• Is it time to give up on 7-Zip?

    Home » Forums » Newsletter and Homepage topics » Is it time to give up on 7-Zip?

    Author
    Topic
    #171717

    I’ve been a 7-Zip for for, like, forever. That’s why it pains me to report that several people — people who know what they’re doing — are taking 7-Z
    [See the full post at: Is it time to give up on 7-Zip?]

    6 users thanked author for this post.
    Viewing 32 reply threads
    Author
    Replies
    • #171723

      I don’t mean to be conspiratorial, but whenever I read that the author of a program like 7/Zip refuses to include essential security features in his product, I wonder if he was told not to include these features.

      I have discussed this issue with Igor Pavlov and tried to convince him to enable all three flags. However, he refused to enable /DYNAMICBASE [the ASLR flag] because he prefers to ship the binaries without relocation table to achieve a minimal binary size. Moreover, he doesn’t want to enable /GS, because it could affect the runtime as well as the binary size.

      From what I have heard many times, the US government (specifically the NSA) pressures companies to include back doors in their products.

      Group "L" (Linux Mint)
      with Windows 8.1 running in a VM
      2 users thanked author for this post.
      • #171724

        Fascinating. It never crossed my mind. But now that you mention it…

      • #171790

        He he, there are always other interested organizations in this sort of stuff, not only NSA.
        The issue with the backdoors is that sooner or later, all those interested will find out and use those backdoors, not only the original sponsor. Sometimes even “script kiddies” take advantage when the backdoors are made public and the systems do not keep up with patching.
        While it is not clear if those backdoors are allowed on purpose in the first place, based on current information it is safe to assume so.

        5 users thanked author for this post.
    • #171732

      If not 7-Zip, then what other program that does what 7-Zip does AND doesn’t contain the security holes about which you are concerned? (Redundant of post entered before logging in and tagged as anonymous.)

      2 users thanked author for this post.
      • #171755

        From what I’ve read, 7-ZIP would not need to be replaced. It’s open-source, so anyone can recompile the source code with the added security. And EMET or Windows Exploit Protection may be able to provide sufficient protections if you are running the most up to date versions of 7-ZIP. In Linux, there’s AppArmor, which may be able to add similar protections to PeaZIP (which is based on the 7-ZIP binaries).  I am not a security or coding expert, but it seems a fix could be developed and released as a derivative or fork of 7-ZIP.  I doubt the author of 7-ZIP would object, as long as he gets due credit.

        -- rc primak

        6 users thanked author for this post.
        • #171762

          How many regular users will know how to recompile the source code with the added security? How many will even think about these issues? The “regular folks”, who aren’t even aware of these issues, let alone capable of addressing them, are the ones I am concerned about.

          Group "L" (Linux Mint)
          with Windows 8.1 running in a VM
          1 user thanked author for this post.
          • #171815

            Regular folks would not be aware of the need, or even know what it means to compile something… but if that’s really all it takes, someone out there could take the open-source code and simply compile it with the new compiler directives, and make that compiled product available to the public.

            It’s kind of how I believe Waterfox got started… years ago, Mozilla did not offer any official 64-bit builds of Firefox for Windows, so MrAlex94 began to build the Firefox source into 64-bit binaries, so that end users who don’t have the resources or desire to compile it themselves can still benefit.  I’m not sure what Mozilla’s reasoning was; they already offered 64-bit versions for Mac and Linux, and from the first moment I tried Waterfox (which only existed in 64-bit form) in Windows, it was more stable than 32-bit Firefox by far.

            Now that Mozilla offers 64-bit Windows binaries, the focus of Waterfox has shifted, but in the beginning, it was all about it being compiled differently.  The same could apply to 7-Zip, if there is any real demand for it.

             

            Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
            XPG Xenia 15, i7-9750H/16GB & GTX1660ti, KDE Neon
            Acer Swift Go 14, i5-1335U/16GB, KDE Neon

            1 user thanked author for this post.
          • #171948

            Regular users are more vulnerable because they are likely to search on ‘7-zip’ and download the first search return. This is likely to be 7-Zip and not a derivative. Technically adept users aware of the problem are likely to seek an alternative. As Ascaris noted, someone else could take on the chore of making the necessary changes and compilation and release it to the public so hopefully very few would ever actually do the compilation on any OS.

      • #172103

        So I asked Stefan if he had a good alternative to 7-Zip, and this is what he said:

        Windows (since ’95) NATIVE archive format .CAB: without delta compression it compresses almost as good as .7z, and with delta compression it performs BETTER than .7z.

        Additionally .CAB archives can be digitally (authenticode) signed, which no other format offers (except .ZIP when used for OOXML or OpenXML format files), and both Windows’ SetupAPI and Windows, er, Microsoft Installer as well as the “component based servicing” can process their contents without unpacking the whole archive.

        Unfortunately Microsoft does not offer to create .CAB archives in Windows Explorer; users need to call MAKECAB.exe on the command line or use IEXPRESS.exe.

        So: .CAB for incoming files, especially installer packages (.MSU are .CAB archives, they just have another extension; .MSI and .MSP contain their payload as .CAB archives, as well as the self-extracting installers provided by Microsoft), and .ZIP for outgoing archives.

        Developers and vendors should ALWAYS use and support the NATIVE archive format of the target OS, they should NEVER force their users/customers to install additional software to access or use files they distribute.

        The arguments from https://skanthak.homepage.t-online.de/!execute.html apply here too: ALWAYS use the NATIVE format of the target OS, NEVER expect or force your users to jump through loops to access or use what you distribute. People who send/distribute .7z, .RAR, .ARJ or other “strange” formats to Windows users don’t want them to use what they provide.

        That’s basically the KISS principle: keep it simple for your users, SAVE them from all possible hassle and additional vulnerabilities, be it “strange” archive formats or executable installers/self-extractors, which are almost always vulnerable, and seduce people to EXECUTE anything they get.

        What do you think?

        7 users thanked author for this post.
        • #172205

          Before there were CABinet files for general public use, ZIP files became the standard for DOS (ACE, ZOO, ARJ & and a few others were competition). Many more people may know how create and extract the .ZIP file extension contents so it is better to use that for most cases if you do not wish to explain yourself. 🙂

          The ability to sign a .CAB file, an advantage if the distributor of the package is honest.

        • #172230

          WOW!, ARJ Software still exists and on the FAQ page question ‘k’ makes it clear there is another signed archive format.

        • #172301

          Am I being thick(er)?

          I’ve “always” used Windows built-in function for both opening and creating zip files.

          What am I missing here?

          https://support.microsoft.com/en-us/help/14200/windows-compress-uncompress-zip-files

          • #172512

            What Stefan would want you to do is use Microsoft’s native CABinet archive file format with Windows. Stefan is blind to the fact the IExpress utility & makecab programs aren’t widely known by most people to make a .CAB archive. There maybe too few to none other than Microsoft’s programs that can could make one. CAB files are still mostly a Microsoft internal use product.

            Microsoft were wise to add .ZIP capabilities to explorer in part because of its ubiquity, it has been widely known since approximately the latter half of the 1980s. So you can ignore the advice for Windows. For GNU/Linux, Unix he generally right because many files are TARed & GZipped for distribution.

            Did this clarify or create befuddlement in your brain?

            1 user thanked author for this post.
        • #172456

          Encryption is one of the two issues here, that is, the ability to encrypt a document so as to prevent unauthorized people from reading it, because the author chose not to include the more secure encryption in 7Zip.

          The other issue is the ability of someone to tamper with your zipped document.

          WinZip has excellent encryption. So using WinZip would address both of these concerns.

          Group "L" (Linux Mint)
          with Windows 8.1 running in a VM
          • #172469

            The 7-Zip author has added the stronger AES-256 encryption as an archive option for the .zip format.  ZipCrypto is the default, but if you choose the dropdown menu selector for ‘encryption method’, you will see that both choices are available.

            AES-256 is the only encryption method choice for the .7z format.

            Windows 10 Pro 22H2

            • #172494

              In the original post, Woody put the following quote:

              I have discussed this issue with Igor Pavlov and tried to convince him to enable all three flags. However, he refused to enable /DYNAMICBASE [the ASLR flag] because he prefers to ship the binaries without relocation table to achieve a minimal binary size. Moreover, he doesn’t want to enable /GS, because it could affect the runtime as well as the binary size.

              Are you saying that these are not valid security concerns?

              Group "L" (Linux Mint)
              with Windows 8.1 running in a VM
            • #172571

              That referenced lack of security was in regard to using 7-Zip as a Windows shell extension, and somebody possibly exploiting that.

              The AES-256 encryption method is not related to that vulnerability and should not be affected.

              Two different issues.

              Windows 10 Pro 22H2

        • #172467

          In their ivory towers, experts may have opinions, but the fact is that tools such as 7-zip that open a large variety of formats are needed because the OS simply doesn’t provide native support for all the formats.

          Ever download a .tar.gz file from, say, an open source library site? It’s in that format because (surprise) the world doesn’t revolve around Microsoft. I assume the answer will be yes as it is for so many of us. If so, what did you use to open it?

          And regarding “native” support for .CAB… The underlying SDK APIs to access CAB files were already outdated at the turn of the millenium. Now they’re positively ancient. I know because we’ve coded software to create .CAB files to contain submitted error reports recently.

          I have to ask: Are a lot of people being infected by 7-zip? “Theoretical” vulnerabilities do serve to help people improve products, but is 7-zip really proving worthy of such worry?

          -Noel

          4 users thanked author for this post.
      • #172123

        Delta compression cab or better known as Intra Package Delta is an exclusive for Microsoft updates, it’s not available in Windows and no one can create it but them

        as i pointed, even Microsoft uses 7z library to pack .NET executable updates

        5 users thanked author for this post.
    • #171751

      7Zip exploit protection settings recommendation

      https://malwaretips.com/threads/7zip-exploit-protection-settings-recommendation.76887/

      (etc) …

      That was me, in the below Anonymous Posting (#171747)

      — rc primak —

       

      -- rc primak

      3 users thanked author for this post.
      • #171836

        but the last post in your cited link is from last year

        what about version 18 this year?

      • #171967

        Comment from landave: “While mandatory ASLR is a nice feature (and will be supported by Windows 10 even without EMET), it will not work for binaries with stripped relocation table. Igor seems to do exactly this to reduce the size of the binary.

        Also, EMET cannot give you stack canaries if the binary is not compiled with /GS.”

        3 users thanked author for this post.
    • #171747

      7Zip exploit protection settings recommendation

      https://malwaretips.com/threads/7zip-exploit-protection-settings-recommendation.76887/

      So, with either EMET or Exploit Guard, MS Windows can be configured to make 7-ZIP adhere to the recommended security protocols. So what’s the flap about?

      In Linux, AppArmor can provide similar protection to PeaZip, which is based on 7-ZIP’s binaries.

      Or you can go out, get the binary’s source code, add ASLR and other security .dll’s (or whatever Linux uses), and recompile your own secure version of 7-ZIP and PeaZIP. And if anyone does this, hopefully they will share the resulting package with the rest of us.

      2 users thanked author for this post.
    • #171749

      Thankfully it is open and people with knowledge can recompile it to their liking. 7-zip compression is used in software deployment, hopefully the software engineers will see have this and do what is necessary to make it a little more secure.

      Their are not many software solutions that can compress like 7-zip. 🙁

      1 user thanked author for this post.
    • #171765

      7 Zip wow haven’t used that in a while. I remember it being included in some HP PC if I am not mistaken. These days I just use the built in unzipper in Windows 10 for what I need. Its not unfamiliar to me though, plenty of PC’s I work on still have it installed.

      1 user thanked author for this post.
      • #171801

        These days I just use the built in unzipper in Windows 10 for what I need.

        I know what you mean; for ad hoc compression and decompression of .zip files I often do the same.

        But it’s really just another case where a convenient, mediocre solution eclipses an elegant one.

        I’m reminded of the scene in the film “Contact”, where the “Bill Gates” like character H. R. Hadden is explaining to Dr. Eleanor Arroway that the alien culture is highly advanced, which of course means “efficient functioning on multiple levels”.

        How is anything that’s actually happening in our real world taking us toward that ideal?

        -Noel

        • #171837

          can you do a compressed file preview without 7zip in w10?

          • #172238

            You should be able to double click a ZIP archive and see file and navigate the contained directory structure. I think using Windows explorer you have to decompress a single file somewhere else to view the contents.

      • #171863

        @jescott418 yep same here The only piece of crudware that came to me with a brand new HP machine that I ever liked or kept, OS excepted.
        What’s not to like about 7zip its fast, its a one stop deal for me with zip handling, if 7zip cant do it then its probably not worth doing. The only limitations with it I can see is it doesent go and get me a cold Beer out the fridge and brew a nice cup of tea, maybe later versions eh Igor?

    • #171783

      That just sucks. I use 7-zip to compress things into RAR and 7z files (For ZIP files, File Explorer does the job just fine), and I shun other programs like WinZIP and WinRAR because why have a zillion programs to do the same thing when one can do it all (without ads and without the annoying trial period popup in WinRAR)?

      I guess the other awesome thing about 7-Zip is that it’s open source, but that doesn’t mean an awful lot to non-programming experts like me, other than the reassurance that the code lives on when the coder moves on.

    • #171794

      While I appreciate the news in the first place, I think that there is an over-reaction here. There are enterprise products which still do not implement ASLR or recommend disabling it for performance reasons, so targeting 7-zip here is unfair at least. There are boundaries to what is and what is not a critical security issue. And the fact that a Microsoft rep recommends implementing Microsoft security technologies built-in Windows is not something new. It is certainly preferable to have those technologies in place, but the lack of them does not inherently make a product insecure.

      11 users thanked author for this post.
    • #171796

      My first thought on this is that maybe the author knows more about what he’s doing than the folks “pressuring” him to enable switches that may have downsides.

      Imagine, for example, a compile/link switch that makes the code measurably less efficient, but does not really provide any substantial benefit when considering how the product actually works. Who would want such a switch thrown? Those who would benefit from selling people new hardware?

      It is my considered opinion that computer security, as discussed by the public, is more marketing and hype than substance.

      -Noel

      9 users thanked author for this post.
    • #171802

      If I need to encrypt something, I use WinZip. From what I understand, it has very good encryption built in.

      Group "L" (Linux Mint)
      with Windows 8.1 running in a VM
      3 users thanked author for this post.
      • #172000

        So glad to see someone finally mention Winzip.  I’ve used Winzip for decades myself with no problems, and it is compatible with most other compression programs, Windows included.  It’s not free, but you can still use it after the trial period.

        Experience is that marvelous thing that enables you recognize a mistake as soon as you make it again.

    • #171804

      Anyone caught by the ridiculous security hysteria spread by utterly useless zealots and talking-heads should download the 7-Zip source code, fix all security bugs, if any, apply the ‘security’ compiler switches recommended by Microsoft (even if Microsoft does not compile quite a number of their own executables with those switches — just look at Windows 10, the ‘most secure’ Windows…), and compile 7-Zip… And… the folks at Microsoft better shut up…

      1 user thanked author for this post.
    • #171829

      I really like 7-Zip, having used it reliably since XP days.

      Would using 7-Zip in a sandbox or VM allow you to check for any malware in the files being opened before moving them to your system? I really like the concept of Qubes OS, where your operating system is separate from the program running in it, and you can separate out the different programs, too. It doesn’t have the novice user friendliness of Windows or Linux Mint, but the idea of not letting programs run promiscuously with your OS really appeals to me for basic safety and security reasons.

      Do other products do the same thing, or have they incorporated fixes? I’d hate to move from one product that has been checked closely, to another product that looks better, because no one bothered to check it out yet.

       

       

      Non-techy Win 10 Pro and Linux Mint experimenter

      • #171834

        I find this interesting, but am not sure I understand the following:

        I really like the concept of Qubes OS, where your operating system is separate from the program running in it

        Does this mean those programs are not allowed to make system calls? Or is it something else?

        Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

        • #171842

          @OscarCP-

          As this is getting off topic of 7-Zip… may I refer you to ‘An Introduction to Qubes OS’: https://www.qubes-os.org/intro/

          I don’t have the technical answers… but the concept of running everything in separate compartments, but easily available on the desktop, appeals to me. I can put the programs I run in separate Qubes with individualized security settings. They utilize single use, disposible Qubes for opening attachments. Exactly how that is done is beyond me, but Qubes is showing up frequently in searches for the best security based Linux distros.

          It is one of the free and open source distros I am exploring prior to end of life for Win 7.  I’d be interested in a more detailed, techy take on this. This might be a subject to open in the Linux for Window Wonks forum.

          Non-techy Win 10 Pro and Linux Mint experimenter

          • #171858

            Thanks Elly. The link in your reply to my question makes things more clear: various types of applications run on their own and separate virtual machines (VMs), called “qubes”, and these run, in turn, on a Linux-type OS that does not talk to the outside world (except, I imagine, through the keyboard and mouse of the superuser), only the qube VMs do. This makes it, somehow, very hard to infect this submarine OS with malware that comes in from the Internet or some contaminated media in disks or USB memory sticks, etc. All that will go into some qube or qubes instead, where it can be contained by putting in quarantine the infected qube.

            This looks like something worthy of further discussion in one of the Linux streams at Woody’s, particularly for those of us looking for alternatives to Windows 7, when it reaches its end of life in less than two years from now.

            Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

            MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
            Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
            macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

            1 user thanked author for this post.
            • #171866

              @ OscarCP- That gives a pretty good description of how Qubes is set up… thank you, as it helped me visualize it better in my own mind.

              Non-techy Win 10 Pro and Linux Mint experimenter

      • #171860

        @Elly:

        The problem with 7Zip is that the encryption is not very strong. Therefore the danger is, if you email a sensitive document that has been encrypted by 7Zip, the encryption could be broken and the document read by a non-authorized person.

        Strong encryption would allow you to zip any document, encrypt it, and email it, without having to worry about anyone being able to read it.

        WinZip has strong encryption. I use it whenever I have to send a sensitive document. But based on this article, I won’t be using 7Zip.

        I like the idea behind Qubes – a separate, isolated sandbox for each OS you want to run; but I never could figure it out, so I finally uninstalled it.

        Jim

        Group "L" (Linux Mint)
        with Windows 8.1 running in a VM
        2 users thanked author for this post.
        • #171865

          Thank you for translating what those problematic processes actually do. I respect encryption, and believe in privacy, so that would be important for me.

          You have been experimenting with Linux, too… I have difficulty determining whether it is myself, or the OS that is lacking… and tend to blame myself. You are successful with Linux Mint, I think… and that gives me hope, to keep on experimenting.

          Non-techy Win 10 Pro and Linux Mint experimenter

          • #172042

            @Elly:

            Create yourself a Linux Live flash drive with persistent storage. I recommend that you choose Linux Mint xfce, and pick the 32-bit or 64-bit version, depending on how much memory you have. (4 GB — 32-bit; 8 or more GB – 64-bit).

            Then try it out for a while, to see what you think of it.

            You could do the same for Ubuntu and other Linux distros.

            Jim

            Group "L" (Linux Mint)
            with Windows 8.1 running in a VM
            1 user thanked author for this post.
        • #171914

          It does have some hardware requirements, check their information.

          Check also Qubes OS Tutorials by Switched to Linux on YouTube.

          1 user thanked author for this post.
        • #172168

          The 7z archive format requires strong AES-256 encryption.

          “There are actually two types of Zip file encryption. The older Zip 2.0 encryption is extremely insecure, while the newer AES encryption is fairly secure.”

          More here:

          https://www.howtogeek.com/203590/how-to-create-secure-encrypted-zip-or-7z-archives-on-any-operating-system/

          Windows 10 Pro 22H2

          2 users thanked author for this post.
        • #172174

          The problem with 7Zip is that the encryption is not very strong. Therefore the danger is, if you email a sensitive document that has been encrypted by 7Zip, the encryption could be broken and the document read by a non-authorized person.


          @MrJimPhelps
          , I’m afraid you’re somewhat misinformed. I use the latest non-beta version of 7-zip, 18.01, and the only option I have when I want to encrypt a file when adding it to an archive/zipping it up is AES 256. The old option of the ZipCrypto encryption algorithm is gone, at least for me on Win 7 x64 SP1.

      • #171917

        “Would using 7-Zip in a sandbox or VM allow you to check for any malware in the files being opened before moving them to your system?”

        There is a security benefit to using 7-Zip in a virtual machine instead of on your physical computer. The issue in this topic though is with purposely malformed archive files, not the file(s) contained within a given archive file.

    • #171833

      So, if this actually mattered, then, as per Woody, the same worries could be said to be justified with WinRAR. So, what about WinZip? Or gzip, for that matter? Or good old UNIX “compress”? Not sure about WinZip, but those other two don’t seem to be getting lots of updates of late.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      • #171882

        To answer your question one would need to ask the creators or maintainers of the program and optionally have a file analyzer tool to tell you about it.

    • #171838

      thank you for your post (i agree)

    • #171846

      I will not 🙂

      4 users thanked author for this post.
      • #171859

        Is this about my question on WinZip, gzip and compress?

        If so, what I was hoping for was some guidance. I am afraid these answers are a little too terse for me. If they are, indeed, for me. If not, am curious, what are they about?

        Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #171910

      Woody’s post mentions Stefan Kanthak’s concern because 7-Zip installs (or at least can install) a Windows Explorer shell extension. Here is the reason that using a Windows Explorer shell extension that doesn’t use the appropriate security measures is bad news: Quickpost: “It Does No Harm…” or Does It?

      5 users thanked author for this post.
      • #172133

        There are two ways in which the presence of the 7-Zip shell extension can be a security concern:

        1. The presence of a non-ASLR DLL in whatever processes the 7-Zip shell extension DLL is used in (such as explorer.exe) means that 7-Zip code is available in predictable memory locations in those process(es), which can let an exploit use return-oriented programming gadgets.

        2. If there is a vulnerability in the 7-Zip shell extension DLL, then it might be possible that this vulnerable code could be triggered in Windows/File Explorer (or whatever other processes the 7-Zip shell extension DLL is used in) if a specially-crafted archive file is present without even opening it, in a manner similar to what is described here.

        1 user thanked author for this post.
    • #171912

      From Security-Risk: Avoid 7-Zip: “Let’s get to the beef of this article. The developer of this tool refuse to hardening its software against unknown security vulnerabilities. To harden software with respect to the exploitability of unknown vulnerabilities, developers can specify different options when linking modules to an executable binary file. This Microsoft document introduces two such options for improving application security. There are other techniques (like compiler options to check for buffer overflow in executable code) of this kind, some of which have been known for many years.”

      1 user thanked author for this post.
    • #171932

      I myself have never been quite clear on what the security problems are. I know that there are no known exploits, but what sort of exploit is theoretically possible?

      If the problem is merely the Explorer integration having possible security issues, then that can be turned off. You have to run the app as administrator, but you can uncheck the options. I have now done so, and I’ll see how convenient it is.

      I already only use 7-zip for non ZIP archives.

      • #171954

        The danger is that exploitation of 7-Zip code using a specially-crafted archive file could be easier because the 7-Zip developer isn’t using some anti-exploit features.

        1 user thanked author for this post.
    • #171946

      The solution seems simple and was proposed early on in the these comments about the issue. Someone who knows what they are doing needs to recompile the 7-zip source code with the necessary switches and see if the resulting executable is stable and functional. If so, release it to the public (with all the appropriate credit to the original author).  Igor will quickly see that most will choose the new version over the old if given a choice when downloading 7-zip.

       

      Most users do not compress files with a stopwatch in their hand and don’t really care about max speed over security and functionality – free, useful and reliable is all that most care about.

       

      With billions of internet users and millions using 7-zip including 3rd party vendors making use of 7-zip functionality, someone must have recompiled it by now…

       

       

       

      2 users thanked author for this post.
    • #171957

      “The core of the problem: Pavlov refuses to add ASLR (Address Space Layout Randomization) to the product, and won’t compile 7-Zip with the /GS Buffer Security Check flag.”

      Background info on ASLR: On the effectiveness of DEP and ASLR (2010).

    • #171963

      The 7-Zip developer commented at #1270 enable DEP and ASLR (this is a cached version since sourceforge seems to be having problems now).

    • #171964

      From Woody’s post:
      I’m not so concerned about individual, manual use, but the incorporation of 7-Zip binaries into other packages. An anonymous poster here on AskWoody came up with a long list of other packages that rely on 7-Zip, including WinRAR, Flash, and some .NET applications.

      I’m the “anonymous” who posted the said list of 3rd-party software that use standalone or embedded 7-zip libraries. It isn’t a comprehensive list (more an outline), but may perhaps provide an idea of how large the potential attack surface area could be.

      Before that, I also highlighted (31 Jan 2018) in the same forum thread that 7-zip v18.01 stable (29 Jan 2018) may not have included a fix for the ADSL security vulnerability, since the changelog makes no mention of it. (And neither does the latest v18.02 beta [03 Mar 2018] include the said fix.)

      At that time, nobody seemed to be talking about this issue. But I was/am curious to know about the possible impacts of leaving the ADSL vulnerability unfixed, & what precautions I can take wrt malformed archive files from external sources.

      Taking 7-zip as an example, its “extra” package (which contains the commandline EXE & DLL plugins) is offered as a 7z download. And 7-zip’s official website & downloads are strictly HTTP, which makes them susceptible to MitM compromises. Would scanning malformed archive files with malware scanner flag them as malicious ?

      Note: I’ve no IT training & can’t read source-code — much less compile a software. I’m just a daily end-user of 7-zip & numerous 3rd-party software that use 7-zip libraries.

      I also mentioned in the the aforementioned 7-zip thread that Landave (the security researcher who blogged about 7-zip’s vulnerabilities) did compile 7-zip with fixes for all the known security vulnerabilities in Jan 2018.

      And the resulting increase in binary size is apparently just 8-9 KB — contrary to 7-zip developer’s concern that doing so would bloat the binary.

      4 users thanked author for this post.
      • #171991

        Microsoft itself uses 7z to package .NET updates/releases, including the Offline Installer for all OSs, and rollup updates for Windows 7 and Vista

        1 user thanked author for this post.
    • #171966

      Noel Carboni said:
      My first thought on this is that maybe the author knows more about what he’s doing than the folks “pressuring” him to enable switches that may have downsides.

      MrJimPhelps said:
      whenever I read that the author of a program like 7/Zip refuses to include essential security features in his product, I wonder if he was told not to include these features.

      7-zip’s developer did explain why he does not want to fix the issues that make 7-zip less secure. That’s because years before Landave blogged about it, there were already users who noticed the same issues with 7-zip.

      Back in Mar 2012, there was a user request for ASLR (Address Space Layout Randomization) & DEP (Executable Space Protection) to be enabled in 7-zip.

      The developer’s response was:

      I suppose that problem is more complex than just compiler switch. No time for these things now. Maybe later I’ll look it. I still use old compiler for 32-bit version.

      And elsewhere on Twitterverse (13 May 2016):

      https://twitter.com/ericlaw/status/731178499424329728
      It’s important to upgrade 7zip to v16 to avoid security bugs. Get the unsigned, DLL hijackable installer via HTTP…

      and be aware that ASLR is disabled and 7-zip doesn’t work with SmartScreen/Windows security.

      More recently in Sep 2017, another 2 users raised the same request with 7-zip’s developer. His response is quoted as follows:

      It’s not BUG. It’s feature or missing of feature.

      7-Zip doesn’t use ASLR. Files are smaller so. ASLR is new feature. I use old [compilers] and linkers without ASLR support. I can compile with /FIXED:NO and patch for ASLR flag with another tool. But ASLR is just some additional level of protection. There is no big gain from it.

      DEP is good thing. But it’s [unclear] for me why there is 32-bit and 64-bit code difference.

      As for the “files are smaller so” remark, 7-zip with ASLR enabled is a mere 8-9 KB (kilobytes) larger — as I’d mentioned earlier on.

      3 users thanked author for this post.
    • #172006
    • #172007

      The conclusion from the author of an exploit of a 2016 7-Zip vulnerability: “Still lack of current standard mitigations in some products makes exploitation significantly easier.”

      1 user thanked author for this post.
    • #172018

      Can someone post easy instructions to install EMET on windows 7 and what settings to use for 7zip? It’s a little bit complicated for some people that never used it.

    • #172134

      Another security issue with 7-Zip is that it doesn’t use “mark of the web.”

    • #172213

      I actually find “mark of the web” especially annoying on zip files. I hate how Windows handles it, at least. It should just warn me when I unzip, not apply it to all the unzipped files. That can make programs not work if a DLL or necessary EXE gets marked. And then I have to manually go through and unmark them.

      This is not the case with an installer, which is, at its core, just a glorified archive. So I don’t see why it should apply to archives.

      Sure, I wouldn’t mind if 7Zip warned me before unarchiving, but I largely find the warning useless. I know I got the file from online. That’s why I put it in my Downloads folder. And, usually, I just finished downloading it.

      Smartscreen is at least a step in the right direction, only warning me if the file is not one that is recognized as safe. That’s actually a useful warning. Unfortunately, I use Windows 7, so I don’t get that feature. I just get the annoying popup I have to click through–or, worse, with ZIP files, I have to choose Open Download Folder, right click on Properties, and remove the checkbox so I can then unzip it and have a working program when I’m finished.

      I’ve actually had huge archives that took hours to unzip, and then just deleted the files and did it again over this mark-of-the-web thing. It’s easier than going through every single file.

      • #172471

        Smartscreen is at least a step in the right direction, only warning me if the file is not one that is recognized as safe. That’s actually a useful warning. Unfortunately, I use Windows 7, so I don’t get that feature.

        SmartScreen is a function within Internet Explorer, not Windows 7.  To bypass, see http://www.thewindowsclub.com/bypass-smartscreen-filter-ie-edge.

        Win 7 SP1 Home Premium 64-bit; Office 2010; Group B (SaS); Former 'Tech Weenie'
        • #172485

          My preferred way of verifying a downloaded/unzipped executable file is to check it with VirusTotal.

          There is a handy little free utility from Nirsoft, ‘HashMyFiles’, that has an option to ‘Enable Explorer Context Menu – Virus Total’.  That make VirusTotal a completely integrated solution from within Windows file explorer.

          Just right click on any file in Windows explorer and select ‘Open in VirusTotal Web Site’.  The file hash is transmitted to VirusTotal and your browser will be presented with the score from multiple AV engines if it is a previously submitted sample.  If the sample is new, you can upload the entire file for ananlysis as long as it is under 128MB.

          http://www.nirsoft.net/utils/hash_my_files.html

          Highly recommended!  🙂

          Windows 10 Pro 22H2

          1 user thanked author for this post.
    • #172217

      I did tests on a Windows 7 x64 virtual machine using 7-Zip v18.01 x64 and x86 and setdllcharacteristics v0.0.0.1. setdllcharacteristics results for 7-Zip v18.01 x64: https://pastebin.com/h3M2zaUm. setdllcharacteristics results for 7-Zip v18.01 x86: https://pastebin.com/4zfdqmyX. For all files, the DEP switch (NX_COMPAT) is set to 1; this is good news. For all .dll files, the ASLR switch (DYNAMIC_BASE) is set to 1; this is good news. For all .exe and .sfx files, the ASLR switch (DYNAMIC_BASE) is set to 0; this is bad news but not unexpected.

      I also did tests using 7-Zip v18.01 x64, Process Explorer v16.21 (DEP column in upper pane; ASLR and Base Address columns in lower pane), and EMET v5.52. See https://blog.didierstevens.com/2011/01/18/quickpost-checking-aslr/ and http://www.itprotoday.com/security/q-how-can-i-check-effect-windows-address-space-layout-randomization-aslr-feature-windows for more details.

      My conclusions:

      1. For the 7-Zip v18.01 x64 shell extension, ASLR for explorer.exe’s 7-zip.dll works according to Process Explorer (both the ASLR and Base Address columns); the Base Address field for explorer.exe’s 7-zip.dll changed from one boot to another boot. This is good news.

      2. For the 7-Zip v18.01 x86 shell extension, I didn’t test with Process Explorer, but the setdllcharacteristics results for 7-Zip v18.01 x86’s DLL files are encouraging.

      3. Using setdllcharacteristics to change the ASLR switch (DYNAMIC_BASE) of 7-Zip v18.01 x64 file manager (7zFM.exe) doesn’t have any security effect according to Process Explorer Base Address tests. This is not surprising per https://www.askwoody.com/forums/topic/is-it-time-to-give-up-on-7-zip/#post-171967. But if you want to try anyway, see one of the comments at http://www.dslreports.com/forum/r30754614-Flawed-7-Zip-compression-tool-opens-systems-to-hack-Update-it-now.

      4. EMET’s Mandatory ASLR mitigation doesn’t have any effect for the 7-Zip v18.01 x64 file manager (7zFM.exe) according to Process Explorer Base Address tests. This is not surprising per https://www.askwoody.com/forums/topic/is-it-time-to-give-up-on-7-zip/#post-171967. However, it’s still a good idea to use EMET for 7-Zip’s .exe files because of EMET’s other mitigations.

      5. DEP is on for the 7-Zip v18.01 x64 file manager (7zFM.exe) according to Process Explorer; this is good news but not unexpected because according to https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/, “At least he will try to enable /NXCOMPAT for the next release.”

       

       

      2 users thanked author for this post.
    • #172271

      If there’s one think I really hate, it’s when people say things like “What year is it @7zip ?? You guys still running on 90’s hardware??”. This should not be an excuse for bloating a program. I did not buy a faster CPU and more RAM so that developers could get lazy and bloat their applications. I bought them to run the same stuff, and more of it. It’s this kind of thinking that leads to Software bloat and feature creep.

      That said, I still plan on using 7-zip. Nothing comes close to how efficient 7z is. Winrar is slow, and too much flash and bang, and Winzip is bloated. I do think he should enable those compiler switches, even if it adds a tiny bit of bloat, but hey, there’s tons of security holes I’m sure I’m open to these days since technology is all about shoveling in features instead of fixing problems.

      1 user thanked author for this post.
    • #172744

      “INSECURE shell extension is loaded into explorer.exe”  Probably need a bit more elaboration on that.  The 7Z DLL (7-zip.dll) contains a relocation table and is linked with dynamicbase, so ASLR should work.  Maybe there is something else wrong with it.

      It is the .exe files that has the relocation stripped, and not linked with dynamicbase.    I’ll give the developer credit though.  He knows the two go together.   I’ve seen some others with dynamicbase but no relocation table, like VLC.

      1 user thanked author for this post.
      • #172807

        Your statements are consistent with my test results in my previous comments.

        • #173855

          While your previous comments did rule out the ASLR aspect, it requires that we assume that some deficiency in the ASLR implementation was why the integration of 7-Zip into explorer.exe results in a problem, a conclusion I disagree with, and what you tested.

          I hate assumptions.   So, if the author of the critique had mentioned that the integration of 7-Zip into explorer resulted in inferior security of explorer because of the ASLR deficiency, well then I would have been satisfied (although I disagree with that conclusion).  That was certainly in the context of the review.   But, still, the way it was worded left open the possibility that something else in 7-Zip.dll creates a problem,  and if so, I would have liked to seen an elaboration of such other problem.

          EDIT html to text

    • #218092

      Did anyone check the Peazip binary if all 3 of these switches are enabled? I’m sticking with the built-in Windows10 zip functionality until I can find out. I’ll use a portable version of Peazip if I have to use one of these more powerful utilities until I can confirm it.

      Security should be the top priority for all software, because even if you do try your best – there’s always new vulnerabilities to be found. So if you’re not even trying to make security a priority…

    • #223992

      I apologize if this is way after the date this was published; but I have 7-Zip, however, I more frequently use WinRAR. I have a version which was registered to my old (out-of-service) Windows Vista computer.

      I downloaded the V4 version of WinRAR onto my new(er) computer running Windows 7 x64, and, as a try, input the registration code from the Vista version.

      Hoky smokes, Bullwinkle. It took it.

      [EDITED – pls refer to Lounge Rules] I have a version of 7-Zip, but for my purposes, are more attuned to using WinRAR.

      Some of the semi-anonymous uploaders I utilize will not accept a .7z file – but will accept a .rar file. So that is the file compression scheme I prefer.

      Important links you can use, without the monetization pitch = https://pqrs-ltd.xyz/bookmark4.html
    Viewing 32 reply threads
    Reply To: Is it time to give up on 7-Zip?

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: