• Is it time to give up on 7-Zip?

    Posted on March 2, 2018 at 12:15 CST by Comment in the Forums

    I’ve been a 7-Zip fan for, like, forever. That’s why it pains me to report that several people — people who know what they’re doing — are taking 7-Zip to task for failing to keep up with key security features.

    On Jan. 28, I posted an article on Computerworld titled Multiple vulnerabilities in 7-Zip. Get it updated now!

    I thought that Igor Pavlov’s new release, version 18.01, took care of the major security problems. I was wrong.

    The core of the problem: Pavlov refuses to add ASLR (Address Space Layout Randomization) to the product, and won’t compile 7-Zip with the /GS Buffer Security Check flag. (Good overview of both technologies on the ISV Software Security page.)

    This was part of landave’s original complaint:

    I have discussed this issue with Igor Pavlov and tried to convince him to enable all three flags. However, he refused to enable /DYNAMICBASE [the ASLR flag] because he prefers to ship the binaries without relocation table to achieve a minimal binary size. Moreover, he doesn’t want to enable /GS, because it could affect the runtime as well as the binary size.

    So how bad is it? Microsoft Security Response Center engineer (not speaking in an official capacity!) Joseph Bialek says:

    What year is it @7zip ?? You guys still running on 90’s hardware??

    Stefan Kanthak, whom I quoted in the Computerworld Microsoft is distributing security patches through insecure HTTP links article, says in a private message:

    [7-Zip’s] INSECURE shell extension is loaded into explorer.exe, and allows an attacker to leverage its MULTIPLE shortcomings. For example Sun/Oracle made such a blunder when they deployed an outdated MSVCRT71.dll with their Java Runtime Environment, which allowed attackers to take advantage of its flaws.

    I’m not so concerned about individual, manual use, but the incorporation of 7-Zip binaries into other packages. An anonymous poster here on AskWoody came up with a long list of other packages that rely on 7-Zip, including WinRAR, Flash, and some .NET applications.

    I’m not yet ready to throw my copy of 7-Zip in the bit bucket. But I wonder if that’s just inertia.

    Other
DON'T MISS OUT!
Subscribe to the Free Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address

View the Forum

  • Recent Replies
  • My Replies
  • My Active Topics
  • New Posts in the Last day
  • Private Messages
  • Knowledge Base
  • How to use the Forums
  • All Forums

    • Recent Topics

    My Profile

    April 2025
    S M T W T F S
     12345
    6789101112
    13141516171819
    20212223242526
    27282930  

    Remembering Woody

     

    Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.

    Mastodon profile for DefConPatch
    Mastodon profile for AskWoody

     

    Home About FAQ Posts & Privacy Forums My Account
    Register Free Newsletter Plus Membership Gift Certificates MS-DEFCON Alerts

    Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.