I’ve been a 7-Zip fan for, like, forever. That’s why it pains me to report that several people — people who know what they’re doing — are taking 7-Z
[See the full post at: Is it time to give up on 7-Zip?]
Is it time to give up on 7-Zip?
- This topic has 97 replies, 25 voices, and was last updated 4 years, 7 months ago.
MrJimPhelps
AskWoody MVP
I don’t mean to be conspiratorial, but whenever I read that the author of a program like 7/Zip refuses to include essential security features in his product, I wonder if he was told not to include these features.
I have discussed this issue with Igor Pavlov and tried to convince him to enable all three flags. However, he refused to enable /DYNAMICBASE [the ASLR flag] because he prefers to ship the binaries without relocation table to achieve a minimal binary size. Moreover, he doesn’t want to enable /GS, because it could affect the runtime as well as the binary size.
From what I have heard many times, the US government (specifically the NSA) pressures companies to include back doors in their products.
Group "L" (Linux Mint)
with Windows 8.1 running in a VM
ch100
AskWoody_MVP
He he, there are always other interested organizations in this sort of stuff, not only NSA.
The issue with the backdoors is that sooner or later, all those interested will find out and use those backdoors, not only the original sponsor. Sometimes even “script kiddies” take advantage when the backdoors are made public and the systems do not keep up with patching.
While it is not clear if those backdoors are allowed on purpose in the first place, based on current information it is safe to assume so.
JNP
AskWoody Lounger
If not 7-Zip, then what other program that does what 7-Zip does AND doesn’t contain the security holes about which you are concerned? (Redundant of post entered before logging in and tagged as anonymous.)
rc primak
AskWoody_MVP
From what I’ve read, 7-ZIP would not need to be replaced. It’s open-source, so anyone can recompile the source code with the added security. And EMET or Windows Exploit Protection may be able to provide sufficient protections if you are running the most up to date versions of 7-ZIP. In Linux, there’s AppArmor, which may be able to add similar protections to PeaZIP (which is based on the 7-ZIP binaries). I am not a security or coding expert, but it seems a fix could be developed and released as a derivative or fork of 7-ZIP. I doubt the author of 7-ZIP would object, as long as he gets due credit.
-- rc primak
MrJimPhelps
AskWoody MVP
How many regular users will know how to recompile the source code with the added security? How many will even think about these issues? The “regular folks”, who aren’t even aware of these issues, let alone capable of addressing them, are the ones I am concerned about.
Group "L" (Linux Mint)
with Windows 8.1 running in a VM
Ascaris
AskWoody MVP
Regular folks would not be aware of the need, or even know what it means to compile something… but if that’s really all it takes, someone out there could take the open-source code and simply compile it with the new compiler directives, and make that compiled product available to the public.
It’s kind of how I believe Waterfox got started… years ago, Mozilla did not offer any official 64-bit builds of Firefox for Windows, so MrAlex94 began to build the Firefox source into 64-bit binaries, so that end users who don’t have the resources or desire to compile it themselves can still benefit. I’m not sure what Mozilla’s reasoning was; they already offered 64-bit versions for Mac and Linux, and from the first moment I tried Waterfox (which only existed in 64-bit form) in Windows, it was more stable than 32-bit Firefox by far.
Now that Mozilla offers 64-bit Windows binaries, the focus of Waterfox has shifted, but in the beginning, it was all about it being compiled differently. The same could apply to 7-Zip, if there is any real demand for it.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/16GB & GTX1660ti, KDE Neon
Acer Swift Go 14, i5-1335U/16GB, KDE Neon
lurks about
AskWoody Lounger
Regular users are more vulnerable because they are likely to search on ‘7-zip’ and download the first search return. This is likely to be 7-Zip and not a derivative. Technically adept users aware of the problem are likely to seek an alternative. As Ascaris noted, someone else could take on the chore of making the necessary changes and compilation and release it to the public so hopefully very few would ever actually do the compilation on any OS.
woody
Manager
So I asked Stefan if he had a good alternative to 7-Zip, and this is what he said:
Windows (since ’95) NATIVE archive format .CAB: without delta compression it compresses almost as good as .7z, and with delta compression it performs BETTER than .7z.
Additionally .CAB archives can be digitally (authenticode) signed, which no other format offers (except .ZIP when used for OOXML or OpenXML format files), and both Windows’ SetupAPI and Windows, er, Microsoft Installer as well as the “component based servicing” can process their contents without unpacking the whole archive.
Unfortunately Microsoft does not offer to create .CAB archives in Windows Explorer; users need to call MAKECAB.exe on the command line or use IEXPRESS.exe.
So: .CAB for incoming files, especially installer packages (.MSU are .CAB archives, they just have another extension; .MSI and .MSP contain their payload as .CAB archives, as well as the self-extracting installers provided by Microsoft), and .ZIP for outgoing archives.
Developers and vendors should ALWAYS use and support the NATIVE archive format of the target OS, they should NEVER force their users/customers to install additional software to access or use files they distribute.
The arguments from https://skanthak.homepage.t-online.de/!execute.html apply here too: ALWAYS use the NATIVE format of the target OS, NEVER expect or force your users to jump through loops to access or use what you distribute. People who send/distribute .7z, .RAR, .ARJ or other “strange” formats to Windows users don’t want them to use what they provide.
That’s basically the KISS principle: keep it simple for your users, SAVE them from all possible hassle and additional vulnerabilities, be it “strange” archive formats or executable installers/self-extractors, which are almost always vulnerable, and seduce people to EXECUTE anything they get.
What do you think?
anonymous
Guest
Before there were CABinet files for general public use, ZIP files became the standard for DOS (ACE, ZOO, ARJ & a few others were competition). Many more people may know how to create and extract the .ZIP file extension contents so it is better to use that for most cases if you do not wish to explain yourself. 🙂
The ability to sign a .CAB file, an advantage if the distributor of the package is honest.
anonymous
Guest
Jan K.
AskWoody Lounger
anonymous
Guest
What Stefan would want you to do is use Microsoft’s native CABinet archive file format with Windows. Stefan is blind to the fact the IExpress utility & makecab programs aren’t widely known by most people to make a .CAB archive. There may be too few to none other than Microsoft’s programs that could make one. CAB files are still mostly a Microsoft internal use product.
Microsoft were wise to add .ZIP capabilities to explorer in part because of its ubiquity, it has been widely known since approximately the latter half of the 1980s. So you can ignore the advice for Windows. For GNU/Linux, Unix he is generally right because many files are TARed & GZipped for distribution.
Did this clarify or create befuddlement in your brain?
MrJimPhelps
AskWoody MVP
Encryption is one of the two issues here, that is, the ability to encrypt a document so as to prevent unauthorized people from reading it, because the author chose not to include the more secure encryption in 7Zip.
The other issue is the ability of someone to tamper with your zipped document.
WinZip has excellent encryption. So using WinZip would address both of these concerns.
Group "L" (Linux Mint)
with Windows 8.1 running in a VM
JohnW
AskWoody Plus
The 7-Zip author has added the stronger AES-256 encryption as an archive option for the .zip format. ZipCrypto is the default, but if you choose the dropdown menu selector for ‘encryption method’, you will see that both choices are available.
AES-256 is the only encryption method choice for the .7z format.
Windows 10 Pro 22H2
MrJimPhelps
AskWoody MVP
In the original post, Woody put the following quote:
I have discussed this issue with Igor Pavlov and tried to convince him to enable all three flags. However, he refused to enable /DYNAMICBASE [the ASLR flag] because he prefers to ship the binaries without relocation table to achieve a minimal binary size. Moreover, he doesn’t want to enable /GS, because it could affect the runtime as well as the binary size.
Are you saying that these are not valid security concerns?
Group "L" (Linux Mint)
with Windows 8.1 running in a VM
JohnW
AskWoody Plus
Noel Carboni
AskWoody_MVP
In their ivory towers, experts may have opinions, but the fact is that tools such as 7-zip that open a large variety of formats are needed because the OS simply doesn’t provide native support for all the formats.
Ever download a .tar.gz file from, say, an open source library site? It’s in that format because (surprise) the world doesn’t revolve around Microsoft. I assume the answer will be yes as it is for so many of us. If so, what did you use to open it?
And regarding “native” support for .CAB… The underlying SDK APIs to access CAB files were already outdated at the turn of the millennium. Now they’re positively ancient. I know because we’ve coded software to create .CAB files to contain submitted error reports recently.
I have to ask: Are a lot of people being infected by 7-zip? “Theoretical” vulnerabilities do serve to help people improve products, but is 7-zip really proving worthy of such worry?
-Noel
abbodi86
AskWoody_MVP
Delta compression cab, or better known as Intra Package Delta, is an exclusive for Microsoft updates; it’s not available in Windows and no one can create it but them.
As I pointed out, even Microsoft uses 7z library to pack .NET executable updates.
rc primak
AskWoody_MVP
7Zip exploit protection settings recommendation
https://malwaretips.com/threads/7zip-exploit-protection-settings-recommendation.76887/
(etc) …
That was me, in the below Anonymous Posting (#171747)
— rc primak —
-- rc primak
anonymous
Guest
MrBrian
AskWoody_MVP
Comment from landave: “While mandatory ASLR is a nice feature (and will be supported by Windows 10 even without EMET), it will not work for binaries with stripped relocation table. Igor seems to do exactly this to reduce the size of the binary.
Also, EMET cannot give you stack canaries if the binary is not compiled with /GS.”
RC Primak
Guest
7Zip exploit protection settings recommendation
https://malwaretips.com/threads/7zip-exploit-protection-settings-recommendation.76887/
So, with either EMET or Exploit Guard, MS Windows can be configured to make 7-ZIP adhere to the recommended security protocols. So what’s the flap about?
In Linux, AppArmor can provide similar protection to PeaZip, which is based on 7-ZIP’s binaries.
Or you can go out, get the binary’s source code, add ASLR and other security .dll’s (or whatever Linux uses), and recompile your own secure version of 7-ZIP and PeaZIP. And if anyone does this, hopefully they will share the resulting package with the rest of us.
Morty
AskWoody Lounger
anonymous
Guest
Thankfully it is open and people with knowledge can recompile it to their liking. 7-zip compression is used in software deployment, hopefully the software engineers will see have this and do what is necessary to make it a little more secure.
Their are not many software solutions that can compress like 7-zip. 🙁
anonymous
Guest
Cybertooth
AskWoody Plus
The power went out at my office just about the time that you posted with “their”. Does that count? 😉
_Reassigned Account
AskWoody Lounger
7 Zip wow haven’t used that in a while. I remember it being included in some HP PC if I am not mistaken. These days I just use the built in unzipper in Windows 10 for what I need. It’s not unfamiliar to me though, plenty of PC’s I work on still have it installed.
Noel Carboni
AskWoody_MVP
These days I just use the built in unzipper in Windows 10 for what I need.
I know what you mean; for ad hoc compression and decompression of .zip files I often do the same.
But it’s really just another case where a convenient, mediocre solution eclipses an elegant one.
I’m reminded of the scene in the film “Contact”, where the “Bill Gates” like character H. R. Hadden is explaining to Dr. Eleanor Arroway that the alien culture is highly advanced, which of course means “efficient functioning on multiple levels”.
How is anything that’s actually happening in our real world taking us toward that ideal?
-Noel
anonymous
Guest
anonymous
Guest
BobbyB
AskWoody Lounger
@jescott418 yep same here. The only piece of crudware that came to me with a brand new HP machine that I ever liked or kept, OS excepted.
What’s not to like about 7zip? It’s fast, it’s a one stop deal for me with zip handling, if 7zip can’t do it then it’s probably not worth doing. The only limitations with it I can see is it doesn’t go and get me a cold Beer out the fridge and brew a nice cup of tea, maybe later versions eh Igor?
anonymous
Guest
That just sucks. I use 7-zip to compress things into RAR and 7z files (For ZIP files, File Explorer does the job just fine), and I shun other programs like WinZIP and WinRAR because why have a zillion programs to do the same thing when one can do it all (without ads and without the annoying trial period popup in WinRAR)?
I guess the other awesome thing about 7-Zip is that it’s open source, but that doesn’t mean an awful lot to non-programming experts like me, other than the reassurance that the code lives on when the coder moves on.
ch100
AskWoody_MVP
While I appreciate the news in the first place, I think that there is an over-reaction here. There are enterprise products which still do not implement ASLR or recommend disabling it for performance reasons, so targeting 7-zip here is unfair at least. There are boundaries to what is and what is not a critical security issue. And the fact that a Microsoft rep recommends implementing Microsoft security technologies built-in Windows is not something new. It is certainly preferable to have those technologies in place, but the lack of them does not inherently make a product insecure.
Noel Carboni
AskWoody_MVP
My first thought on this is that maybe the author knows more about what he’s doing than the folks “pressuring” him to enable switches that may have downsides.
Imagine, for example, a compile/link switch that makes the code measurably less efficient, but does not really provide any substantial benefit when considering how the product actually works. Who would want such a switch thrown? Those who would benefit from selling people new hardware?
It is my considered opinion that computer security, as discussed by the public, is more marketing and hype than substance.
-Noel
MrJimPhelps
AskWoody MVP
Charlie
AskWoody Plus
So glad to see someone finally mention Winzip. I’ve used Winzip for decades myself with no problems, and it is compatible with most other compression programs, Windows included. It’s not free, but you can still use it after the trial period.
Experience is that marvelous thing that enables you recognize a mistake as soon as you make it again.
anonymous
Guest
Anyone caught by the ridiculous security hysteria spread by utterly useless zealots and talking-heads should download the 7-Zip source code, fix all security bugs, if any, apply the ‘security’ compiler switches recommended by Microsoft (even if Microsoft does not compile quite a number of their own executables with those switches — just look at Windows 10, the ‘most secure’ Windows…), and compile 7-Zip… And… the folks at Microsoft better shut up…
Elly
AskWoody MVP
I really like 7-Zip, having used it reliably since XP days.
Would using 7-Zip in a sandbox or VM allow you to check for any malware in the files being opened before moving them to your system? I really like the concept of Qubes OS, where your operating system is separate from the program running in it, and you can separate out the different programs, too. It doesn’t have the novice user friendliness of Windows or Linux Mint, but the idea of not letting programs run promiscuously with your OS really appeals to me for basic safety and security reasons.
Do other products do the same thing, or have they incorporated fixes? I’d hate to move from one product that has been checked closely, to another product that looks better, because no one bothered to check it out yet.
Non-techy Win 10 Pro and Linux Mint experimenter
OscarCP
Member
I find this interesting, but am not sure I understand the following:
“I really like the concept of Qubes OS, where your operating system is separate from the program running in it”
Does this mean those programs are not allowed to make system calls? Or is it something else?
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV
Elly
AskWoody MVP
@OscarCP-
As this is getting off topic of 7-Zip… may I refer you to ‘An Introduction to Qubes OS’: https://www.qubes-os.org/intro/
I don’t have the technical answers… but the concept of running everything in separate compartments, but easily available on the desktop, appeals to me. I can put the programs I run in separate Qubes with individualized security settings. They utilize single use, disposable Qubes for opening attachments. Exactly how that is done is beyond me, but Qubes is showing up frequently in searches for the best security based Linux distros.
It is one of the free and open source distros I am exploring prior to end of life for Win 7. I’d be interested in a more detailed, techy take on this. This might be a subject to open in the Linux for Window Wonks forum.
Non-techy Win 10 Pro and Linux Mint experimenter
OscarCP
Member
Thanks Elly. The link in your reply to my question makes things more clear: various types of applications run on their own and separate virtual machines (VMs), called “qubes”, and these run, in turn, on a Linux-type OS that does not talk to the outside world (except, I imagine, through the keyboard and mouse of the superuser), only the qube VMs do. This makes it, somehow, very hard to infect this submarine OS with malware that comes in from the Internet or some contaminated media in disks or USB memory sticks, etc. All that will go into some qube or qubes instead, where it can be contained by putting in quarantine the infected qube.
This looks like something worthy of further discussion in one of the Linux streams at Woody’s, particularly for those of us looking for alternatives to Windows 7, when it reaches its end of life in less than two years from now.
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV
Elly
AskWoody MVP
MrJimPhelps
AskWoody MVP
The problem with 7Zip is that the encryption is not very strong. Therefore the danger is, if you email a sensitive document that has been encrypted by 7Zip, the encryption could be broken and the document read by a non-authorized person.
Strong encryption would allow you to zip any document, encrypt it, and email it, without having to worry about anyone being able to read it.
WinZip has strong encryption. I use it whenever I have to send a sensitive document. But based on this article, I won’t be using 7Zip.
I like the idea behind Qubes – a separate, isolated sandbox for each OS you want to run; but I never could figure it out, so I finally uninstalled it.
Jim
Group "L" (Linux Mint)
with Windows 8.1 running in a VM
Elly
AskWoody MVP
Thank you for translating what those problematic processes actually do. I respect encryption, and believe in privacy, so that would be important for me.
You have been experimenting with Linux, too… I have difficulty determining whether it is myself, or the OS that is lacking… and tend to blame myself. You are successful with Linux Mint, I think… and that gives me hope, to keep on experimenting.
Non-techy Win 10 Pro and Linux Mint experimenter
MrJimPhelps
AskWoody MVP
Create yourself a Linux Live flash drive with persistent storage. I recommend that you choose Linux Mint xfce, and pick the 32-bit or 64-bit version, depending on how much memory you have. (4 GB — 32-bit; 8 or more GB – 64-bit).
Then try it out for a while, to see what you think of it.
You could do the same for Ubuntu and other Linux distros.
Jim
Group "L" (Linux Mint)
with Windows 8.1 running in a VM
anonymous
Guest
JohnW
AskWoody Plus
The 7z archive format requires strong AES-256 encryption.
“There are actually two types of Zip file encryption. The older Zip 2.0 encryption is extremely insecure, while the newer AES encryption is fairly secure.”
More here:
Windows 10 Pro 22H2
anonymous
Guest
The problem with 7Zip is that the encryption is not very strong. Therefore the danger is, if you email a sensitive document that has been encrypted by 7Zip, the encryption could be broken and the document read by a non-authorized person.
@MrJimPhelps, I’m afraid you’re somewhat misinformed. I use the latest non-beta version of 7-zip, 18.01, and the only option I have when I want to encrypt a file when adding it to an archive/zipping it up is AES 256. The old option of the ZipCrypto encryption algorithm is gone, at least for me on Win 7 x64 SP1.
MrBrian
AskWoody_MVP
“Would using 7-Zip in a sandbox or VM allow you to check for any malware in the files being opened before moving them to your system?”
There is a security benefit to using 7-Zip in a virtual machine instead of on your physical computer. The issue in this topic though is with purposely malformed archive files, not the file(s) contained within a given archive file.
OscarCP
Member
So, if this actually mattered, then, as per Woody, the same worries could be said to be justified with WinRAR. So, what about WinZip? Or gzip, for that matter? Or good old UNIX “compress”? Not sure about WinZip, but those other two don’t seem to be getting lots of updates of late.
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV
anonymous
Guest
anonymous
Guest
abbodi86
AskWoody_MVP
OscarCP
Member
Is this about my question on WinZip, gzip and compress?
If so, what I was hoping for was some guidance. I am afraid these answers are a little too terse for me. If they are, indeed, for me. If not, am curious, what are they about?
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV
Cascadian
AskWoody Lounger
MrBrian
AskWoody_MVP
Woody’s post mentions Stefan Kanthak’s concern because 7-Zip installs (or at least can install) a Windows Explorer shell extension. Here is the reason that using a Windows Explorer shell extension that doesn’t use the appropriate security measures is bad news: Quickpost: “It Does No Harm…” or Does It?
MrBrian
AskWoody_MVP
There are two ways in which the presence of the 7-Zip shell extension can be a security concern:
1. The presence of a non-ASLR DLL in whatever processes the 7-Zip shell extension DLL is used in (such as explorer.exe) means that 7-Zip code is available in predictable memory locations in those process(es), which can let an exploit use return-oriented programming gadgets.
2. If there is a vulnerability in the 7-Zip shell extension DLL, then it might be possible that this vulnerable code could be triggered in Windows/File Explorer (or whatever other processes the 7-Zip shell extension DLL is used in) if a specially-crafted archive file is present without even opening it, in a manner similar to what is described here.
MrBrian
AskWoody_MVP
From Security-Risk: Avoid 7-Zip: “Let’s get to the beef of this article. The developer of this tool refuse to hardening its software against unknown security vulnerabilities. To harden software with respect to the exploitability of unknown vulnerabilities, developers can specify different options when linking modules to an executable binary file. This Microsoft document introduces two such options for improving application security. There are other techniques (like compiler options to check for buffer overflow in executable code) of this kind, some of which have been known for many years.”
anonymous
Guest
MrBrian
AskWoody_MVP
Good catch :). From https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/: “The 7-Zip binaries for Windows are shipped with neither the /NXCOMPAT nor the /DYNAMICBASE flags. This means effectively that 7-Zip runs without ASLR on all Windows systems, and DEP is only enabled on Windows x64 or on Windows 10 x86.”
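Added example, not part of any post in this thread and not code from 7-Zip or landave: a Python check that reads the PE header fields set by the /DYNAMICBASE and /NXCOMPAT linker options, and detects the stripped relocation table mentioned earlier in the thread. The function names and the two sample headers are constructed for this example; /GS leaves no flag in these header fields, so it is not checked.

```python
"""Audit PE headers for the linker hardening options discussed in this thread."""
import struct
import sys

# Constants from the PE/COFF format (winnt.h names in the comments).
RELOCS_STRIPPED = 0x0001   # IMAGE_FILE_RELOCS_STRIPPED, in COFF Characteristics
HIGH_ENTROPY_VA = 0x0020   # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
DYNAMIC_BASE = 0x0040      # set by /DYNAMICBASE
NX_COMPAT = 0x0100         # set by /NXCOMPAT
BASERELOC_INDEX = 5        # IMAGE_DIRECTORY_ENTRY_BASERELOC
# Offset of the data-directory array inside the optional header, by magic.
DIR_OFFSET = {0x10B: 96, 0x20B: 112}   # PE32, PE32+


def audit_pe(data):
    """Return the mitigation-related header facts for one PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    try:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        coff = e_lfanew + 4
        (characteristics,) = struct.unpack_from("<H", data, coff + 18)
        opt = coff + 20
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in DIR_OFFSET:
            raise ValueError("unknown optional header magic 0x%x" % magic)
        dirs = opt + DIR_OFFSET[magic]
        # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
        (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
        (n_dirs,) = struct.unpack_from("<I", data, dirs - 4)
        reloc_size = 0
        if n_dirs > BASERELOC_INDEX:
            _rva, reloc_size = struct.unpack_from(
                "<II", data, dirs + 8 * BASERELOC_INDEX)
    except struct.error as exc:
        raise ValueError("truncated PE header: %s" % exc) from exc
    stripped = bool(characteristics & RELOCS_STRIPPED)
    return {
        "format": "PE32+" if magic == 0x20B else "PE32",
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "relocs_stripped": stripped,
        # Rebasing needs relocation data that is present and not stripped.
        "relocatable": not stripped and reloc_size > 0,
    }


def findings(report):
    """Turn a report into the hardening gaps raised in the thread."""
    out = []
    if not report["dynamic_base"]:
        out.append("no /DYNAMICBASE: image does not opt in to ASLR")
    if not report["relocatable"]:
        # The point of the landave comment quoted in the thread.
        out.append("no usable relocation table: image cannot be rebased, "
                   "so OS-enforced ASLR cannot move it either")
    if not report["nx_compat"]:
        out.append("no /NXCOMPAT: image does not opt in to DEP")
    return out


def build_sample_header(magic, characteristics, dll_chars, reloc_size):
    """Constructed test input: PE headers only, not a runnable program."""
    dirs = DIR_OFFSET[magic]
    opt = bytearray(dirs + 16 * 8)              # 16 data directories
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, dirs - 4, 16)
    struct.pack_into("<II", opt, dirs + 8 * BASERELOC_INDEX,
                     0x3000 if reloc_size else 0, reloc_size)
    machine = 0x8664 if magic == 0x20B else 0x014C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0,
                       len(opt), characteristics)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: a 32-bit image with relocations stripped and no
# opt-in flags, and a 64-bit image linked with all three flags set.
UNHARDENED = build_sample_header(0x10B, 0x0103, 0x0000, 0)
HARDENED = build_sample_header(0x20B, 0x0022, 0x0160, 0x200)

if __name__ == "__main__":
    images = [("constructed unhardened", UNHARDENED),
              ("constructed hardened", HARDENED)]
    if sys.argv[1:]:
        images = []
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                images.append((path, fh.read()))
    for name, blob in images:
        report = audit_pe(blob)
        print(name, report["format"])
        for line in findings(report) or ["no gaps in the checked flags"]:
            print("  -", line)
```

Run it with the paths of the executables and DLLs to audit as arguments; with no arguments it reports on the two constructed samples.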
anonymous
Guest
I myself have never been quite clear on what the security problems are. I know that there are no known exploits, but what sort of exploit is theoretically possible?
If the problem is merely the Explorer integration having possible security issues, then that can be turned off. You have to run the app as administrator, but you can uncheck the options. I have now done so, and I’ll see how convenient it is.
I already only use 7-zip for non ZIP archives.
MrBrian
AskWoody_MVP
dph853
AskWoody Plus
The solution seems simple and was proposed early on in these comments about the issue. Someone who knows what they are doing needs to recompile the 7-zip source code with the necessary switches and see if the resulting executable is stable and functional. If so, release it to the public (with all the appropriate credit to the original author). Igor will quickly see that most will choose the new version over the old if given a choice when downloading 7-zip.
Most users do not compress files with a stopwatch in their hand and don’t really care about max speed over security and functionality – free, useful and reliable is all that most care about.
With billions of internet users and millions using 7-zip including 3rd party vendors making use of 7-zip functionality, someone must have recompiled it by now…
MrBrian
AskWoody_MVP
“The core of the problem: Pavlov refuses to add ASLR (Address Space Layout Randomization) to the product, and won’t compile 7-Zip with the /GS Buffer Security Check flag.”
Background info on ASLR: On the effectiveness of DEP and ASLR (2010).
MrBrian
AskWoody_MVP
MrBrian
AskWoody_MVP
The state-of-the-art in exploitation development has moved on since that 2013 article. See ROP is Dying and Your Exploit Mitigations are on Life Support (July 2016); that link has some vendor-specific info but the more general info included is good.
JohnW
AskWoody Plus
The code and memory mitigations of HitmanPro.Alert are available on a per application basis, and include hardware assisted Control-Flow Integrity on supported CPUs.
Windows 10 Pro 22H2
MrBrian
AskWoody_MVP
anonymous
Guest
From Woody’s post:
I’m not so concerned about individual, manual use, but the incorporation of 7-Zip binaries into other packages. An anonymous poster here on AskWoody came up with a long list of other packages that rely on 7-Zip, including WinRAR, Flash, and some .NET applications.
I’m the “anonymous” who posted the said list of 3rd-party software that use standalone or embedded 7-zip libraries. It isn’t a comprehensive list (more an outline), but may perhaps provide an idea of how large the potential attack surface area could be.
Before that, I also highlighted (31 Jan 2018) in the same forum thread that 7-zip v18.01 stable (29 Jan 2018) may not have included a fix for the ADSL security vulnerability, since the changelog makes no mention of it. (And neither does the latest v18.02 beta [03 Mar 2018] include the said fix.)
At that time, nobody seemed to be talking about this issue. But I was/am curious to know about the possible impacts of leaving the ADSL vulnerability unfixed, & what precautions I can take wrt malformed archive files from external sources.
Taking 7-zip as an example, its “extra” package (which contains the commandline EXE & DLL plugins) is offered as a 7z download. And 7-zip’s official website & downloads are strictly HTTP, which makes them susceptible to MitM compromises. Would scanning malformed archive files with malware scanner flag them as malicious ?
Note: I’ve no IT training & can’t read source-code — much less compile a software. I’m just a daily end-user of 7-zip & numerous 3rd-party software that use 7-zip libraries.
I also mentioned in the aforementioned 7-zip thread that Landave (the security researcher who blogged about 7-zip’s vulnerabilities) did compile 7-zip with fixes for all the known security vulnerabilities in Jan 2018.
And the resulting increase in binary size is apparently just 8-9 KB — contrary to 7-zip developer’s concern that doing so would bloat the binary.
abbodi86
AskWoody_MVP
anonymous
Guest
Noel Carboni said:
My first thought on this is that maybe the author knows more about what he’s doing than the folks “pressuring” him to enable switches that may have downsides.
MrJimPhelps said:
whenever I read that the author of a program like 7/Zip refuses to include essential security features in his product, I wonder if he was told not to include these features.
7-zip’s developer did explain why he does not want to fix the issues that make 7-zip less secure. That’s because years before Landave blogged about it, there were already users who noticed the same issues with 7-zip.
Back in Mar 2012, there was a user request for ASLR (Address Space Layout Randomization) & DEP (Executable Space Protection) to be enabled in 7-zip.
The developer’s response was:
I suppose that problem is more complex than just compiler switch. No time for these things now. Maybe later I’ll look it. I still use old compiler for 32-bit version.
And elsewhere on Twitterverse (13 May 2016):
https://twitter.com/ericlaw/status/731178499424329728
It’s important to upgrade 7zip to v16 to avoid security bugs. Get the unsigned, DLL hijackable installer via HTTP…and be aware that ASLR is disabled and 7-zip doesn’t work with SmartScreen/Windows security.
More recently in Sep 2017, another 2 users raised the same request with 7-zip’s developer. His response is quoted as follows:
It’s not BUG. It’s feature or missing of feature.
7-Zip doesn’t use ASLR. Files are smaller so. ASLR is new feature. I use old [compilers] and linkers without ASLR support. I can compile with /FIXED:NO and patch for ASLR flag with another tool. But ASLR is just some additional level of protection. There is no big gain from it.
DEP is good thing. But it’s [unclear] for me why there is 32-bit and 64-bit code difference.
As for the “files are smaller so” remark, 7-zip with ASLR enabled is a mere 8-9 KB (kilobytes) larger — as I’d mentioned earlier on.
MrBrian
AskWoody_MVP
MrBrian
AskWoody_MVP
anonymous
Guest
-
MrBrian
AskWoody_MVP
The included “Popular Software.xml” template includes 7-Zip; see http://www.windowsmanagementexperts.com/emet-enhanced-mitigation-experience-toolkit/emet-enhanced-mitigation-experience-toolkit.htm for more details. If you choose not to use that template, then see EMET mitigations guidelines.
Since 7-Zip can install a shell extension, you may also wish to consider using EMET on whatever processes the 7-Zip shell extension DLL is used in.
1 user thanked author for this post.
-
anonymous
Guest
-
MrBrian
AskWoody_MVP
-
-
-
JohnW
AskWoody Plus
-
Noel Carboni
AskWoody_MVP
-
MrBrian
AskWoody_MVP
anonymous
Guest
I actually find “mark of the web” especially annoying on zip files. I hate how Windows handles it, at least. It should just warn me when I unzip, not apply it to all the unzipped files. That can make programs not work if a DLL or necessary EXE gets marked. And then I have to manually go through and unmark them.
This is not the case with an installer, which is, at its core, just a glorified archive. So I don’t see why it should apply to archives.
Sure, I wouldn’t mind if 7Zip warned me before unarchiving, but I largely find the warning useless. I know I got the file from online. That’s why I put it in my Downloads folder. And, usually, I just finished downloading it.
Smartscreen is at least a step in the right direction, only warning me if the file is not one that is recognized as safe. That’s actually a useful warning. Unfortunately, I use Windows 7, so I don’t get that feature. I just get the annoying popup I have to click through–or, worse, with ZIP files, I have to choose Open Download Folder, right click on Properties, and remove the checkbox so I can then unzip it and have a working program when I’m finished.
I’ve actually had huge archives that took hours to unzip, and then just deleted the files and did it again over this mark-of-the-web thing. It’s easier than going through every single file.
-
SueW
AskWoody Plus
Smartscreen is at least a step in the right direction, only warning me if the file is not one that is recognized as safe. That’s actually a useful warning. Unfortunately, I use Windows 7, so I don’t get that feature.
SmartScreen is a function within Internet Explorer, not Windows 7. To bypass, see http://www.thewindowsclub.com/bypass-smartscreen-filter-ie-edge.
Win 7 SP1 Home Premium 64-bit; Office 2010; Group B (SaS); Former 'Tech Weenie' -
JohnW
AskWoody Plus
My preferred way of verifying a downloaded/unzipped executable file is to check it with VirusTotal.
There is a handy little free utility from Nirsoft, ‘HashMyFiles’, that has an option to ‘Enable Explorer Context Menu – Virus Total’. That makes VirusTotal a completely integrated solution from within Windows file explorer.
Just right click on any file in Windows explorer and select ‘Open in VirusTotal Web Site’. The file hash is transmitted to VirusTotal and your browser will be presented with the score from multiple AV engines if it is a previously submitted sample. If the sample is new, you can upload the entire file for analysis as long as it is under 128MB.
http://www.nirsoft.net/utils/hash_my_files.html
Highly recommended! 🙂
Windows 10 Pro 22H2
1 user thanked author for this post.
-
MrBrian
AskWoody_MVP
I did tests on a Windows 7 x64 virtual machine using 7-Zip v18.01 x64 and x86 and setdllcharacteristics v0.0.0.1. setdllcharacteristics results for 7-Zip v18.01 x64: https://pastebin.com/h3M2zaUm. setdllcharacteristics results for 7-Zip v18.01 x86: https://pastebin.com/4zfdqmyX. For all files, the DEP switch (NX_COMPAT) is set to 1; this is good news. For all .dll files, the ASLR switch (DYNAMIC_BASE) is set to 1; this is good news. For all .exe and .sfx files, the ASLR switch (DYNAMIC_BASE) is set to 0; this is bad news but not unexpected.
I also did tests using 7-Zip v18.01 x64, Process Explorer v16.21 (DEP column in upper pane; ASLR and Base Address columns in lower pane), and EMET v5.52. See https://blog.didierstevens.com/2011/01/18/quickpost-checking-aslr/ and http://www.itprotoday.com/security/q-how-can-i-check-effect-windows-address-space-layout-randomization-aslr-feature-windows for more details.
My conclusions:
1. For the 7-Zip v18.01 x64 shell extension, ASLR for explorer.exe’s 7-zip.dll works according to Process Explorer (both the ASLR and Base Address columns); the Base Address field for explorer.exe’s 7-zip.dll changed from one boot to another boot. This is good news.
2. For the 7-Zip v18.01 x86 shell extension, I didn’t test with Process Explorer, but the setdllcharacteristics results for 7-Zip v18.01 x86’s DLL files are encouraging.
3. Using setdllcharacteristics to change the ASLR switch (DYNAMIC_BASE) of 7-Zip v18.01 x64 file manager (7zFM.exe) doesn’t have any security effect according to Process Explorer Base Address tests. This is not surprising per https://www.askwoody.com/forums/topic/is-it-time-to-give-up-on-7-zip/#post-171967. But if you want to try anyway, see one of the comments at http://www.dslreports.com/forum/r30754614-Flawed-7-Zip-compression-tool-opens-systems-to-hack-Update-it-now.
4. EMET’s Mandatory ASLR mitigation doesn’t have any effect for the 7-Zip v18.01 x64 file manager (7zFM.exe) according to Process Explorer Base Address tests. This is not surprising per https://www.askwoody.com/forums/topic/is-it-time-to-give-up-on-7-zip/#post-171967. However, it’s still a good idea to use EMET for 7-Zip’s .exe files because of EMET’s other mitigations.
5. DEP is on for the 7-Zip v18.01 x64 file manager (7zFM.exe) according to Process Explorer; this is good news but not unexpected because according to https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/, “At least he will try to enable /NXCOMPAT for the next release.”
-
MrBrian
AskWoody_MVP -
MrBrian
AskWoody_MVP
7. The presence of the 7-Zip v18.01 shell extension (at least for the x64 version) is not as much of a security risk as I thought prior to today’s tests because issue #1 at https://www.askwoody.com/forums/topic/is-it-time-to-give-up-on-7-zip/#post-172133 shouldn’t actually be an issue (see conclusions #1 and #2).
-
MrBrian
AskWoody_MVP
anonymous
Guest
If there’s one thing I really hate, it’s when people say things like “What year is it @7zip ?? You guys still running on 90’s hardware??”. This should not be an excuse for bloating a program. I did not buy a faster CPU and more RAM so that developers could get lazy and bloat their applications. I bought them to run the same stuff, and more of it. It’s this kind of thinking that leads to Software bloat and feature creep.
That said, I still plan on using 7-zip. Nothing comes close to how efficient 7z is. Winrar is slow, and too much flash and bang, and Winzip is bloated. I do think he should enable those compiler switches, even if it adds a tiny bit of bloat, but hey, there’s tons of security holes I’m sure I’m open to these days since technology is all about shoveling in features instead of fixing problems.
1 user thanked author for this post.
anonymous
Guest
“INSECURE shell extension is loaded into explorer.exe” Probably need a bit more elaboration on that. The 7Z DLL (7-zip.dll) contains a relocation table and is linked with dynamicbase, so ASLR should work. Maybe there is something else wrong with it.
It is the .exe files that have the relocation stripped, and not linked with dynamicbase. I’ll give the developer credit though. He knows the two go together. I’ve seen some others with dynamicbase but no relocation table, like VLC.
1 user thanked author for this post.
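The header checks behind the setdllcharacteristics results and the relocation-table point discussed above, as an added example (not code from the thread, from setdllcharacteristics or from 7-Zip): it reads NX_COMPAT, DYNAMIC_BASE and the relocation information straight from PE headers. The sample images are constructed header-only byte strings, and the function, key and sample names are assumptions of this example.

```python
import struct

RELOCS_STRIPPED = 0x0001  # COFF Characteristics: relocation table removed
DYNAMIC_BASE = 0x0040     # DllCharacteristics: /DYNAMICBASE (ASLR opt-in)
NX_COMPAT = 0x0100        # DllCharacteristics: /NXCOMPAT (DEP opt-in)

def pe_mitigations(data: bytes) -> dict:
    """Read the DEP/ASLR opt-in flags from the headers of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (file_chars,) = struct.unpack_from("<H", data, pe_off + 22)
    opt = pe_off + 24                                        # optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                          # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dirs = opt + (96 if magic == 0x10B else 112)  # directories; entry 5 = relocs
    (n_dirs,) = struct.unpack_from("<I", data, dirs - 4)
    reloc_size = struct.unpack_from("<II", data, dirs + 40)[1] if n_dirs > 5 else 0
    has_relocs = not (file_chars & RELOCS_STRIPPED) and reloc_size > 0
    dyn = bool(dll_chars & DYNAMIC_BASE)
    # aslr_usable: the image opts in AND can actually be rebased by the loader.
    return {"dep": bool(dll_chars & NX_COMPAT), "dynamic_base": dyn,
            "has_relocs": has_relocs, "aslr_usable": dyn and has_relocs}

def build_sample(magic, file_chars, dll_chars, reloc_size):
    """Constructed header-only image for the demo; not a real binary."""
    pe_off, opt_len = 0x80, (224 if magic == 0x10B else 240)
    buf = bytearray(pe_off + 24 + opt_len)
    buf[:2], buf[pe_off:pe_off + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, pe_off)
    struct.pack_into("<HH", buf, pe_off + 20, opt_len, file_chars)
    opt = pe_off + 24
    struct.pack_into("<H", buf, opt, magic)
    struct.pack_into("<H", buf, opt + 70, dll_chars)
    dirs = opt + (96 if magic == 0x10B else 112)
    struct.pack_into("<I", buf, dirs - 4, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, dirs + 40, 0x5000 if reloc_size else 0, reloc_size)
    return bytes(buf)

SAMPLES = {  # constructed inputs mirroring the cases discussed in the thread
    "exe_as_reported": build_sample(0x20B, 0x0023, NX_COMPAT, 0),
    "dll_as_reported": build_sample(0x20B, 0x2022, NX_COMPAT | DYNAMIC_BASE, 0x200),
    "flag_without_relocs": build_sample(0x10B, 0x0103, NX_COMPAT | DYNAMIC_BASE, 0),
}
if __name__ == "__main__":
    print({name: pe_mitigations(blob) for name, blob in SAMPLES.items()})
```

To check a real file, pass its bytes, for example `pe_mitigations(open(path, "rb").read())`. The result describes the image's own opt-in flags only; it does not account for system-wide policies such as the EMET settings mentioned in the thread.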
-
MrBrian
AskWoody_MVP -
anonymous
Guest
While your previous comments did rule out the ASLR aspect, it requires that we assume that some deficiency in the ASLR implementation was why the integration of 7-Zip into explorer.exe results in a problem, a conclusion I disagree with, and what you tested.
I hate assumptions. So, if the author of the critique had mentioned that the integration of 7-Zip into explorer resulted in inferior security of explorer because of the ASLR deficiency, well then I would have been satisfied (although I disagree with that conclusion). That was certainly in the context of the review. But, still, the way it was worded left open the possibility that something else in 7-Zip.dll creates a problem, and if so, I would have liked to have seen an elaboration of such other problem.
EDIT html to text
-
MidwestMark
AskWoody Lounger
Did anyone check the Peazip binary if all 3 of these switches are enabled? I’m sticking with the built-in Windows 10 zip functionality until I can find out. I’ll use a portable version of Peazip if I have to use one of these more powerful utilities until I can confirm it.
Security should be the top priority for all software, because even if you do try your best – there’s always new vulnerabilities to be found. So if you’re not even trying to make security a priority…
Steve
AskWoody Plus
I apologize if this is way after the date this was published; but I have 7-Zip, however, I more frequently use WinRAR. I have a version which was registered to my old (out-of-service) Windows Vista computer.
I downloaded the V4 version of WinRAR onto my new(er) computer running Windows 7 x64, and, as a try, input the registration code from the Vista version.
Hoky smokes, Bullwinkle. It took it.
[EDITED – pls refer to Lounge Rules] I have a version of 7-Zip, but for my purposes, I am more attuned to using WinRAR.
Some of the semi-anonymous uploaders I utilize will not accept a .7z file – but will accept a .rar file. So that is the file compression scheme I prefer.
Important links you can use, without the monetization pitch = https://pqrs-ltd.xyz/bookmark4.html

Copyright ©2004-2023 by AskWoody Tech LLC. All Rights Reserved.