the ridiculous security hysteria spread by utterly useless zealots and talking-heads should download the 7-Zip source code, fix all security bugs, if any, apply the ‘security’ compiler switches recommended by Microsoft (even if Microsoft does not compile quite a number of their own executables with those switches — just look at Windows 10, the ‘most secure’ Windows…), and compile 7-Zip… And… the folks at Microsoft better shut up…
-
I really like 7-Zip, having used it reliably since XP days.
Would using 7-Zip in a sandbox or VM allow you to check for any malware in the files being opened before moving them to your system? I really like the concept of Qubes OS, where your operating system is separate from the program running in it, and you can separate out the different programs, too. It doesn’t have the novice user friendliness of Windows or Linux Mint, but the idea of not letting programs run promiscuously with your OS really appeals to me for basic safety and security reasons.
Do other products do the same thing, or have they incorporated fixes? I’d hate to move from one product that has been checked closely, to another product that looks better, because no one bothered to check it out yet.
Win 7 Home, 64 bit, Group B
-
I find this interesting, but am not sure I understand the following:
“I really like the concept of Qubes OS, where your operating system is separate from the program running in it”
Does this mean those programs are not allowed to make system calls? Or is it something else?
-
@OscarCP-
As this is getting off topic of 7-Zip… may I refer you to ‘An Introduction to Qubes OS’: https://www.qubes-os.org/intro/
I don’t have the technical answers… but the concept of running everything in separate compartments, but easily available on the desktop, appeals to me. I can put the programs I run in separate Qubes with individualized security settings. They utilize single use, disposable Qubes for opening attachments. Exactly how that is done is beyond me, but Qubes is showing up frequently in searches for the best security based Linux distros.
It is one of the free and open source distros I am exploring prior to end of life for Win 7. I’d be interested in a more detailed, techy take on this. This might be a subject to open in the Linux for Window Wonks forum.
Win 7 Home, 64 bit, Group B
-
Thanks Elly. The link in your reply to my question makes things more clear: various types of applications run on their own and separate virtual machines (VMs), called “qubes”, and these run, in turn, on a Linux-type OS that does not talk to the outside world (except, I imagine, through the keyboard and mouse of the superuser), only the qube VMs do. This makes it, somehow, very hard to infect this submarine OS with malware that comes in from the Internet or some contaminated media in disks or USB memory sticks, etc. All that will go into some qube or qubes instead, where it can be contained by putting in quarantine the infected qube.
This looks like something worthy of further discussion in one of the Linux streams at Woody’s, particularly for those of us looking for alternatives to Windows 7, when it reaches its end of life in less than two years from now.
-
@ OscarCP- That gives a pretty good description of how Qubes is set up… thank you, as it helped me visualize it better in my own mind.
Win 7 Home, 64 bit, Group B
-
The problem with 7Zip is that the encryption is not very strong. Therefore the danger is, if you email a sensitive document that has been encrypted by 7Zip, the encryption could be broken and the document read by a non-authorized person.
Strong encryption would allow you to zip any document, encrypt it, and email it, without having to worry about anyone being able to read it.
WinZip has strong encryption. I use it whenever I have to send a sensitive document. But based on this article, I won’t be using 7Zip.
I like the idea behind Qubes – a separate, isolated sandbox for each OS you want to run; but I never could figure it out, so I finally uninstalled it.
Jim
Group "L" (Linux Mint)
with Windows 8.1 running in a VM
-
Thank you for translating what those problematic processes actually do. I respect encryption, and believe in privacy, so that would be important for me.
You have been experimenting with Linux, too… I have difficulty determining whether it is myself, or the OS that is lacking… and tend to blame myself. You are successful with Linux Mint, I think… and that gives me hope, to keep on experimenting.
Win 7 Home, 64 bit, Group B
-
Create yourself a Linux Live flash drive with persistent storage. I recommend that you choose Linux Mint xfce, and pick the 32-bit or 64-bit version, depending on how much memory you have. (4 GB — 32-bit; 8 or more GB – 64-bit).
Then try it out for a while, to see what you think of it.
You could do the same for Ubuntu and other Linux distros.
Jim
Group "L" (Linux Mint)
with Windows 8.1 running in a VM
-
anonymous
It does have some hardware requirements; check their information.
Check also Qubes OS Tutorials by Switched to Linux on YouTube.
-
The 7z archive format requires strong AES-256 encryption.
“There are actually two types of Zip file encryption. The older Zip 2.0 encryption is extremely insecure, while the newer AES encryption is fairly secure.”
More here:
-
anonymous
The problem with 7Zip is that the encryption is not very strong. Therefore the danger is, if you email a sensitive document that has been encrypted by 7Zip, the encryption could be broken and the document read by a non-authorized person.
@mrjimphelps, I’m afraid you’re somewhat misinformed. I use the latest non-beta version of 7-zip, 18.01, and the only option I have when I want to encrypt a file when adding it to an archive/zipping it up is AES 256. The old option of the ZipCrypto encryption algorithm is gone, at least for me on Win 7 x64 SP1.
-
“Would using 7-Zip in a sandbox or VM allow you to check for any malware in the files being opened before moving them to your system?”
There is a security benefit to using 7-Zip in a virtual machine instead of on your physical computer. The issue in this topic though is with purposely malformed archive files, not the file(s) contained within a given archive file.
-
So it is a problem with the ‘envelope’ rather than the letter inside?
Win 7 Home, 64 bit, Group B
-
So, if this actually mattered, then, as per Woody, the same worries could be said to be justified with WinRAR. So, what about WinZip? Or gzip, for that matter? Or good old UNIX “compress”? Not sure about WinZip, but those other two don’t seem to be getting lots of updates of late.
-
anonymous
To answer your question one would need to ask the creators or maintainers of the program and optionally have a file analyzer tool to tell you about it.
-
anonymous
thank you for your post (i agree)
-
I will not 🙂
-
Is this about my question on WinZip, gzip and compress?
If so, what I was hoping for was some guidance. I am afraid these answers are a little too terse for me. If they are, indeed, for me. If not, am curious, what are they about?
-
Woody’s post mentions Stefan Kanthak’s concern because 7-Zip installs (or at least can install) a Windows Explorer shell extension. Here is the reason that using a Windows Explorer shell extension that doesn’t use the appropriate security measures is bad news: Quickpost: “It Does No Harm…” or Does It?
-
There are two ways in which the presence of the 7-Zip shell extension can be a security concern:
1. The presence of a non-ASLR DLL in whatever processes the 7-Zip shell extension DLL is used in (such as explorer.exe) means that 7-Zip code is available in predictable memory locations in those process(es), which can let an exploit use return-oriented programming gadgets.
2. If there is a vulnerability in the 7-Zip shell extension DLL, then it might be possible that this vulnerable code could be triggered in Windows/File Explorer (or whatever other processes the 7-Zip shell extension DLL is used in) if a specially-crafted archive file is present without even opening it, in a manner similar to what is described here.
-
From Security-Risk: Avoid 7-Zip: “Let’s get to the beef of this article. The developer of this tool refuse to hardening its software against unknown security vulnerabilities. To harden software with respect to the exploitability of unknown vulnerabilities, developers can specify different options when linking modules to an executable binary file. This Microsoft document introduces two such options for improving application security. There are other techniques (like compiler options to check for buffer overflow in executable code) of this kind, some of which have been known for many years.”
-
anonymous
Born’s claim that DEP is not enabled on Windows 10 64-bit is simply not true. Maybe he got fed by Russian trolls?
-
Good catch :). From https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/: “The 7-Zip binaries for Windows are shipped with neither the /NXCOMPAT nor the /DYNAMICBASE flags. This means effectively that 7-Zip runs without ASLR on all Windows systems, and DEP is only enabled on Windows x64 or on Windows 10 x86.”
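The landave and MrBrian posts above come down to three things recorded in a PE file’s headers: the /DYNAMICBASE and /NXCOMPAT bits in DllCharacteristics, and whether the linker kept the relocation table (without it, even EMET’s mandatory ASLR cannot rebase the image, which is also why a non-ASLR shell extension DLL sits at a predictable address inside explorer.exe). The script below is an added example, not code from 7-Zip, landave or anyone in this thread; it parses those header fields, runs on two constructed header-only images (no real 7-Zip binary is embedded), and also accepts real files on the command line. /GS stack cookies leave no header flag, so it cannot detect those.

```python
"""Report the linker-level exploit mitigations recorded in a PE header.

Constructed example (not 7-Zip's code). Checks the flags discussed in the thread:
/DYNAMICBASE (ASLR), /NXCOMPAT (DEP), and a stripped relocation table, which
also defeats EMET / Exploit Protection "mandatory ASLR".
"""
import struct
import sys

# IMAGE_FILE_HEADER.Characteristics
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
# IMAGE_OPTIONAL_HEADER.DllCharacteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5


def inspect_pe(data: bytes) -> dict:
    """Parse just enough of the PE headers to judge the ASLR/DEP posture."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, _opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    # Data directories start at 96 (PE32) or 112 (PE32+), preceded by
    # NumberOfRvaAndSizes; entry 5 is the base relocation table (RVA, Size).
    dirs = opt + (96 if magic == PE32_MAGIC else 112)
    num_dirs = struct.unpack_from("<I", data, dirs - 4)[0]
    reloc_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC
        reloc_size = struct.unpack_from("<II", data, entry)[1]
    relocs_present = not (characteristics & IMAGE_FILE_RELOCS_STRIPPED) and reloc_size > 0
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)

    if dynamic_base and relocs_present:
        aslr = "opt-in ASLR (/DYNAMICBASE with relocation table)"
    elif dynamic_base:
        aslr = "/DYNAMICBASE set but relocation table stripped: image cannot be rebased"
    elif relocs_present:
        aslr = "no /DYNAMICBASE; mandatory ASLR (EMET / Exploit Protection) can still rebase it"
    else:
        aslr = "no ASLR and no relocation table: mandatory ASLR cannot help"
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": dynamic_base,
        "relocs_present": relocs_present,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "guard_cf": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
        "aslr_assessment": aslr,
    }


def build_minimal_pe(pe32plus: bool, characteristics: int, dll_chars: int, reloc_size: int) -> bytes:
    """Constructed, header-only PE image for testing (no sections, no code)."""
    opt_size = 240 if pe32plus else 224          # 16 data directories included
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    dirs = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dirs - 4, 16)    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x2000, reloc_size)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, characteristics)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE signature right after DOS header
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: (1) the posture landave describes for the shipped 7-Zip
# binaries (no /DYNAMICBASE, no /NXCOMPAT, relocations stripped); (2) a rebuild
# with both flags set and the relocation table kept.
SHIPPED_STYLE = build_minimal_pe(False, IMAGE_FILE_RELOCS_STRIPPED, 0, 0)
HARDENED_STYLE = build_minimal_pe(
    True, 0,
    IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA,
    0x100,
)

if __name__ == "__main__":
    if len(sys.argv) > 1:                        # inspect real files named on the command line
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, inspect_pe(f.read()))
    else:
        for name, img in (("shipped-style", SHIPPED_STYLE), ("hardened-style", HARDENED_STYLE)):
            print(name, inspect_pe(img)["aslr_assessment"])
```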
-
anonymous
I myself have never been quite clear on what the security problems are. I know that there are no known exploits, but what sort of exploit is theoretically possible?
If the problem is merely the Explorer integration having possible security issues, then that can be turned off. You have to run the app as administrator, but you can uncheck the options. I have now done so, and I’ll see how convenient it is.
I already only use 7-zip for non ZIP archives.
-
The solution seems simple and was proposed early on in the these comments about the issue. Someone who knows what they are doing needs to recompile the 7-zip source code with the necessary switches and see if the resulting executable is stable and functional. If so, release it to the public (with all the appropriate credit to the original author). Igor will quickly see that most will choose the new version over the old if given a choice when downloading 7-zip.
Most users do not compress files with a stopwatch in their hand and don’t really care about max speed over security and functionality – free, useful and reliable is all that most care about.
With billions of internet users and millions using 7-zip including 3rd party vendors making use of 7-zip functionality, someone must have recompiled it by now…
-
“The core of the problem: Pavlov refuses to add ASLR (Address Space Layout Randomization) to the product, and won’t compile 7-Zip with the /GS Buffer Security Check flag.”
Background info on ASLR: On the effectiveness of DEP and ASLR (2010).
-
From Software defense: mitigating common exploitation techniques (December 2013): “[…] real-world exploits for software vulnerabilities have become increasingly reliant on executable images that have not enabled support for ASLR.”
-
The state-of-the-art in exploitation development has moved on since that 2013 article. See ROP is Dying and Your Exploit Mitigations are on Life Support (July 2016); that link has some vendor-specific info but the more general info included is good.
-
The code and memory mitigations of HitmanPro.Alert are available on a per application basis, and include hardware assisted Control-Flow Integrity on supported CPUs.
https://i.imgur.com/LopmOr8.png
-
The 7-Zip developer commented at #1270 enable DEP and ASLR (this is a cached version since sourceforge seems to be having problems now).
-
anonymous
From Woody’s post:
I’m not so concerned about individual, manual use, but the incorporation of 7-Zip binaries into other packages. An anonymous poster here on AskWoody came up with a long list of other packages that rely on 7-Zip, including WinRAR, Flash, and some .NET applications.
I’m the “anonymous” who posted the said list of 3rd-party software that use standalone or embedded 7-zip libraries. It isn’t a comprehensive list (more an outline), but may perhaps provide an idea of how large the potential attack surface area could be.
Before that, I also highlighted (31 Jan 2018) in the same forum thread that 7-zip v18.01 stable (29 Jan 2018) may not have included a fix for the ASLR security vulnerability, since the changelog makes no mention of it. (And neither does the latest v18.02 beta [03 Mar 2018] include the said fix.)
At that time, nobody seemed to be talking about this issue. But I was/am curious to know about the possible impacts of leaving the ASLR vulnerability unfixed, & what precautions I can take wrt malformed archive files from external sources.
Taking 7-zip as an example, its “extra” package (which contains the commandline EXE & DLL plugins) is offered as a 7z download. And 7-zip’s official website & downloads are strictly HTTP, which makes them susceptible to MitM compromises. Would scanning malformed archive files with a malware scanner flag them as malicious?
Note: I’ve no IT training & can’t read source-code — much less compile software. I’m just a daily end-user of 7-zip & numerous 3rd-party software that use 7-zip libraries.
I also mentioned in the aforementioned 7-zip thread that Landave (the security researcher who blogged about 7-zip’s vulnerabilities) did compile 7-zip with fixes for all the known security vulnerabilities in Jan 2018.
And the resulting increase in binary size is apparently just 8-9 KB — contrary to 7-zip developer’s concern that doing so would bloat the binary.
-
anonymous
Noel Carboni said:
My first thought on this is that maybe the author knows more about what he’s doing than the folks “pressuring” him to enable switches that may have downsides.
MrJimPhelps said:
whenever I read that the author of a program like 7/Zip refuses to include essential security features in his product, I wonder if he was told not to include these features.
7-zip’s developer did explain why he does not want to fix the issues that make 7-zip less secure. That’s because years before Landave blogged about it, there were already users who noticed the same issues with 7-zip.
Back in Mar 2012, there was a user request for ASLR (Address Space Layout Randomization) & DEP (Executable Space Protection) to be enabled in 7-zip.
The developer’s response was:
I suppose that problem is more complex than just compiler switch. No time for these things now. Maybe later I’ll look it. I still use old compiler for 32-bit version.
And elsewhere on Twitterverse (13 May 2016):
https://twitter.com/ericlaw/status/731178499424329728
It’s important to upgrade 7zip to v16 to avoid security bugs. Get the unsigned, DLL hijackable installer via HTTP…and be aware that ASLR is disabled and 7-zip doesn’t work with SmartScreen/Windows security.
More recently in Sep 2017, another 2 users raised the same request with 7-zip’s developer. His response is quoted as follows:
It’s not BUG. It’s feature or missing of feature.
7-Zip doesn’t use ASLR. Files are smaller so. ASLR is new feature. I use old [compilers] and linkers without ASLR support. I can compile with /FIXED:NO and patch for ASLR flag with another tool. But ASLR is just some additional level of protection. There is no big gain from it.
DEP is good thing. But it’s [unclear] for me why there is 32-bit and 64-bit code difference.
As for the “files are smaller so” remark, 7-zip with ASLR enabled is a mere 8-9 KB (kilobytes) larger — as I’d mentioned earlier on.
-
The conclusion from the author of an exploit of a 2016 7-Zip vulnerability: “Still lack of current standard mitigations in some products makes exploitation significantly easier.”
-
anonymous
Can someone post easy instructions to install EMET on Windows 7 and what settings to use for 7-Zip? It’s a little bit complicated for some people who have never used it.
-
The included “Popular Software.xml” template includes 7-Zip; see http://www.windowsmanagementexperts.com/emet-enhanced-mitigation-experience-toolkit/emet-enhanced-mitigation-experience-toolkit.htm for more details. If you choose not to use that template, then see EMET mitigations guidelines.
Since 7-Zip can install a shell extension, you may also wish to consider using EMET on whatever processes the 7-Zip shell extension DLL is used in.
-
anonymous
Such as Windows 7’s “explorer.exe” image, since it (7-zip) has a Windows shell extension feature which lets it show up as an option when you right click on a file?
-
Correct :).
-
You can turn off the shell integration in 7z if you wish. I have! 🙂
-
Me too.
May I recommend to others: Nir Sofer’s Shell Extensions Viewer
-Noel
-
Another security issue with 7-Zip is that it doesn’t use “mark of the web.”
-
anonymous
I actually find “mark of the web” especially annoying on zip files. I hate how Windows handles it, at least. It should just warn me when I unzip, not apply it to all the unzipped files. That can make programs not work if a DLL or necessary EXE gets marked. And then I have to manually go through and unmark them.
This is not the case with an installer, which is, at its core, just a glorified archive. So I don’t see why it should apply to archives.
Sure, I wouldn’t mind if 7Zip warned me before unarchiving, but I largely find the warning useless. I know I got the file from online. That’s why I put it in my Downloads folder. And, usually, I just finished downloading it.
Smartscreen is at least a step in the right direction, only warning me if the file is not one that is recognized as safe. That’s actually a useful warning. Unfortunately, I use Windows 7, so I don’t get that feature. I just get the annoying popup I have to click through–or, worse, with ZIP files, I have to choose Open Download Folder, right click on Properties, and remove the checkbox so I can then unzip it and have a working program when I’m finished.
I’ve actually had huge archives that took hours to unzip, and then just deleted the files and did it again over this mark-of-the-web thing. It’s easier than going through every single file.
-
Smartscreen is at least a step in the right direction, only warning me if the file is not one that is recognized as safe. That’s actually a useful warning. Unfortunately, I use Windows 7, so I don’t get that feature.
SmartScreen is a function within Internet Explorer, not Windows 7. To bypass, see http://www.thewindowsclub.com/bypass-smartscreen-filter-ie-edge.
Win 7 SP1 Home Premium 64-bit; Office 2010; Group B; Former 'Tech Weenie'
-
My preferred way of verifying a downloaded/unzipped executable file is to check it with VirusTotal.
There is a handy little free utility from Nirsoft, ‘HashMyFiles’, that has an option to ‘Enable Explorer Context Menu – Virus Total’. That makes VirusTotal a completely integrated solution from within Windows File Explorer.
Just right click on any file in Windows Explorer and select ‘Open in VirusTotal Web Site’. The file hash is transmitted to VirusTotal and your browser will be presented with the score from multiple AV engines if it is a previously submitted sample. If the sample is new, you can upload the entire file for analysis as long as it is under 128MB.
http://www.nirsoft.net/utils/hash_my_files.html
Highly recommended! 🙂
-
I did tests on a Windows 7 x64 virtual machine using 7-Zip v18.01 x64 and x86 and setdllcharacteristics v0.0.0.1. setdllcharacteristics results for 7-Zip v18.01 x64: https://pastebin.com/h3M2zaUm. setdllcharacteristics results for 7-Zip v18.01 x86: https://pastebin.com/4zfdqmyX. For all files, the DEP switch (NX_COMPAT) is set to 1; this is good news. For all .dll files, the ASLR switch (DYNAMIC_BASE) is set to 1; this is good news. For all .exe and .sfx files, the ASLR switch (DYNAMIC_BASE) is set to 0; this is bad news but not unexpected.
I also did tests using 7-Zip v18.01 x64, Process Explorer v16.21 (DEP column in upper pane; ASLR and Base Address columns in lower pane), and EMET v5.52. See https://blog.didierstevens.com/2011/01/18/quickpost-checking-aslr/ and http://www.itprotoday.com/security/q-how-can-i-check-effect-windows-address-space-layout-randomization-aslr-feature-windows for more details.
My conclusions:
1. For the 7-Zip v18.01 x64 shell extension, ASLR for explorer.exe’s 7-zip.dll works according to Process Explorer (both the ASLR and Base Address columns); the Base Address field for explorer.exe’s 7-zip.dll changed from one boot to another boot. This is good news.
2. For the 7-Zip v18.01 x86 shell extension, I didn’t test with Process Explorer, but the setdllcharacteristics results for 7-Zip v18.01 x86’s DLL files are encouraging.
3. Using setdllcharacteristics to change the ASLR switch (DYNAMIC_BASE) of 7-Zip v18.01 x64 file manager (7zFM.exe) doesn’t have any security effect according to Process Explorer Base Address tests. This is not surprising per https://www.askwoody.com/forums/topic/is-it-time-to-give-up-on-7-zip/#post-171967. But if you want to try anyway, see one of the comments at http://www.dslreports.com/forum/r30754614-Flawed-7-Zip-compression-tool-opens-systems-to-hack-Update-it-now.
4. EMET’s Mandatory ASLR mitigation doesn’t have any effect for the 7-Zip v18.01 x64 file manager (7zFM.exe) according to Process Explorer Base Address tests. This is not surprising per https://www.askwoody.com/forums/topic/is-it-time-to-give-up-on-7-zip/#post-171967. However, it’s still a good idea to use EMET for 7-Zip’s .exe files because of EMET’s other mitigations.
5. DEP is on for the 7-Zip v18.01 x64 file manager (7zFM.exe) according to Process Explorer; this is good news but not unexpected because according to https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/, “At least he will try to enable /NXCOMPAT for the next release.”
7. The presence of the 7-Zip v18.01 shell extension (at least for the x64 version) is not as much of a security risk as I thought prior to today’s tests because issue #1 at https://www.askwoody.com/forums/topic/is-it-time-to-give-up-on-7-zip/#post-172133 shouldn’t actually be an issue (see conclusions #1 and #2).
8. I plan to keep using 7-Zip, although I am disappointed in the 7-Zip developer’s decisions that result in the 7-Zip exe’s not using ASLR, even if you use a program such as EMET on the 7-Zip exe’s.
-
anonymous
If there’s one thing I really hate, it’s when people say things like “What year is it @7zip ?? You guys still running on 90’s hardware??”. This should not be an excuse for bloating a program. I did not buy a faster CPU and more RAM so that developers could get lazy and bloat their applications. I bought them to run the same stuff, and more of it. It’s this kind of thinking that leads to software bloat and feature creep.
That said, I still plan on using 7-zip. Nothing comes close to how efficient 7z is. WinRAR is slow, and too much flash and bang, and WinZip is bloated. I do think he should enable those compiler switches, even if it adds a tiny bit of bloat, but hey, there’s tons of security holes I’m sure I’m open to these days since technology is all about shoveling in features instead of fixing problems.
-
anonymous
“INSECURE shell extension is loaded into explorer.exe” Probably need a bit more elaboration on that. The 7Z DLL (7-zip.dll) contains a relocation table and is linked with dynamicbase, so ASLR should work. Maybe there is something else wrong with it.
It is the .exe files that have the relocation table stripped, and are not linked with dynamicbase. I’ll give the developer credit though. He knows the two go together. I’ve seen some others with dynamicbase but no relocation table, like VLC.
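The header bits that MrBrian’s setdllcharacteristics tests and the anonymous reply above are talking about (NX_COMPAT for DEP, DYNAMIC_BASE for ASLR, and whether a relocation table is still present) can be read straight out of a PE file. The following is an added example written for this thread, not code from the forum or from the 7-Zip project; it parses those fields from an in-memory image and builds constructed sample headers for the three cases the posts describe. Note that the /GS stack-cookie option is a code-generation setting and leaves no header bit to check.

```python
import struct

# PE header bits discussed in the thread (values from the PE/COFF spec)
DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: ASLR opt-in
NX_COMPAT = 0x0100        # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: DEP opt-in
RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED in the COFF Characteristics
BASE_RELOC_DIR = 5        # index of the base relocation data directory

def pe_mitigations(data: bytes) -> dict:
    """Read DEP/ASLR-relevant header facts from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4
    file_chars = struct.unpack_from("<H", data, coff + 18)[0]  # COFF Characteristics
    opt = coff + 20                                            # optional header
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]    # same offset in PE32/PE32+
    ndirs_off = opt + (108 if pe32plus else 92)                # NumberOfRvaAndSizes
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    reloc_size = 0
    if ndirs > BASE_RELOC_DIR:
        reloc_size = struct.unpack_from("<II", data, ndirs_off + 4 + 8 * BASE_RELOC_DIR)[1]
    aslr_flag = bool(dll_chars & DYNAMIC_BASE)
    has_relocs = not (file_chars & RELOCS_STRIPPED) and reloc_size > 0
    return {
        "pe32plus": pe32plus,
        "dep": bool(dll_chars & NX_COMPAT),
        "aslr_flag": aslr_flag,
        "has_relocs": has_relocs,
        # Patching the flag in afterwards does not help: without a relocation
        # table the loader cannot move the image, so ASLR is only nominal.
        "aslr_effective": aslr_flag and has_relocs,
    }

def build_header(pe32plus: bool, file_chars: int, dll_chars: int, reloc_size: int) -> bytes:
    """Constructed minimal PE header (no sections) used as sample input; not a real 7-Zip file."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, 0, file_chars)
    opt_size = 112 if pe32plus else 96            # optional header bytes before the data directories
    opt = bytearray(opt_size + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)     # Magic
    struct.pack_into("<H", opt, 70, dll_chars)                        # DllCharacteristics
    struct.pack_into("<I", opt, opt_size - 4, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, opt_size + 8 * BASE_RELOC_DIR, 0x1000 if reloc_size else 0, reloc_size)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

To inspect a real file, pass `open(path, "rb").read()` to `pe_mitigations`; the constructed headers from `build_header` only reproduce the exe-without-relocs, dll-with-relocs and flag-patched-exe cases from the thread.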
-
Your statements are consistent with my test results in my previous comments.
-
anonymous
While your previous comments did rule out the ASLR aspect, it requires that we assume that some deficiency in the ASLR implementation was why the integration of 7-Zip into explorer.exe results in a problem, a conclusion I disagree with, and what you tested.
I hate assumptions. So, if the author of the critique had mentioned that the integration of 7-Zip into explorer resulted in inferior security of explorer because of the ASLR deficiency, well then I would have been satisfied (although I disagree with that conclusion). That was certainly in the context of the review. But, still, the way it was worded left open the possibility that something else in 7-Zip.dll creates a problem, and if so, I would have liked to have seen an elaboration of such other problem.
-
Did anyone check the PeaZip binary to see if all 3 of these switches are enabled? I’m sticking with the built-in Windows 10 zip functionality until I can find out. I’ll use a portable version of PeaZip if I have to use one of these more powerful utilities until I can confirm it.
Security should be the top priority for all software, because even if you do try your best – there’s always new vulnerabilities to be found. So if you’re not even trying to make security a priority…
-
I apologize if this is way after the date this was published; but I have 7-Zip, however, I more frequently use WinRAR. I have a version which was registered to my old (out-of-service) Windows Vista computer.
I downloaded the V4 version of WinRAR onto my new(er) computer running Windows 7 x64, and, as a try, input the registration code from the Vista version.
Holy smokes, Bullwinkle. It took it.
[EDITED – pls refer to Lounge Rules] I have a version of 7-Zip, but for my purposes, I am more attuned to using WinRAR.
Some of the semi-anonymous uploaders I utilize will not accept a .7z file – but will accept a .rar file. So that is the file compression scheme I prefer.
Important links you can use, without all the fluff or sales pitch = https://v.gd/sdr28-