
Big Vulnerability hits 7-Zip file archiver - gets patched - Download v18.05

Discussion in 'Frontpage news' started by Hilbert Hagedoorn, May 3, 2018.

  1. Hilbert Hagedoorn

    Hilbert Hagedoorn Don Vito Corleone Staff Member

    If you use it, you can and should download v18.05 of the popular 7-Zip file archiver. The free-to-use WinZip replacement has a very critical vulnerability for which all it needed was a specially prepped RAR file.

     
    Last edited: May 3, 2018
    Neo Cyrus likes this.
  2. BlueRay

    BlueRay Master Guru

    Yet it doesn't have an auto update or an update notifier. And this is why it's bad and dangerous when applications can't auto update.
     
  3. Kaarme

    Kaarme Ancient Guru

    Thanks for the heads-up! I doubt I'd have noticed a thing like this otherwise.
     
  4. 386SX

    386SX Master Guru

    @BlueRay: Please keep in mind even update servers may infect themselves. This has been done in the past multiple times. The last time I know was some kind of banking software which downloaded an infected update (crypto trojan) from its compromised update servers. Because autoupdates were ON by default, half its clients were infected.

    On the one hand it may be wise to let programs autoupdate themselves if you trust them >>and the whole chain<<.
    On the other hand it may be even better to disable autoupdates and do the patching the manual way on critical infrastructure. Remember the time when Windows 10 updates broke some computers? (Isn't it still a thing today?)
    My grandma would be better off with autoupdates which >>I<< enable, for the most important programs.
    Personally I feel safer with a weekly "patchday", where I download (or check for) program updates. A big PRO is you do not have to have dozens of programs running in the background, checking for updates every few minutes / hours. Saves bandwidth, resources and therefore energy (a small bit). "Green IT by disabling autoupdaters." ;-)

    I used 7-zip for many many years and still use it today. It offers all the formats you want your archive program to support. RAR, ZIP, 7Z, WIM, ISO and a lot more are supported. That is what I care about the most, after the fact it's free without any hidden fees and does not come with any spyware, adware, other crap bundled. ("Hi FlashPlayer!").

    I do not care about the security issue found here. Honestly: Every program has these. But after escalating the issue to the publisher you see if you may trust them in the future. If a bug does not get patched, this is far worse from my point of view than a program that has thousands of bugs but they get fixed in week 1. The publishers of 7-zip did their job right and fixed the bug. They communicated this to the public the right way (AFTER the patch is available but still in a reasonable "short" period of time), so no bad feelings about this.
     
    Clawedge likes this.

  5. fantaskarsef

    fantaskarsef Ancient Guru

    IT department uses 7zip, no update queued as of right now.
    IT department releases win10 on newer (Dell) laptops, and I'm not sure they know what to deactivate and what not.

    As you might think, my trust in my company's IT department is not that big :D
     
    386SX likes this.
  6. BlueRay

    BlueRay Master Guru

    @386SX I understand that, but a notification prompting the user to go to the website and download the new version is the bare minimum for security. It is the most popular zip tool yet it expects users to read tech blogs to find out their version is not secure. This is bad.
     
    386SX, lucidus and MaCk0y like this.
  7. Robbo9999

    Robbo9999 Maha Guru

    Thanks, downloaded & installed!
     
  8. 386SX

    386SX Master Guru

    I agree with you with notifications, for any standard user this would be optimal and saves me a lot of work at friends or family. :)
     
  9. Fox2232

    Fox2232 Ancient Guru

    THX for letting us know, 7z is a must for anyone.
     
    Amx85 likes this.
  10. Amx85

    Amx85 Master Guru

    Ohh

    H.H. please use this version to bench CPU, Ígor Pávlov is always working to improve 7-zip

    greetings
     

  11. RzrTrek

    RzrTrek Ancient Guru

    I'm glad it was dealt with as quickly as they did.
     
  12. wavetrex

    wavetrex Master Guru

    One day I discovered Chocolatey:
    https://chocolatey.org/

    Since that day, updates on free software are no longer a concern.

    p.s. - 7-Zip is already updated in the repository - It says version 18.5, and not 18.05 (but it's same thing)
     
  13. flashmozzg

    flashmozzg Member Guru

    Another reason to upgrade:

     
  14. nevcairiel

    nevcairiel Master Guru

    You know it's not remote code execution if you have to download a file first and open it locally. What's with the security people these days.

    Obviously something like 7-Zip which is not a persistent service of any kind will likely never be affected by Remote Code Execution, since remote hackers cannot interact with it whatsoever - unless you have a web-service that somehow interacts with 7-Zip (to unpack uploaded files, for example), but that's reaching.
     
  15. heffeque

    heffeque Ancient Guru

    I use PatchMyPC. Real handy and easy.
     

  16. wavetrex

    wavetrex Master Guru

    Nice tool, but that program is a little toy compared to Choco:

    "There are 5762 community maintained packages" (currently)

    This one is the Windows equivalent of the Ubuntu package manager... it can install, uninstall, update software, look for new software in various categories, etc. In a completely different class than that little tool.

    Oh, and there is a GUI as well (which I'm using), so I don't mess around with commandline:
    https://chocolatey.org/packages/ChocolateyGUI
     
  17. heffeque

    heffeque Ancient Guru

    First you disregard it for being a simple and easy GUI tool, then you say that you are using ChocolateyGUI. Very coherent reasoning.

    Sincerely, IMHO PatchMyPC is more than enough for my needs and most people's. Chocolatey is overkill and overly complicated for most commoners.
     
