|
MS-DEFCON 1:
Current Microsoft patches are causing havoc. Don't patch.
|
-
Is it time to give up on 7-Zip?
Posted on Comment on the AskWoody LoungeThis topic contains 98 replies, has 27 voices, and was last updated by
Steve 6 days, 12 hours ago.
-
I’ve been a 7-Zip for for, like, forever. That’s why it pains me to report that several people — people who know what they’re doing — are taking 7-Z
[See the full post at: Is it time to give up on 7-Zip?] -
I don’t mean to be conspiratorial, but whenever I read that the author of a program like 7/Zip refuses to include essential security features in his product, I wonder if he was told not to include these features.
I have discussed this issue with Igor Pavlov and tried to convince him to enable all three flags. However, he refused to enable /DYNAMICBASE [the ASLR flag] because he prefers to ship the binaries without relocation table to achieve a minimal binary size. Moreover, he doesn’t want to enable /GS, because it could affect the runtime as well as the binary size.
From what I have heard many times, the US government (specifically the NSA) pressures companies to include back doors in their products.
Group "L" (Linux Mint)
with Windows 8.1 running in a VM-
-
He he, there are always other interested organizations in this sort of stuff, not only NSA.
The issue with the backdoors is that sooner or later, all those interested will find out and use those backdoors, not only the original sponsor. Sometimes even “script kiddies” take advantage when the backdoors are made public and the systems do not keep up with patching.
While it is not clear if those backdoors are allowed on purpose in the first place, based on current information it is safe to assume so.5 users thanked author for this post.
-
-
If not 7-Zip, then what other program that does what 7-Zip does AND doesn’t contain the security holes about which you are concerned? (Redundant of post entered before logging in and tagged as anonymous.)
2 users thanked author for this post.
-
From what I’ve read, 7-ZIP would not need to be replaced. It’s open-source, so anyone can recompile the source code with the added security. And EMET or Windows Exploit Protection may be able to provide sufficient protections if you are running the most up to date versions of 7-ZIP. In Linux, there’s AppArmor, which may be able to add similar protections to PeaZIP (which is based on the 7-ZIP binaries). I am not a security or coding expert, but it seems a fix could be developed and released as a derivative or fork of 7-ZIP. I doubt the author of 7-ZIP would object, as long as he gets due credit.
-- rc primak
-
This reply was modified 7 months, 2 weeks ago by
rc primak.
-
-
Regular folks would not be aware of the need, or even know what it means to compile something… but if that’s really all it takes, someone out there could take the open-source code and simply compile it with the new compiler directives, and make that compiled product available to the public.
It’s kind of how I believe Waterfox got started… years ago, Mozilla did not offer any official 64-bit builds of Firefox for Windows, so MrAlex94 began to build the Firefox source into 64-bit binaries, so that end users who don’t have the resources or desire to compile it themselves can still benefit. I’m not sure what Mozilla’s reasoning was; they already offered 64-bit versions for Mac and Linux, and from the first moment I tried Waterfox (which only existed in 64-bit form) in Windows, it was more stable than 32-bit Firefox by far.
Now that Mozilla offers 64-bit Windows binaries, the focus of Waterfox has shifted, but in the beginning, it was all about it being compiled differently. The same could apply to 7-Zip, if there is any real demand for it.
Group L (Linux): KDE Neon User Edition 5.14 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM
1 user thanked author for this post.
-
-
This reply was modified 7 months, 2 weeks ago by
-
So I asked Stefan if he had a good alternative to 7-Zip, and this is what he said:
Windows (since ’95) NATIVE archive format .CAB: without delta compression it compresses almost as good as .7z, and with delta compression it performs BETTER than .7z.
Additionally .CAB archives can be digitally (authenticode) signed, which no other format offers (except .ZIP when used for OOXML or OpenXML format files), and both Windows’ SetupAPI and Windows, er, Microsoft Installer as well as the “component based servicing” can process their contents without unpacking the whole archive.
Unfortunately Microsoft does not offer to create .CAB archives in Windows Explorer; users need to call MAKECAB.exe on the command line or use IEXPRESS.exe.
So: .CAB for incoming files, especially installer packages (.MSU are .CAB archives, they just have another extension; .MSI and .MSP contain their payload as .CAB archives, as well as the self-extracting installers provided by Microsoft), and .ZIP for outgoing archives.
Developers and vendors should ALWAYS use and support the NATIVE archive format of the target OS, they should NEVER force their users/customers to install additional software to access or use files they distribute.
The arguments from https://skanthak.homepage.t-online.de/!execute.html apply here too: ALWAYS use the NATIVE format of the target OS, NEVER expect or force your users to jump through loops to access or use what you distribute. People who send/distribute .7z, .RAR, .ARJ or other “strange” formats to Windows users don’t want them to use what they provide.
That’s basically the KISS principle: keep it simple for your users, SAVE them from all possible hassle and additional vulnerabilities, be it “strange” archive formats or executable installers/self-extractors, which are almost always vulnerable, and seduce people to EXECUTE anything they get.
What do you think?
-
anonymous -
anonymous -
-
anonymousWhat Stefan would want you to do is use Microsoft’s native CABinet archive file format with Windows. Stefan is blind to the fact the IExpress utility & makecab programs aren’t widely known by most people to make a .CAB archive. There maybe too few to none other than Microsoft’s programs that can could make one. CAB files are still mostly a Microsoft internal use product.
Microsoft were wise to add .ZIP capabilities to explorer in part because of its ubiquity, it has been widely known since approximately the latter half of the 1980s. So you can ignore the advice for Windows. For GNU/Linux, Unix he generally right because many files are TARed & GZipped for distribution.
Did this clarify or create befuddlement in your brain?
1 user thanked author for this post.
-
-
-
-
In their ivory towers, experts may have opinions, but the fact is that tools such as 7-zip that open a large variety of formats are needed because the OS simply doesn’t provide native support for all the formats.
Ever download a .tar.gz file from, say, an open source library site? It’s in that format because (surprise) the world doesn’t revolve around Microsoft. I assume the answer will be yes as it is for so many of us. If so, what did you use to open it?
And regarding “native” support for .CAB… The underlying SDK APIs to access CAB files were already outdated at the turn of the millenium. Now they’re positively ancient. I know because we’ve coded software to create .CAB files to contain submitted error reports recently.
I have to ask: Are a lot of people being infected by 7-zip? “Theoretical” vulnerabilities do serve to help people improve products, but is 7-zip really proving worthy of such worry?
-Noel
-
-
Delta compression cab or better known as Intra Package Delta is an exclusive for Microsoft updates, it’s not available in Windows and no one can create it but them
as i pointed, even Microsoft uses 7z library to pack .NET executable updates
-
-
7Zip exploit protection settings recommendation
https://malwaretips.com/threads/7zip-exploit-protection-settings-recommendation.76887/
(etc) …
That was me, in the below Anonymous Posting (#171747)
— rc primak —
-- rc primak
-
This reply was modified 7 months, 2 weeks ago by
-
anonymous -
Comment from landave: “While mandatory ASLR is a nice feature (and will be supported by Windows 10 even without EMET), it will not work for binaries with stripped relocation table. Igor seems to do exactly this to reduce the size of the binary.
Also, EMET cannot give you stack canaries if the binary is not compiled with /GS.”
3 users thanked author for this post.
-
This reply was modified 7 months, 2 weeks ago by
-
RC Primak7Zip exploit protection settings recommendation
https://malwaretips.com/threads/7zip-exploit-protection-settings-recommendation.76887/
So, with either EMET or Exploit Guard, MS Windows can be configured to make 7-ZIP adhere to the recommended security protocols. So what’s the flap about?
In Linux, AppArmor can provide similar protection to PeaZip, which is based on 7-ZIP’s binaries.
Or you can go out, get the binary’s source code, add ASLR and other security .dll’s (or whatever Linux uses), and recompile your own secure version of 7-ZIP and PeaZIP. And if anyone does this, hopefully they will share the resulting package with the rest of us.
-
anonymousThankfully it is open and people with knowledge can recompile it to their liking. 7-zip compression is used in software deployment, hopefully the software engineers will see have this and do what is necessary to make it a little more secure.
Their are not many software solutions that can compress like 7-zip. 🙁
1 user thanked author for this post.
-
anonymous-
The power went out at my office just about the time that you posted with “their”. Does that count? 😉
1 user thanked author for this post.
-
-
-
7 Zip wow haven’t used that in a while. I remember it being included in some HP PC if I am not mistaken. These days I just use the built in unzipper in Windows 10 for what I need. Its not unfamiliar to me though, plenty of PC’s I work on still have it installed.
1 user thanked author for this post.
-
-
anonymous-
anonymous
-
-
-
-
anonymous -
While I appreciate the news in the first place, I think that there is an over-reaction here. There are enterprise products which still do not implement ASLR or recommend disabling it for performance reasons, so targeting 7-zip here is unfair at least. There are boundaries to what is and what is not a critical security issue. And the fact that a Microsoft rep recommends implementing Microsoft security technologies built-in Windows is not something new. It is certainly preferable to have those technologies in place, but the lack of them does not inherently make a product insecure.
-
My first thought on this is that maybe the author knows more about what he’s doing than the folks “pressuring” him to enable switches that may have downsides.
Imagine, for example, a compile/link switch that makes the code measurably less efficient, but does not really provide any substantial benefit when considering how the product actually works. Who would want such a switch thrown? Those who would benefit from selling people new hardware?
It is my considered opinion that computer security, as discussed by the public, is more marketing and hype than substance.
-Noel
-
-
anonymousAnyone caught by the ridiculous security hysteria spread by utterly useless zealots and talking-heads should download the 7-Zip source code, fix all security bugs, if any, apply the ‘security’ compiler switches recommended by Microsoft (even if Microsoft does not compile quite a number of their own executables with those switches — just look at Windows 10, the ‘most secure’ Windows…), and compile 7-Zip… And… the folks at Microsoft better shut up…
1 user thanked author for this post.
-
I really like 7-Zip, having used it reliably since XP days.
Would using 7-Zip in a sandbox or VM allow you to check for any malware in the files being opened before moving them to your system? I really like the concept of Qubes OS, where your operating system is separate from the program running in it, and you can separate out the different programs, too. It doesn’t have the novice user friendliness of Windows or Linux Mint, but the idea of not letting programs run promiscuously with your OS really appeals to me for basic safety and security reasons.
Do other products do the same thing, or have they incorporated fixes? I’d hate to move from one product that has been checked closely, to another product that looks better, because no one bothered to check it out yet.
Win 7 Home, 64 bit, Group B
-
-
@OscarCP-
As this is getting off topic of 7-Zip… may I refer you to ‘An Introduction to Qubes OS’: https://www.qubes-os.org/intro/
I don’t have the technical answers… but the concept of running everything in separate compartments, but easily available on the desktop, appeals to me. I can put the programs I run in separate Qubes with individualized security settings. They utilize single use, disposible Qubes for opening attachments. Exactly how that is done is beyond me, but Qubes is showing up frequently in searches for the best security based Linux distros.
It is one of the free and open source distros I am exploring prior to end of life for Win 7. I’d be interested in a more detailed, techy take on this. This might be a subject to open in the Linux for Window Wonks forum.
Win 7 Home, 64 bit, Group B
-
Thanks Elly. The link in your reply to my question makes things more clear: various types of applications run on their own and separate virtual machines (VMs), called “qubes”, and these run, in turn, on a Linux-type OS that does not talk to the outside world (except, I imagine, through the keyboard and mouse of the superuser), only the qube VMs do. This makes it, somehow, very hard to infect this submarine OS with malware that comes in from the Internet or some contaminated media in disks or USB memory sticks, etc. All that will go into some qube or qubes instead, where it can be contained by putting in quarantine the infected qube.
This looks like something worthy of further discussion in one of the Linux streams at Woody’s, particularly for those of us looking for alternatives to Windows 7, when it reaches its end of life in less than two years from now.
1 user thanked author for this post.
-
@ OscarCP- That gives a pretty good description of how Qubes is set up… thank you, as it helped me visualize it better in my own mind.
Win 7 Home, 64 bit, Group B
-
-
-
-
The problem with 7Zip is that the encryption is not very strong. Therefore the danger is, if you email a sensitive document that has been encrypted by 7Zip, the encryption could be broken and the document read by a non-authorized person.
Strong encryption would allow you to zip any document, encrypt it, and email it, without having to worry about anyone being able to read it.
WinZip has strong encryption. I use it whenever I have to send a sensitive document. But based on this article, I won’t be using 7Zip.
I like the idea behind Qubes – a separate, isolated sandbox for each OS you want to run; but I never could figure it out, so I finally uninstalled it.
Jim
Group "L" (Linux Mint)
with Windows 8.1 running in a VM-
Thank you for translating what those problematic processes actually do. I respect encryption, and believe in privacy, so that would be important for me.
You have been experimenting with Linux, too… I have difficulty determining whether it is myself, or the OS that is lacking… and tend to blame myself. You are successful with Linux Mint, I think… and that gives me hope, to keep on experimenting.
Win 7 Home, 64 bit, Group B
-
Create yourself a Linux Live flash drive with persistent storage. I recommend that you choose Linux Mint xfce, and pick the 32-bit or 64-bit version, depending on how much memory you have. (4 GB — 32-bit; 8 or more GB – 64-bit).
Then try it out for a while, to see what you think of it.
You could do the same for Ubuntu and other Linux distros.
Jim
Group "L" (Linux Mint)
with Windows 8.1 running in a VM1 user thanked author for this post.
-
-
anonymousIt does have some hardware requirements, check their information.
Check also Qubes OS Tutorials by Switched to Linux on YouTube.
1 user thanked author for this post.
-
The 7z archive format requires strong AES-256 encryption.
“There are actually two types of Zip file encryption. The older Zip 2.0 encryption is extremely insecure, while the newer AES encryption is fairly secure.”
More here:
-
anonymous
-
-
-
So it is a problem with the ‘envelope’ rather than the letter inside?
Win 7 Home, 64 bit, Group B
-
-
-
-
anonymous
-
-
anonymous -
I will not 🙂
4 users thanked author for this post.
-
-
Okay, if having insecure product installed, then you wouldn’t use Winblows… but seriously, what is actually wrong with 7-Zip not using ASLR or DEP? Correct me if I am wrong, but it would take a malformed archive to cause any problems; you should be able to trust your own 7z files and you shouldn’t open any archive that isn’t trusted.
Encryption, what is the problem here? There is AES-256 for the encryption, is the “password” not used properly to encrypt AES-256, it is not the key? Or is the password used insecurely to get the real key?
1 user thanked author for this post.
-
Woody’s post mentions Stefan Kanthak’s concern because 7-Zip installs (or at least can install) a Windows Explorer shell extension. Here is the reason that using a Windows Explorer shell extension that doesn’t use the appropriate security measures is bad news: Quickpost: “It Does No Harm…” or Does It?
5 users thanked author for this post.
-
There are two ways in which the presence of the 7-Zip shell extension can be a security concern:
1. The presence of a non-ASLR DLL in whatever processes the 7-Zip shell extension DLL is used in (such as explorer.exe) means that 7-Zip code is available in predictable memory locations in those process(es), which can let an exploit use return-oriented programming gadgets.
2. If there is a vulnerability in the 7-Zip shell extension DLL, then it might be possible that this vulnerable code could be triggered in Windows/File Explorer (or whatever other processes the 7-Zip shell extension DLL is used in) if a specially-crafted archive file is present without even opening it, in a manner similar to what is described here.
1 user thanked author for this post.
-
-
From Security-Risk: Avoid 7-Zip: “Let’s get to the beef of this article. The developer of this tool refuse to hardening its software against unknown security vulnerabilities. To harden software with respect to the exploitability of unknown vulnerabilities, developers can specify different options when linking modules to an executable binary file. This Microsoft document introduces two such options for improving application security. There are other techniques (like compiler options to check for buffer overflow in executable code) of this kind, some of which have been known for many years.”
1 user thanked author for this post.
-
anonymous
-
-
anonymous -
The solution seems simple and was proposed early on in the these comments about the issue. Someone who knows what they are doing needs to recompile the 7-zip source code with the necessary switches and see if the resulting executable is stable and functional. If so, release it to the public (with all the appropriate credit to the original author). Igor will quickly see that most will choose the new version over the old if given a choice when downloading 7-zip.
Most users do not compress files with a stopwatch in their hand and don’t really care about max speed over security and functionality – free, useful and reliable is all that most care about.
With billions of internet users and millions using 7-zip including 3rd party vendors making use of 7-zip functionality, someone must have recompiled it by now…
-
-
-
-
The code and memory mitigations of HitmanPro.Alert are available on a per application basis, and include hardware assisted Control-Flow Integrity on supported CPUs.
https://i.imgur.com/LopmOr8.png
1 user thanked author for this post.
-
-
-
-
anonymousFrom Woody’s post:
I’m not so concerned about individual, manual use, but the incorporation of 7-Zip binaries into other packages. An anonymous poster here on AskWoody came up with a long list of other packages that rely on 7-Zip, including WinRAR, Flash, and some .NET applications.I’m the “anonymous” who posted the said list of 3rd-party software that use standalone or embedded 7-zip libraries. It isn’t a comprehensive list (more an outline), but may perhaps provide an idea of how large the potential attack surface area could be.
Before that, I also highlighted (31 Jan 2018) in the same forum thread that 7-zip v18.01 stable (29 Jan 2018) may not have included a fix for the ADSL security vulnerability, since the changelog makes no mention of it. (And neither does the latest v18.02 beta [03 Mar 2018] include the said fix.)
At that time, nobody seemed to be talking about this issue. But I was/am curious to know about the possible impacts of leaving the ADSL vulnerability unfixed, & what precautions I can take wrt malformed archive files from external sources.
Taking 7-zip as an example, its “extra” package (which contains the commandline EXE & DLL plugins) is offered as a 7z download. And 7-zip’s official website & downloads are strictly HTTP, which makes them susceptible to MitM compromises. Would scanning malformed archive files with malware scanner flag them as malicious ?
Note: I’ve no IT training & can’t read source-code — much less compile a software. I’m just a daily end-user of 7-zip & numerous 3rd-party software that use 7-zip libraries.
I also mentioned in the the aforementioned 7-zip thread that Landave (the security researcher who blogged about 7-zip’s vulnerabilities) did compile 7-zip with fixes for all the known security vulnerabilities in Jan 2018.
And the resulting increase in binary size is apparently just 8-9 KB — contrary to 7-zip developer’s concern that doing so would bloat the binary.
-
anonymousNoel Carboni said:
My first thought on this is that maybe the author knows more about what he’s doing than the folks “pressuring” him to enable switches that may have downsides.MrJimPhelps said:
whenever I read that the author of a program like 7/Zip refuses to include essential security features in his product, I wonder if he was told not to include these features.7-zip’s developer did explain why he does not want to fix the issues that make 7-zip less secure. That’s because years before Landave blogged about it, there were already users who noticed the same issues with 7-zip.
Back in Mar 2012, there was a user request for ASLR (Address Space Layout Randomization) & DEP (Executable Space Protection) to be enabled in 7-zip.
The developer’s response was:
I suppose that problem is more complex than just compiler switch. No time for these things now. Maybe later I’ll look it. I still use old compiler for 32-bit version.
And elsewhere on Twitterverse (13 May 2016):
https://twitter.com/ericlaw/status/731178499424329728
It’s important to upgrade 7zip to v16 to avoid security bugs. Get the unsigned, DLL hijackable installer via HTTP…and be aware that ASLR is disabled and 7-zip doesn’t work with SmartScreen/Windows security.
More recently in Sep 2017, another 2 users raised the same request with 7-zip’s developer. His response is quoted as follows:
It’s not BUG. It’s feature or missing of feature.
7-Zip doesn’t use ASLR. Files are smaller so. ASLR is new feature. I use old [compilers] and linkers without ASLR support. I can compile with /FIXED:NO and patch for ASLR flag with another tool. But ASLR is just some additional level of protection. There is no big gain from it.
DEP is good thing. But it’s [unclear] for me why there is 32-bit and 64-bit code difference.
As for the “files are smaller so” remark, 7-zip with ASLR enabled is a mere 8-9 KB (kilobytes) larger — as I’d mentioned earlier on.
-
The conclusion from the author of an exploit of a 2016 7-Zip vulnerability: “Still lack of current standard mitigations in some products makes exploitation significantly easier.”
-
This reply was modified 7 months, 2 weeks ago by
MrBrian.
1 user thanked author for this post.
-
This reply was modified 7 months, 2 weeks ago by
-
anonymous-
The included “Popular Software.xml” template includes 7-Zip; see http://www.windowsmanagementexperts.com/emet-enhanced-mitigation-experience-toolkit/emet-enhanced-mitigation-experience-toolkit.htm for more details. If you choose not to use that template, then see EMET mitigations guidelines.
Since 7-Zip can install a shell extension, you may also wish to consider using EMET on whatever processes the 7-Zip shell extension DLL is used in.
1 user thanked author for this post.
-
anonymous -
You can turn off the shell integration in 7z if you wish. I have! 🙂
3 users thanked author for this post.
-
-
-
-
anonymous-
Smartscreen is at least a step in the right direction, only warning me if the file is not one that is recognized as safe. That’s actually a useful warning. Unfortunately, I use Windows 7, so I don’t get that feature.
SmartScreen is a function within Internet Explorer, not Windows 7. To bypass, see http://www.thewindowsclub.com/bypass-smartscreen-filter-ie-edge.
Win 7 SP1 Home Premium 64-bit; Office 2010; Group B; Former 'Tech Weenie'
-
This reply was modified 7 months, 2 weeks ago by
SueW.
-
My preferred way of verifying a downloaded/unzipped executable file is to check it with VirusTotal.
There is a handy little free utility from Nirsoft, ‘HashMyFiles’, that has an option to ‘Enable Explorer Context Menu – Virus Total’. That make VirusTotal a completely integrated solution from within Windows file explorer.
Just right click on any file in Windows explorer and select ‘Open in VirusTotal Web Site’. The file hash is transmitted to VirusTotal and your browser will be presented with the score from multiple AV engines if it is a previously submitted sample. If the sample is new, you can upload the entire file for ananlysis as long as it is under 128MB.
http://www.nirsoft.net/utils/hash_my_files.html
Highly recommended! 🙂
1 user thanked author for this post.
-
This reply was modified 7 months, 2 weeks ago by
-
-
I did tests on a Windows 7 x64 virtual machine using 7-Zip v18.01 x64 and x86 and setdllcharacteristics v0.0.0.1. setdllcharacteristics results for 7-Zip v18.01 x64: https://pastebin.com/h3M2zaUm. setdllcharacteristics results for 7-Zip v18.01 x86: https://pastebin.com/4zfdqmyX. For all files, the DEP switch (NX_COMPAT) is set to 1; this is good news. For all .dll files, the ASLR switch (DYNAMIC_BASE) is set to 1; this is good news. For all .exe and .sfx files, the ASLR switch (DYNAMIC_BASE) is set to 0; this is bad news but not unexpected.
I also did tests using 7-Zip v18.01 x64, Process Explorer v16.21 (DEP column in upper pane; ASLR and Base Address columns in lower pane), and EMET v5.52. See https://blog.didierstevens.com/2011/01/18/quickpost-checking-aslr/ and http://www.itprotoday.com/security/q-how-can-i-check-effect-windows-address-space-layout-randomization-aslr-feature-windows for more details.
My conclusions:
1. For the 7-Zip v18.01 x64 shell extension, ASLR for explorer.exe’s 7-zip.dll works according to Process Explorer (both the ASLR and Base Address columns); the Base Address field for explorer.exe’s 7-zip.dll changed from one boot to another boot. This is good news.
2. For the 7-Zip v18.01 x86 shell extension, I didn’t test with Process Explorer, but the setdllcharacteristics results for 7-Zip v18.01 x86’s DLL files are encouraging.
3. Using setdllcharacteristics to change the ASLR switch (DYNAMIC_BASE) of 7-Zip v18.01 x64 file manager (7zFM.exe) doesn’t have any security effect according to Process Explorer Base Address tests. This is not surprising per https://www.askwoody.com/forums/topic/is-it-time-to-give-up-on-7-zip/#post-171967. But if you want to try anyway, see one of the comments at http://www.dslreports.com/forum/r30754614-Flawed-7-Zip-compression-tool-opens-systems-to-hack-Update-it-now.
4. EMET’s Mandatory ASLR mitigation doesn’t have any effect for the 7-Zip v18.01 x64 file manager (7zFM.exe) according to Process Explorer Base Address tests. This is not surprising per https://www.askwoody.com/forums/topic/is-it-time-to-give-up-on-7-zip/#post-171967. However, it’s still a good idea to use EMET for 7-Zip’s .exe files because of EMET’s other mitigations.
5. DEP is on for the 7-Zip v18.01 x64 file manager (7zFM.exe) according to Process Explorer; this is good news but not unexpected because according to https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/, “At least he will try to enable /NXCOMPAT for the next release.”
-
This reply was modified 7 months, 2 weeks ago by
-
7. The presence of the 7-Zip v18.01 shell extension (at least for the x64 version) is not as much of a security risk as I thought prior to today’s tests because issue #1 at https://www.askwoody.com/forums/topic/is-it-time-to-give-up-on-7-zip/#post-172133 shouldn’t actually be an issue (see conclusions #1 and #2).
-
8. I plan to keep using 7-Zip, although I am disappointed in the 7-Zip developer’s decisions that result in the 7-Zip exe’s not using ASLR, even if you use a program such as EMET on the 7-Zip exe’s.
-
This reply was modified 7 months, 2 weeks ago by
4 users thanked author for this post.
-
This reply was modified 7 months, 2 weeks ago by
-
This reply was modified 7 months, 2 weeks ago by
-
anonymousIf there’s one think I really hate, it’s when people say things like “What year is it @7zip ?? You guys still running on 90’s hardware??”. This should not be an excuse for bloating a program. I did not buy a faster CPU and more RAM so that developers could get lazy and bloat their applications. I bought them to run the same stuff, and more of it. It’s this kind of thinking that leads to Software bloat and feature creep.
That said, I still plan on using 7-zip. Nothing comes close to how efficient 7z is. Winrar is slow, and too much flash and bang, and Winzip is bloated. I do think he should enable those compiler switches, even if it adds a tiny bit of bloat, but hey, there’s tons of security holes I’m sure I’m open to these days since technology is all about shoveling in features instead of fixing problems.
1 user thanked author for this post.
-
anonymous“INSECURE shell extension is loaded into explorer.exe” Probably need a bit more elaboration on that. The 7Z DLL (7-zip.dll) contains a relocation table and is linked with dynamicbase, so ASLR should work. Maybe there is something else wrong with it.
It is the .exe files that has the relocation stripped, and not linked with dynamicbase. I’ll give the developer credit though. He knows the two go together. I’ve seen some others with dynamicbase but no relocation table, like VLC.
1 user thanked author for this post.
-
-
anonymous
-
-
-
I apologize if this is way after the date this was published; but I have 7-Zip, however, I more frequently use WinRAR. I have a version which was registered to my old (out-of-service) Windows Vista computer.
I downloaded the V4 version of WinRAR onto my new(er) computer running Windows 7 x64, and, as a try, input the registration code from the Vista version.
Hoky smokes, Bullwinkle. It took it.
[EDITED – pls refer to Lounge Rules] I have a version of 7-Zip, but for my purposes, are more attuned to using WinRAR.
Some of the semi-anonymous uploaders I utilize will not accept a .7z file – but will accept a .rar file. So that is the file compression scheme I prefer.
Learn what Bing prefers you not know about = https://v.gd/sdr28-
This reply was modified 6 days, 12 hours ago by
-
This reply was modified 6 days, 12 hours ago by
Keep AskWoody alive and free
Shop on Amazon by clicking on our affiliate link.
Buy anything, AskWoody gets a small bounty.
No charge to you, of course.
Recent Replies
-
MrJimPhelps on
1 minute ago -
6 minutes ago
-
GoneToPlaid on
7 minutes ago -
12 minutes ago
-
Noel Carboni on
12 minutes ago -
20 minutes ago
-
PKCano on
30 minutes ago -
anonymous on
33 minutes ago -
1 hour, 2 minutes ago
-
1 hour, 20 minutes ago
-
Microfix on
1 hour, 51 minutes ago -
geekdom on
1 hour, 58 minutes ago -
Mele20 on
2 hours, 56 minutes ago -
Pepsiboy on
4 hours, 2 minutes ago -
BobbyB on
4 hours, 14 minutes ago -
Rick Corbett on
5 hours, 15 minutes ago -
Kirsty on
6 hours, 58 minutes ago -
7 hours, 12 minutes ago
-
8 hours, 18 minutes ago
-
RamRod on
8 hours, 47 minutes ago