I’ve been a 7-Zip for for, like, forever. That’s why it pains me to report that several people — people who know what they’re doing — are taking 7-Z
[See the full post at: Is it time to give up on 7-Zip?]
|
There are isolated problems with current patches, but they are well-known and documented on this site. |
-
Is it time to give up on 7-Zip?
- This topic has 97 replies, 25 voices, and was last updated 4 years, 7 months ago.
AuthorViewing 32 reply threadsAuthor-
I don’t mean to be conspiratorial, but whenever I read that the author of a program like 7/Zip refuses to include essential security features in his product, I wonder if he was told not to include these features.
I have discussed this issue with Igor Pavlov and tried to convince him to enable all three flags. However, he refused to enable /DYNAMICBASE [the ASLR flag] because he prefers to ship the binaries without relocation table to achieve a minimal binary size. Moreover, he doesn’t want to enable /GS, because it could affect the runtime as well as the binary size.
From what I have heard many times, the US government (specifically the NSA) pressures companies to include back doors in their products.
Group "L" (Linux Mint)
with Windows 8.1 running in a VM -
-
He he, there are always other interested organizations in this sort of stuff, not only NSA.
The issue with the backdoors is that sooner or later, all those interested will find out and use those backdoors, not only the original sponsor. Sometimes even “script kiddies” take advantage when the backdoors are made public and the systems do not keep up with patching.
While it is not clear if those backdoors are allowed on purpose in the first place, based on current information it is safe to assume so.5 users thanked author for this post.
If not 7-Zip, then what other program that does what 7-Zip does AND doesn’t contain the security holes about which you are concerned? (Redundant of post entered before logging in and tagged as anonymous.)
2 users thanked author for this post.
-
From what I’ve read, 7-ZIP would not need to be replaced. It’s open-source, so anyone can recompile the source code with the added security. And EMET or Windows Exploit Protection may be able to provide sufficient protections if you are running the most up to date versions of 7-ZIP. In Linux, there’s AppArmor, which may be able to add similar protections to PeaZIP (which is based on the 7-ZIP binaries). I am not a security or coding expert, but it seems a fix could be developed and released as a derivative or fork of 7-ZIP. I doubt the author of 7-ZIP would object, as long as he gets due credit.
-- rc primak
-
How many regular users will know how to recompile the source code with the added security? How many will even think about these issues? The “regular folks”, who aren’t even aware of these issues, let alone capable of addressing them, are the ones I am concerned about.
Group "L" (Linux Mint)
with Windows 8.1 running in a VM1 user thanked author for this post.
-
Regular folks would not be aware of the need, or even know what it means to compile something… but if that’s really all it takes, someone out there could take the open-source code and simply compile it with the new compiler directives, and make that compiled product available to the public.
It’s kind of how I believe Waterfox got started… years ago, Mozilla did not offer any official 64-bit builds of Firefox for Windows, so MrAlex94 began to build the Firefox source into 64-bit binaries, so that end users who don’t have the resources or desire to compile it themselves can still benefit. I’m not sure what Mozilla’s reasoning was; they already offered 64-bit versions for Mac and Linux, and from the first moment I tried Waterfox (which only existed in 64-bit form) in Windows, it was more stable than 32-bit Firefox by far.
Now that Mozilla offers 64-bit Windows binaries, the focus of Waterfox has shifted, but in the beginning, it was all about it being compiled differently. The same could apply to 7-Zip, if there is any real demand for it.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/16GB & GTX1660ti, KDE Neon
Acer Swift Go 14, i5-1335U/16GB, KDE Neon1 user thanked author for this post.
-
-
-
So I asked Stefan if he had a good alternative to 7-Zip, and this is what he said:
Windows (since ’95) NATIVE archive format .CAB: without delta compression it compresses almost as good as .7z, and with delta compression it performs BETTER than .7z.
Additionally .CAB archives can be digitally (authenticode) signed, which no other format offers (except .ZIP when used for OOXML or OpenXML format files), and both Windows’ SetupAPI and Windows, er, Microsoft Installer as well as the “component based servicing” can process their contents without unpacking the whole archive.
Unfortunately Microsoft does not offer to create .CAB archives in Windows Explorer; users need to call MAKECAB.exe on the command line or use IEXPRESS.exe.
So: .CAB for incoming files, especially installer packages (.MSU are .CAB archives, they just have another extension; .MSI and .MSP contain their payload as .CAB archives, as well as the self-extracting installers provided by Microsoft), and .ZIP for outgoing archives.
Developers and vendors should ALWAYS use and support the NATIVE archive format of the target OS, they should NEVER force their users/customers to install additional software to access or use files they distribute.
The arguments from https://skanthak.homepage.t-online.de/!execute.html apply here too: ALWAYS use the NATIVE format of the target OS, NEVER expect or force your users to jump through loops to access or use what you distribute. People who send/distribute .7z, .RAR, .ARJ or other “strange” formats to Windows users don’t want them to use what they provide.
That’s basically the KISS principle: keep it simple for your users, SAVE them from all possible hassle and additional vulnerabilities, be it “strange” archive formats or executable installers/self-extractors, which are almost always vulnerable, and seduce people to EXECUTE anything they get.
What do you think?
-
-
-
-
What Stefan would want you to do is use Microsoft’s native CABinet archive file format with Windows. Stefan is blind to the fact the IExpress utility & makecab programs aren’t widely known by most people to make a .CAB archive. There maybe too few to none other than Microsoft’s programs that can could make one. CAB files are still mostly a Microsoft internal use product.
Microsoft were wise to add .ZIP capabilities to explorer in part because of its ubiquity, it has been widely known since approximately the latter half of the 1980s. So you can ignore the advice for Windows. For GNU/Linux, Unix he generally right because many files are TARed & GZipped for distribution.
Did this clarify or create befuddlement in your brain?
1 user thanked author for this post.
-
-
The 7-Zip author has added the stronger AES-256 encryption as an archive option for the .zip format. ZipCrypto is the default, but if you choose the dropdown menu selector for ‘encryption method’, you will see that both choices are available.
AES-256 is the only encryption method choice for the .7z format.
Windows 10 Pro 22H2
-
-
That referenced lack of security was in regard to using 7-Zip as a Windows shell extension, and somebody possibly exploiting that.
The AES-256 encryption method is not related to that vulnerability and should not be affected.
Two different issues.
Windows 10 Pro 22H2
-
In their ivory towers, experts may have opinions, but the fact is that tools such as 7-zip that open a large variety of formats are needed because the OS simply doesn’t provide native support for all the formats.
Ever download a .tar.gz file from, say, an open source library site? It’s in that format because (surprise) the world doesn’t revolve around Microsoft. I assume the answer will be yes as it is for so many of us. If so, what did you use to open it?
And regarding “native” support for .CAB… The underlying SDK APIs to access CAB files were already outdated at the turn of the millenium. Now they’re positively ancient. I know because we’ve coded software to create .CAB files to contain submitted error reports recently.
I have to ask: Are a lot of people being infected by 7-zip? “Theoretical” vulnerabilities do serve to help people improve products, but is 7-zip really proving worthy of such worry?
-Noel
Delta compression cab or better known as Intra Package Delta is an exclusive for Microsoft updates, it’s not available in Windows and no one can create it but them
as i pointed, even Microsoft uses 7z library to pack .NET executable updates
7Zip exploit protection settings recommendation
https://malwaretips.com/threads/7zip-exploit-protection-settings-recommendation.76887/
(etc) …
That was me, in the below Anonymous Posting (#171747)
— rc primak —
-- rc primak
-
-
Comment from landave: “While mandatory ASLR is a nice feature (and will be supported by Windows 10 even without EMET), it will not work for binaries with stripped relocation table. Igor seems to do exactly this to reduce the size of the binary.
Also, EMET cannot give you stack canaries if the binary is not compiled with /GS.”
3 users thanked author for this post.
7Zip exploit protection settings recommendation
https://malwaretips.com/threads/7zip-exploit-protection-settings-recommendation.76887/
So, with either EMET or Exploit Guard, MS Windows can be configured to make 7-ZIP adhere to the recommended security protocols. So what’s the flap about?
In Linux, AppArmor can provide similar protection to PeaZip, which is based on 7-ZIP’s binaries.
Or you can go out, get the binary’s source code, add ASLR and other security .dll’s (or whatever Linux uses), and recompile your own secure version of 7-ZIP and PeaZIP. And if anyone does this, hopefully they will share the resulting package with the rest of us.
Thankfully it is open and people with knowledge can recompile it to their liking. 7-zip compression is used in software deployment, hopefully the software engineers will see have this and do what is necessary to make it a little more secure.
Their are not many software solutions that can compress like 7-zip. 🙁
1 user thanked author for this post.
-
-
The power went out at my office just about the time that you posted with “their”. Does that count? 😉
1 user thanked author for this post.
-
7 Zip wow haven’t used that in a while. I remember it being included in some HP PC if I am not mistaken. These days I just use the built in unzipper in Windows 10 for what I need. Its not unfamiliar to me though, plenty of PC’s I work on still have it installed.
1 user thanked author for this post.
While I appreciate the news in the first place, I think that there is an over-reaction here. There are enterprise products which still do not implement ASLR or recommend disabling it for performance reasons, so targeting 7-zip here is unfair at least. There are boundaries to what is and what is not a critical security issue. And the fact that a Microsoft rep recommends implementing Microsoft security technologies built-in Windows is not something new. It is certainly preferable to have those technologies in place, but the lack of them does not inherently make a product insecure.
My first thought on this is that maybe the author knows more about what he’s doing than the folks “pressuring” him to enable switches that may have downsides.
Imagine, for example, a compile/link switch that makes the code measurably less efficient, but does not really provide any substantial benefit when considering how the product actually works. Who would want such a switch thrown? Those who would benefit from selling people new hardware?
It is my considered opinion that computer security, as discussed by the public, is more marketing and hype than substance.
-Noel
Anyone caught by the ridiculous security hysteria spread by utterly useless zealots and talking-heads should download the 7-Zip source code, fix all security bugs, if any, apply the ‘security’ compiler switches recommended by Microsoft (even if Microsoft does not compile quite a number of their own executables with those switches — just look at Windows 10, the ‘most secure’ Windows…), and compile 7-Zip… And… the folks at Microsoft better shut up…
1 user thanked author for this post.
I really like 7-Zip, having used it reliably since XP days.
Would using 7-Zip in a sandbox or VM allow you to check for any malware in the files being opened before moving them to your system? I really like the concept of Qubes OS, where your operating system is separate from the program running in it, and you can separate out the different programs, too. It doesn’t have the novice user friendliness of Windows or Linux Mint, but the idea of not letting programs run promiscuously with your OS really appeals to me for basic safety and security reasons.
Do other products do the same thing, or have they incorporated fixes? I’d hate to move from one product that has been checked closely, to another product that looks better, because no one bothered to check it out yet.
Non-techy Win 10 Pro and Linux Mint experimenter
-
-
@OscarCP-
As this is getting off topic of 7-Zip… may I refer you to ‘An Introduction to Qubes OS’: https://www.qubes-os.org/intro/
I don’t have the technical answers… but the concept of running everything in separate compartments, but easily available on the desktop, appeals to me. I can put the programs I run in separate Qubes with individualized security settings. They utilize single use, disposible Qubes for opening attachments. Exactly how that is done is beyond me, but Qubes is showing up frequently in searches for the best security based Linux distros.
It is one of the free and open source distros I am exploring prior to end of life for Win 7. I’d be interested in a more detailed, techy take on this. This might be a subject to open in the Linux for Window Wonks forum.
Non-techy Win 10 Pro and Linux Mint experimenter
-
Thanks Elly. The link in your reply to my question makes things more clear: various types of applications run on their own and separate virtual machines (VMs), called “qubes”, and these run, in turn, on a Linux-type OS that does not talk to the outside world (except, I imagine, through the keyboard and mouse of the superuser), only the qube VMs do. This makes it, somehow, very hard to infect this submarine OS with malware that comes in from the Internet or some contaminated media in disks or USB memory sticks, etc. All that will go into some qube or qubes instead, where it can be contained by putting in quarantine the infected qube.
This looks like something worthy of further discussion in one of the Linux streams at Woody’s, particularly for those of us looking for alternatives to Windows 7, when it reaches its end of life in less than two years from now.
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV1 user thanked author for this post.
-
@ OscarCP- That gives a pretty good description of how Qubes is set up… thank you, as it helped me visualize it better in my own mind.
Non-techy Win 10 Pro and Linux Mint experimenter
-
-
-
The problem with 7Zip is that the encryption is not very strong. Therefore the danger is, if you email a sensitive document that has been encrypted by 7Zip, the encryption could be broken and the document read by a non-authorized person.
Strong encryption would allow you to zip any document, encrypt it, and email it, without having to worry about anyone being able to read it.
WinZip has strong encryption. I use it whenever I have to send a sensitive document. But based on this article, I won’t be using 7Zip.
I like the idea behind Qubes – a separate, isolated sandbox for each OS you want to run; but I never could figure it out, so I finally uninstalled it.
Jim
Group "L" (Linux Mint)
with Windows 8.1 running in a VM-
Thank you for translating what those problematic processes actually do. I respect encryption, and believe in privacy, so that would be important for me.
You have been experimenting with Linux, too… I have difficulty determining whether it is myself, or the OS that is lacking… and tend to blame myself. You are successful with Linux Mint, I think… and that gives me hope, to keep on experimenting.
Non-techy Win 10 Pro and Linux Mint experimenter
-
Create yourself a Linux Live flash drive with persistent storage. I recommend that you choose Linux Mint xfce, and pick the 32-bit or 64-bit version, depending on how much memory you have. (4 GB — 32-bit; 8 or more GB – 64-bit).
Then try it out for a while, to see what you think of it.
You could do the same for Ubuntu and other Linux distros.
Jim
Group "L" (Linux Mint)
with Windows 8.1 running in a VM1 user thanked author for this post.
-
It does have some hardware requirements, check their information.
Check also Qubes OS Tutorials by Switched to Linux on YouTube.
1 user thanked author for this post.
The 7z archive format requires strong AES-256 encryption.
“There are actually two types of Zip file encryption. The older Zip 2.0 encryption is extremely insecure, while the newer AES encryption is fairly secure.”
More here:
Windows 10 Pro 22H2
-
So it is a problem with the ‘envelope’ rather than the letter inside?
Non-techy Win 10 Pro and Linux Mint experimenter
-
Correct :).
1 user thanked author for this post.
-
I will not 🙂
4 users thanked author for this post.
Woody’s post mentions Stefan Kanthak’s concern because 7-Zip installs (or at least can install) a Windows Explorer shell extension. Here is the reason that using a Windows Explorer shell extension that doesn’t use the appropriate security measures is bad news: Quickpost: “It Does No Harm…” or Does It?
5 users thanked author for this post.
-
There are two ways in which the presence of the 7-Zip shell extension can be a security concern:
1. The presence of a non-ASLR DLL in whatever processes the 7-Zip shell extension DLL is used in (such as explorer.exe) means that 7-Zip code is available in predictable memory locations in those process(es), which can let an exploit use return-oriented programming gadgets.
2. If there is a vulnerability in the 7-Zip shell extension DLL, then it might be possible that this vulnerable code could be triggered in Windows/File Explorer (or whatever other processes the 7-Zip shell extension DLL is used in) if a specially-crafted archive file is present without even opening it, in a manner similar to what is described here.
1 user thanked author for this post.
From Security-Risk: Avoid 7-Zip: “Let’s get to the beef of this article. The developer of this tool refuse to hardening its software against unknown security vulnerabilities. To harden software with respect to the exploitability of unknown vulnerabilities, developers can specify different options when linking modules to an executable binary file. This Microsoft document introduces two such options for improving application security. There are other techniques (like compiler options to check for buffer overflow in executable code) of this kind, some of which have been known for many years.”
1 user thanked author for this post.
-
The danger is that exploitation of 7-Zip code using a specially-crafted archive file could be easier because the 7-Zip developer isn’t using some anti-exploit features.
1 user thanked author for this post.
The solution seems simple and was proposed early on in the these comments about the issue. Someone who knows what they are doing needs to recompile the 7-zip source code with the necessary switches and see if the resulting executable is stable and functional. If so, release it to the public (with all the appropriate credit to the original author). Igor will quickly see that most will choose the new version over the old if given a choice when downloading 7-zip.
Most users do not compress files with a stopwatch in their hand and don’t really care about max speed over security and functionality – free, useful and reliable is all that most care about.
With billions of internet users and millions using 7-zip including 3rd party vendors making use of 7-zip functionality, someone must have recompiled it by now…
-
-
-
The code and memory mitigations of HitmanPro.Alert are available on a per application basis, and include hardware assisted Control-Flow Integrity on supported CPUs.
Windows 10 Pro 22H2
1 user thanked author for this post.
-
-
From Woody’s post:
I’m not so concerned about individual, manual use, but the incorporation of 7-Zip binaries into other packages. An anonymous poster here on AskWoody came up with a long list of other packages that rely on 7-Zip, including WinRAR, Flash, and some .NET applications.I’m the “anonymous” who posted the said list of 3rd-party software that use standalone or embedded 7-zip libraries. It isn’t a comprehensive list (more an outline), but may perhaps provide an idea of how large the potential attack surface area could be.
Before that, I also highlighted (31 Jan 2018) in the same forum thread that 7-zip v18.01 stable (29 Jan 2018) may not have included a fix for the ADSL security vulnerability, since the changelog makes no mention of it. (And neither does the latest v18.02 beta [03 Mar 2018] include the said fix.)
At that time, nobody seemed to be talking about this issue. But I was/am curious to know about the possible impacts of leaving the ADSL vulnerability unfixed, & what precautions I can take wrt malformed archive files from external sources.
Taking 7-zip as an example, its “extra” package (which contains the commandline EXE & DLL plugins) is offered as a 7z download. And 7-zip’s official website & downloads are strictly HTTP, which makes them susceptible to MitM compromises. Would scanning malformed archive files with malware scanner flag them as malicious ?
Note: I’ve no IT training & can’t read source-code — much less compile a software. I’m just a daily end-user of 7-zip & numerous 3rd-party software that use 7-zip libraries.
I also mentioned in the the aforementioned 7-zip thread that Landave (the security researcher who blogged about 7-zip’s vulnerabilities) did compile 7-zip with fixes for all the known security vulnerabilities in Jan 2018.
And the resulting increase in binary size is apparently just 8-9 KB — contrary to 7-zip developer’s concern that doing so would bloat the binary.
-
Microsoft itself uses 7z to package .NET updates/releases, including the Offline Installer for all OSs, and rollup updates for Windows 7 and Vista
1 user thanked author for this post.
Noel Carboni said:
My first thought on this is that maybe the author knows more about what he’s doing than the folks “pressuring” him to enable switches that may have downsides.MrJimPhelps said:
whenever I read that the author of a program like 7/Zip refuses to include essential security features in his product, I wonder if he was told not to include these features.7-zip’s developer did explain why he does not want to fix the issues that make 7-zip less secure. That’s because years before Landave blogged about it, there were already users who noticed the same issues with 7-zip.
Back in Mar 2012, there was a user request for ASLR (Address Space Layout Randomization) & DEP (Executable Space Protection) to be enabled in 7-zip.
The developer’s response was:
I suppose that problem is more complex than just compiler switch. No time for these things now. Maybe later I’ll look it. I still use old compiler for 32-bit version.
And elsewhere on Twitterverse (13 May 2016):
https://twitter.com/ericlaw/status/731178499424329728
It’s important to upgrade 7zip to v16 to avoid security bugs. Get the unsigned, DLL hijackable installer via HTTP…and be aware that ASLR is disabled and 7-zip doesn’t work with SmartScreen/Windows security.
More recently in Sep 2017, another 2 users raised the same request with 7-zip’s developer. His response is quoted as follows:
It’s not BUG. It’s feature or missing of feature.
7-Zip doesn’t use ASLR. Files are smaller so. ASLR is new feature. I use old [compilers] and linkers without ASLR support. I can compile with /FIXED:NO and patch for ASLR flag with another tool. But ASLR is just some additional level of protection. There is no big gain from it.
DEP is good thing. But it’s [unclear] for me why there is 32-bit and 64-bit code difference.
As for the “files are smaller so” remark, 7-zip with ASLR enabled is a mere 8-9 KB (kilobytes) larger — as I’d mentioned earlier on.
The conclusion from the author of an exploit of a 2016 7-Zip vulnerability: “Still lack of current standard mitigations in some products makes exploitation significantly easier.”
1 user thanked author for this post.
-
The included “Popular Software.xml” template includes 7-Zip; see http://www.windowsmanagementexperts.com/emet-enhanced-mitigation-experience-toolkit/emet-enhanced-mitigation-experience-toolkit.htm for more details. If you choose not to use that template, then see EMET mitigations guidelines.
Since 7-Zip can install a shell extension, you may also wish to consider using EMET on whatever processes the 7-Zip shell extension DLL is used in.
1 user thanked author for this post.
-
-
You can turn off the shell integration in 7z if you wish. I have! 🙂
Windows 10 Pro 22H2
3 users thanked author for this post.
-
-
-
My preferred way of verifying a downloaded/unzipped executable file is to check it with VirusTotal.
There is a handy little free utility from Nirsoft, ‘HashMyFiles’, that has an option to ‘Enable Explorer Context Menu – Virus Total’. That make VirusTotal a completely integrated solution from within Windows file explorer.
Just right click on any file in Windows explorer and select ‘Open in VirusTotal Web Site’. The file hash is transmitted to VirusTotal and your browser will be presented with the score from multiple AV engines if it is a previously submitted sample. If the sample is new, you can upload the entire file for ananlysis as long as it is under 128MB.
http://www.nirsoft.net/utils/hash_my_files.html
Highly recommended! 🙂
Windows 10 Pro 22H2
1 user thanked author for this post.
-
I did tests on a Windows 7 x64 virtual machine using 7-Zip v18.01 x64 and x86 and setdllcharacteristics v0.0.0.1. setdllcharacteristics results for 7-Zip v18.01 x64: https://pastebin.com/h3M2zaUm. setdllcharacteristics results for 7-Zip v18.01 x86: https://pastebin.com/4zfdqmyX. For all files, the DEP switch (NX_COMPAT) is set to 1; this is good news. For all .dll files, the ASLR switch (DYNAMIC_BASE) is set to 1; this is good news. For all .exe and .sfx files, the ASLR switch (DYNAMIC_BASE) is set to 0; this is bad news but not unexpected.
I also did tests using 7-Zip v18.01 x64, Process Explorer v16.21 (DEP column in upper pane; ASLR and Base Address columns in lower pane), and EMET v5.52. See https://blog.didierstevens.com/2011/01/18/quickpost-checking-aslr/ and http://www.itprotoday.com/security/q-how-can-i-check-effect-windows-address-space-layout-randomization-aslr-feature-windows for more details.
My conclusions:
1. For the 7-Zip v18.01 x64 shell extension, ASLR for explorer.exe’s 7-zip.dll works according to Process Explorer (both the ASLR and Base Address columns); the Base Address field for explorer.exe’s 7-zip.dll changed from one boot to another boot. This is good news.
2. For the 7-Zip v18.01 x86 shell extension, I didn’t test with Process Explorer, but the setdllcharacteristics results for 7-Zip v18.01 x86’s DLL files are encouraging.
3. Using setdllcharacteristics to change the ASLR switch (DYNAMIC_BASE) of 7-Zip v18.01 x64 file manager (7zFM.exe) doesn’t have any security effect according to Process Explorer Base Address tests. This is not surprising per https://www.askwoody.com/forums/topic/is-it-time-to-give-up-on-7-zip/#post-171967. But if you want to try anyway, see one of the comments at http://www.dslreports.com/forum/r30754614-Flawed-7-Zip-compression-tool-opens-systems-to-hack-Update-it-now.
4. EMET’s Mandatory ASLR mitigation doesn’t have any effect for the 7-Zip v18.01 x64 file manager (7zFM.exe) according to Process Explorer Base Address tests. This is not surprising per https://www.askwoody.com/forums/topic/is-it-time-to-give-up-on-7-zip/#post-171967. However, it’s still a good idea to use EMET for 7-Zip’s .exe files because of EMET’s other mitigations.
5. DEP is on for the 7-Zip v18.01 x64 file manager (7zFM.exe) according to Process Explorer; this is good news but not unexpected because according to https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/, “At least he will try to enable /NXCOMPAT for the next release.”
-
6. Lack of ASLR support for the 7-Zip file manager (7zFM.exe) is a security issue. The same is probably true for the other 7-Zip .exe files.
1 user thanked author for this post.
-
7. The presence of the 7-Zip v18.01 shell extension (at least for the x64 version) is not as much of a security risk as I thought prior to today’s tests because issue #1 at https://www.askwoody.com/forums/topic/is-it-time-to-give-up-on-7-zip/#post-172133 shouldn’t actually be an issue (see conclusions #1 and #2).
-
8. I plan to keep using 7-Zip, although I am disappointed in the 7-Zip developer’s decisions that result in the 7-Zip exe’s not using ASLR, even if you use a program such as EMET on the 7-Zip exe’s.
4 users thanked author for this post.
If there’s one think I really hate, it’s when people say things like “What year is it @7zip ?? You guys still running on 90’s hardware??”. This should not be an excuse for bloating a program. I did not buy a faster CPU and more RAM so that developers could get lazy and bloat their applications. I bought them to run the same stuff, and more of it. It’s this kind of thinking that leads to Software bloat and feature creep.
That said, I still plan on using 7-zip. Nothing comes close to how efficient 7z is. Winrar is slow, and too much flash and bang, and Winzip is bloated. I do think he should enable those compiler switches, even if it adds a tiny bit of bloat, but hey, there’s tons of security holes I’m sure I’m open to these days since technology is all about shoveling in features instead of fixing problems.
1 user thanked author for this post.
“INSECURE shell extension is loaded into explorer.exe” Probably need a bit more elaboration on that. The 7Z DLL (7-zip.dll) contains a relocation table and is linked with dynamicbase, so ASLR should work. Maybe there is something else wrong with it.
It is the .exe files that has the relocation stripped, and not linked with dynamicbase. I’ll give the developer credit though. He knows the two go together. I’ve seen some others with dynamicbase but no relocation table, like VLC.
1 user thanked author for this post.
Viewing 32 reply threads
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Recent Topics
-
Just a fyi – I think I’ll skip on an Apple Vision Pro hardware section
by 5 hours, 44 minutes ago
-
What’s wrong with Windows 11?
by 3 hours, 54 minutes ago
-
Streaming an iPad to a standard TV
by 1 hour, 35 minutes ago
-
clone to make backup laptop
by 10 hours, 25 minutes ago
-
Problems with sound and USB ports
by 9 hours, 50 minutes ago
-
Can you use WUShowHide on Windows 11 version 21H2?
by 6 hours, 18 minutes ago
-
Can we control the changes to our operating systems?
by 6 hours, 19 minutes ago
-
Watch out for fake ‘Windows Defender’ scare
by 5 hours, 40 minutes ago
-
Diagnostics and testing? Get it all done in a flash.
by 54 minutes ago
-
Dip your toe into Visio Online
by 9 hours, 59 minutes ago
-
Updating Win 10 Pro 21H2 to 22H2
by 8 hours, 1 minute ago
-
Changing mouse pointer options.
by 11 hours, 17 minutes ago
-
Desktop or Laptop? What’s your choice?
by 2 hours, 1 minute ago
-
Anyone use Auslogics Bitreplica
by 1 day, 21 hours ago
-
Unleashing the Gaming Revolution: CrossOver Mac’s DirectX 12 Support Update!
by 2 days, 10 hours ago
-
Defender’s Offline Scan Fails to Run
by 1 day, 16 hours ago
-
Mouse problem : cannot grab a window without maximizing it
by 1 day, 23 hours ago
-
End of support for Cortana in Windows
by 1 day, 9 hours ago
-
Microsoft is really missing an advertising trick
by 2 days, 9 hours ago
-
New MOVEit Transfer zero-day mass-exploited in data theft attacks
by 3 days, 9 hours ago
-
Windows 11 Insider Preview build 25381 released to Canary
by 3 days, 9 hours ago
-
Authenticating Email Address
by 3 hours, 26 minutes ago
-
Confusion about password protecting a folder in W10
by 3 days, 11 hours ago
-
I broke my right arm yesterday
by 1 day, 12 hours ago
-
Kaspersky : iOS devices targeted with previously unknown malware
by 3 days, 8 hours ago
-
Which Updates From Each List Are Safe to Install ?
by 1 day ago
-
AOL changes its web based email
by 3 days, 7 hours ago
-
Windows 11 Insider Preview build 23471 released to DEV
by 4 days, 9 hours ago
-
Windows 11 Insider Preview Build 22621.1830 and 22624.1830 released to BETA
by 4 days, 9 hours ago
-
Spyboy Defense Evasion Tool Advertised Online
by 4 days, 17 hours ago
