Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Open Source Security Operating Systems Privacy Software Windows News Technology Build

Dangerous 7-Zip Vulnerabilities Flow To Top Security, Software Tools (theregister.co.uk) 109

mask.of.sanity quotes a report from The Register: Some of the world's biggest security and software vendors will be rushing to patch holes in implementations of the popular 7-Zip compression tool to stop attackers gaining full control of customer machines. Marcin Noga, Cisco security researcher, found and reported the holes to the platform, which could allow attackers to compromise updated machines, giving attackers the same access rights as logged-in users. FireEye and MalwareBytes are two of many products that use 7-Zip. "An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format files ... [which] can be triggered by any entry that contains a malformed Long Allocation Descriptor," Colleague of The Register Jaeson Schultz said. The flaws were fixed in 7-Zip 16.00, which was released Tuesday.
This discussion has been archived. No new comments can be posted.

Dangerous 7-Zip Vulnerabilities Flow To Top Security, Software Tools

Comments Filter:
  • I'm glad to see its finally out of beta.

  • by gweihir ( 88907 ) on Thursday May 12, 2016 @11:28PM (#52102635)

    Al least in any sane system, and Windows has started, a few decades late, to use sound OS design practices. So no, not "full control".

    • by aberglas ( 991072 ) on Friday May 13, 2016 @02:22AM (#52103027)

      The myth of root is just that. The days of lots of people sharing the one client computer are long gone. For PCs, most of the good stuff is accessible in user mode. All the documents, email etc.

      • by gweihir ( 88907 )

        You may have a lot of access and control as user, but not "full control".

    • by johannesg ( 664142 ) on Friday May 13, 2016 @02:51AM (#52103085)

      What "sound design practices" would those be? As far as I can tell, the choice is still either full denial (resulting in not being able to use the software), or the keys to the kingdom (based on whether you trust that the developer is kosher and his website has not been compromised). There is no middle ground - "install this, but keep it locked in a sandbox".

      And Linux is just as bad. So what if the OS protects itself from the users? The OS has literally zero value; if it gets wiped, it's 30 minutes work to rebuild it from scratch, less if you made an image. It's the _data_ that is on the machine, completely unprotected by all those clever permission schemes, that will be lost if any compromised software is allowed to run. If you run "rm -rf /", you remove precisely all the files anyone cares about.

      The Linux permission schema was designed when computers were hulking beasts that shared limited resources between many users that needed protection from each other. We then moved through personal (i.e. single user) computers where such protection is of limited use, to today's practice of having each application running in a container - providing data protection in the form of a kind of meta-OS, since the main OS is clearly just not capable enough.

      The whole thing, whether in Windows or in Linux, is just one big clusterfuck of endless wasted effort solving entirely the wrong problem.

      • by gweihir ( 88907 ) on Friday May 13, 2016 @03:30AM (#52103149)

        My take is more that the problem is people not understanding the permission system. Used right, it works pretty well. The whole container-thing comes from people not understanding how to isolate things using the classical UNIX model (and software distributed as binary, of course). Incidentally, containers make you _less_ secure against a competent attacker as they add additional ways to compromise the system and disregard KISS, while pretending otherwise.
         

      • by emil ( 695 )

        I'm pretty sure that the BSD that Bill Joy ran on his VAXes could not nspawn [linuxjournal.com] a container, so I might interject that the Linux privilege system has changed slightly.

        Now, if you don't carefully populate your container, you can easily cause more security problems than you solve.

        • by gweihir ( 88907 )

          I fully agree to that. And from my observations, the way people run containers, they usually get all the original vulnerabilities and in addition those of the container as well. They think that a container is somehow as good as a separate machine.

      • And Linux is just as bad. So what if the OS protects itself from the users? The OS has literally zero value; if it gets wiped, it's 30 minutes work to rebuild it from scratch, less if you made an image. It's the _data_ that is on the machine, completely unprotected by all those clever permission schemes, that will be lost if any compromised software is allowed to run. If you run "rm -rf /", you remove precisely all the files anyone cares about.

        Depends what you're trying to do. If the aim is destroy the user's data, hold it hostage or sift through it for credentials or other useful info, yes, you're screwed.

        But you can't spam email or run a phishing server on a standard port because opening a listener on any port below 1024 requires root. Installing system-level malware requires root. You could set up some kind of user-level autorun but the implementation will likely depend on the shell they're using, Unity, Gnome, KDE, XFCE.

        • by gweihir ( 88907 )

          I might add that preventing things a user starts from destroying all that user's data is not actually a task of the permission system.

          The correct fix for 7z is to fix the vulnerability. As 7z must be able to read and write arbitrary files to do its job, there is _nothing_ the permission system can do, not even MAC like SELinux would help. All those people blaming the "OS" really do not understand what they are talking about.

          • As 7z must be able to read and write arbitrary files to do its job, there is _nothing_ the permission system can do, not even MAC like SELinux would help. All those people blaming the "OS" really do not understand what they are talking about.

            An excellent point. A granular permission system similar to Android's would help in many cases, e.g. preventing a text editor from performing a DDOS attack, but it cannot stop a file manager or archiver from attacking the user's files.

    • by Anonymous Coward

      From 1992 onward C-2 Orange Book security design in Windows NT based OS (NT/2000/XP/7) was HUGE leap over Win9x & certainly Win3.x + below before it (in both stability & security).

      They ALL have Access Control Lists + Group Policies, as far as security goes, on NTFS filesystems & registry level access by user name or group as well!

      APK

      P.S.=> Unless I misunderstood you, I have to ask you - have you actually USED any/all of those versions of Windows before that you made the statement you did? ap

      • by gweihir ( 88907 )

        You misunderstand. The OS has had those for a while, but privilege escalation was not taken seriously on user machines and hence the level of privilege was mostly meaningless as escalation without permission was very easy.

    • I suspect that part of the concern is that 7zip is sometimes found in program installers, which typically do run with elevated permissions. Those are also the places where obsolete versions are probably going to remain embedded forever unless the vendor cares atypically much about fixing them.

      It'll be harder to trick an installer to chew on a suitably malformed file, compared to a user just using 7zip; but if you can manage it, you get a nice, handy, elevated context.
      • by gweihir ( 88907 )

        A clean installer will not work on anything except the files it came with and it will not run any code (package or otherwise) that a user gives to it with elevated privileges. And there we have the problem: On Windows, you are supposed to give root-permissions to far too many things, making them pretty meaningless.

    • by Insightfill ( 554828 ) on Friday May 13, 2016 @07:33AM (#52103849) Homepage

      Al least in any sane system, and Windows has started, a few decades late, to use sound OS design practices. So no, not "full control".

      I haven't had "full control" of my Windows computer in a while. Maybe I can use this 7zip vulnerability to get something back from this beast of Windows 10.

    • by tlhIngan ( 30335 )

      Al least in any sane system, and Windows has started, a few decades late, to use sound OS design practices. So no, not "full control"./blockquotes.

      Depends on the process.

      An antivirus/malware scanner may very well run with elevated privileges since it needs to be able to scan files the user doesn't have direct access to. Thus, it's possible that a carefully crafted 7z file can be used to run code in an elevated mode...

  • Why did the version numbering jump so much? It went from 9.38 to 15.05 in five months with no releases between those two.

    • Re:Version 16? (Score:4, Informative)

      by Anonymous Coward on Friday May 13, 2016 @12:13AM (#52102741)

      "7-Zip uses YEAR.REVISION scheme for version numbers."
      https://sourceforge.net/p/sevenzip/discussion/45797/thread/a8fd6078/#1a6c/4be3/04ce

  • "Anytime the vulnerable code is being run by any sort of privileged account, an attacker can exploit the vulnerability and execute code under those same permissions," ref [theregister.co.uk]
    • by cnettel ( 836611 )
      Yeah, that's precisely what you would expect for a vulnerability in user space code. "Just" unzip a 7-zip file and suddenly any file in your home directory can be compromised... or gone. Run a vulnerability scanner on your e-mail server (with insufficient sandboxing), or on your web server for uploading files, and things get... worse.
  • Dangerous 7-Zip Vulnerabilities Flow To Top Security, Software Tools

    What?

    • Badly worded (Score:5, Informative)

      by DrYak ( 748999 ) on Friday May 13, 2016 @12:51PM (#52106415) Homepage

      7z is a software used to manipulate archives in numerous format (including a few obscure format - one of the most compatible on the market).

      Lots of security software like antivirus need to be able to process archives (e.g.: an antivirus needs to scan all the files packaged into a ZIP archive).
      Some of these security software use 7z as an archive engine.

      7z has a vulnerability when unpacking a specially crafted archive.
      This flaw will extend to security sofware that rely on 7z as a component to help them handle archives.

      Hence "Dangerous 7-Zip Vulnerabilities Flow To Top Security, Software Tools"

      By sending an e-mail with a specially crafted ZIP file attachment, you can b0rk the mail server using an exploit that affects the antivirus in charge of scanning incomming attachments, because that antivirus relied on 7z.

      That means

  • So, when installing a new machine, how do you choose to open zip files? Winzip has that irritating registration screen, Windows native zip opening lacks features, 7zip sucks too, so what do people use these days that's free and downloadable?
    • So, when installing a new machine, how do you choose to open zip files? Winzip has that irritating registration screen, Windows native zip opening lacks features, 7zip sucks too, so what do people use these days that's free and downloadable?

      I doubt there are many implementations of 7zip out there. Chances are anything which can open a .7z file does so by using 7zip's SDK. It's public domain, so there's no reason not to unless you're working in a language that can't link to C libraries.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      What sucks about 7zip?
      That's what I use exclusively.

    • by Anonymous Coward on Friday May 13, 2016 @04:20AM (#52103229)

      "7zip sucks too"

      Totally disagree.

      On Windows it is the best compression tool (all impressive merits of the 7z format aside) simply because it does exactly what you want: installs windows shell commands, which really are invaluable:

        - Right click a folder and choose "Add to xxxx.7z" to make a 7z archive (last used settings) or "Add to xxxx.zip" to make a zip file (last used settings) or "Add to Archive" to bring up the options and customize everything. There are shell commands for sending via email, but I don't use those myself.

        - Right click any archive file and choose "Extract to ...." to dump the contents into a folder in the current directory. There is another option to bring up a dialog and choose where to put the contents.

      At the end of the day, 99.9999% of archive management is covered by these few commands and they really just get the job done.

      It's as nice as right clicking a folder of MP3s and choosing "Play in Winamp". It was good that this was added to VLC, but I also see that Microsoft copied this and now I have an annoying "Play in Windows Media Player" option there as well. I *know* I can get rid of it, but life's too short.

      • Re: (Score:1, Insightful)

        by Anonymous Coward

        WinRAR does all that, but better.

    • I prefer WinRAR.
    • They fixed the vuln in 7zip already. The download is tiny (1.3 MB for 64 bit) and the install/upgrade is nigh-instantaneous. The only thing I know of wrong with 7zip is that when you use drag and drop it extracts to a temp folder and then moves the files, which can have unfortunate results. If you use extract to, you don't have that problem. Hell, maybe they fixed that. Probably not :)

      • They have not fixed it, and the developer says he won't.
        He gave some excuse about not being able to tell what the target of the drop point was until the extraction was done. I believe it was bullshit in 2010, and it's almost certainly bullshit now.

        https://sourceforge.net/p/seve... [sourceforge.net]

  • Can someone please tell me what this means to me?

    I do not work in IT, I work in engineering. Our IT department keeps themselves clueless about CAD & CAD data management & somehow, mainly by default, I am the admin (in my spare time HA! what exactly is spare time?!). I've been using & deploying 7zip on all the clients I install our CAD platforms on.

    Are all these machines at risk? Am I going to get an email from that IT guy yet again?

    • by Anguirel ( 58085 )

      Your local 7-zip copies should probably be updated, but they're not a serious risk. The major thing is to look for an update for your Anti-Virus (assuming you use one). Most AVs use 7z under the hood to scan archives. The vulnerability here would be if someone accidentally grabs a virus-laden archive that was crafted for this express purpose (or one is sent to your e-mail and auto-scanned on receipt before you even get a chance to delete it), the act of the AV scanning it would activate the flaw at the AV's

      • Thank you. This is why I tell people when they download a utility to delete it & download the latest version when they need it again. It's too bad I did not follow my own advice with 7-ZIP. Come Monday I will update all my clients & discuss the AV with the IT folks.

        They are not going to like this at all. There is a really good chance they will freak out & make me remove all 7-ZIP installs completely. They may even have a emergency meeting where they will look to place blame & decide an

  • Ok, so I read the article and my collegues and I use 7-zip quite a bit - so I am trying to figure out if the vulnerability was addressed in the latest release

    I see the article was posted on the 11th, and 7-zip's latest builds seems to be v 16.0 which was published on 5/10 ... but looking at the 7-zip fix history:

    http://www.7-zip.org/history.t... [7-zip.org]

    All I see is that "some bugs were fixed" - this does not fill me with confidence.

    So, I'm just trying to decide if the may 10 update and May 11 release is enough circ

news: gotcha

Working...