7-Zip compression program,software contains a severe vulnerability.

Discussion in 'Frontpage news' started by Hilbert Hagedoorn, Apr 22, 2022.

  1. Hilbert Hagedoorn

    Hilbert Hagedoorn Don Vito Corleone Staff Member

    Messages:
    45,161
    Likes Received:
    11,883
    GPU:
    AMD | NVIDIA
    386SX likes this.
  2. clopezi

    clopezi Member

    Messages:
    14
    Likes Received:
    9
    GPU:
    RTX 2080
  3. GamerNerves

    GamerNerves Master Guru

    Messages:
    306
    Likes Received:
    72
    GPU:
    RX 5700 XT Nitro+
    What are the best alternatives to this program besides WinRAR? I'm curious if I should try something else.
     
  4. Mannerheim

    Mannerheim Ancient Guru

    Messages:
    4,901
    Likes Received:
    87
    GPU:
    MSI 6800XT
    . ARJ :D
     
    mbk1969 likes this.

  5. Alessio1989

    Alessio1989 Ancient Guru

    Messages:
    2,492
    Likes Received:
    1,012
    GPU:
    .
    Just keep using this program. Just because there is vulnerability doesn't mean you can trigger it in practice. The fact there is even a dispute means it's far than straightforward to trigger it.
     
    alanm and GSDragoon like this.
  6. Astyanax

    Astyanax Ancient Guru

    Messages:
    14,465
    Likes Received:
    5,874
    GPU:
    GTX 1080ti
    There is no exploitable issue here, the reportee is actually trying to profit on a vulnerability that doesn't exist.
     
    KissSh0t likes this.
  7. GamerNerves

    GamerNerves Master Guru

    Messages:
    306
    Likes Received:
    72
    GPU:
    RX 5700 XT Nitro+
    I was thinking that some program could offer an overall improvement, or is 7-zip just strictly the best?
     
  8. gianluca

    gianluca Active Member

    Messages:
    74
    Likes Received:
    12
    GPU:
    GTX 1070 TI 8GB
    Winrar and 7zip are pretty much the best you can get. Winrar is actually better, because you can customize it more and you can add recovery informations on the archive created. Also, I noticed that if you wants to pack a series of images in a cbr/cbz file (the format used to read the digital comics), 7zip gives errors, while winrar always work (the process needs to create a zip archive saved with the extension cbr or cbz).
    I tried winzip and it's improved a lot and has also the ability to use the gpu acceleration. I was able to compress very big folders full of files in few seconds compared to 7zip, using a RX480. But at the moment the best level of compression needs the file format .zipx, that it's not supported by 7zip. Also, I find it difficult to customize the right click menu explorer.

    The best would be a winrar build with opencl acceleration support.
     
    GamerNerves likes this.
  9. Ven0m

    Ven0m Ancient Guru

    Messages:
    1,839
    Likes Received:
    28
    GPU:
    RTX 3080
    Just take a look at Sourceforge discussion - it totally looks like a scam
    https://sourceforge.net/p/sevenzip/bugs/2337/

    Help file viewer executes a file... great - you could drag CMD with virtually the same effect.
    Priv escalation - without 7-zip process running as system, you can hardly think of 7-zip exposing system user.
     
  10. Kaarme

    Kaarme Ancient Guru

    Messages:
    3,203
    Likes Received:
    2,010
    GPU:
    Sapphire 390
    I don't even know what's supposed to be 7-zip's "help page" and why I should drag'n'drop files there in the first place. So, regardless of the exploit being real or not, it seems pretty safe.
     
    alanm and carnivore like this.

  11. Coupe

    Coupe Member

    Messages:
    17
    Likes Received:
    1
    GPU:
    1080ti
    The constant fire alarms for clicks that all these sites do with vulnerabilities is getting REALLY annoying. Especially since I'm a sysadmin.

    Some brainless exec reads an article and thinks the end of the world is coming. Let's rush a patch out by today without testing!
     
    GSDragoon likes this.
  12. LimitbreakOr

    LimitbreakOr Master Guru

    Messages:
    452
    Likes Received:
    43
    GPU:
    RTX 4090
    If the vulnerability is real, you first need to have access to the system before you could use it which is too little too late. This is only dangerous if you have users who could gain administrator rights on a system they have limited access to.
     
  13. FlyBy

    FlyBy Active Member

    Messages:
    66
    Likes Received:
    26
    GPU:
    Asus 1080ti wc
    It might be relatively harmless to you and me but any evil sub-admin, any unsatisfied employee with modest skills etc.. those just need any easy to use lever to wreck havoc.

    Better save than sorry.
     
  14. spacefrog

    spacefrog Active Member

    Messages:
    55
    Likes Received:
    0
    According to the discussion on sourceforge it "might" be a vulnerability with the windows compiled help viewer hh.exe , not 7z itself
    Essentially 7z uses the windows default app to display its help . The 7zip help comes in the form of an chm file (compiled html) .
    CHM has being declared as deprecated already in the past by microsoft, but still they use it themselfs alot , because its quite a handy and compact format.

    So if the user has the .CHM filetype assigned to be handled by the default program ( hh.exe - this is the default in vanilla windows i think, but i'm not quite 100% sure ), pressing F1 in 7zip opens the help using that said hh.exe.
    The user then can drag a specifically created, malicious html file onto the Help viewer ( hh.exe , i repeat this is a Windows program - i'm not sure if it comes with windows by default),
    hh.exe can execute the malicious code in that html file ( if your current user runs with the required privileges )
    So inshort:
    this is a hh.exe / windows vulnarbility if its a vulnaribility at all
    of course you can do the same using a powershell script or dos batch file and have it execute commands according the the users privileges
    Just a pretty blown out of proportions case of captain obvious, if you ask me ...
     
  15. thesebastian

    thesebastian Member Guru

    Messages:
    168
    Likes Received:
    50
    GPU:
    RX 6800 Waterblock
    I don't like that the app requires admin rights to be installed (and try to avoid this when there is an Unknown verified publisher). As a workaround I always install 7-zip with following command and no admin rights:

    msiexec /i 7z2107-x64.msi INSTALLDIR=%USERPROFILE%\7-Zip\ MSIINSTALLPERUSER=1
     

  16. Astyanax

    Astyanax Ancient Guru

    Messages:
    14,465
    Likes Received:
    5,874
    GPU:
    GTX 1080ti
    HH is the only chm viewer that works properly.
     
  17. TheDeeGee

    TheDeeGee Ancient Guru

    Messages:
    8,324
    Likes Received:
    2,310
    GPU:
    NVIDIA GTX 1070 8GB
    Still using and have been using WinRar for decades. Going 7-zip would feel like cheating on my partner.

    There are pretty neat skins for it as well.
     
    SplashDown likes this.
  18. rflair

    rflair Don Coleus Staff Member

    Messages:
    4,442
    Likes Received:
    1,040
    GPU:
    5700XT
    7zip is open source is it not? Or freeware, can't remember.
    If there is an exploit it will be fixed.
    I've personally gone open-source with as many programs in Windows as possible. I also contribute a few $ their way, not much, but some.
     
    Last edited: Apr 23, 2022
    alanm likes this.
  19. Alessio1989

    Alessio1989 Ancient Guru

    Messages:
    2,492
    Likes Received:
    1,012
    GPU:
    .
    it's open source. some restrictions apply for the unrar code "thanks" to winrar (but this is for every archive management software that support winrar archives)
     
  20. van_dammesque

    van_dammesque Member

    Messages:
    42
    Likes Received:
    18
    GPU:
    BenQ XL2410T, 970 s
    Powerarchiver.
     
    GamerNerves likes this.

Share This Page