• Get 7-Zip updated now

    #163141

    Igor Pavlov, the developer behind my favorite zipping routine, published an important security update on Jan. 28. Description and full instructions co
    [See the full post at: Get 7-Zip updated now]

    6 users thanked author for this post.
    • #163148

      Thanks for the heads up, Woody!  7-Zip is one of my favourite utilities too, and will be updated on all my hardware by the end of the day.

    • #163164

      Me being a German user, using the German version of 7-zip, I might have to wait for the German version of 18.01 to be available. I don’t want English 7-zip installed on my German system.

      On 7-zip.de, 16.04 is still the latest version. http://www.7-zip.de/download.html

      1 user thanked author for this post.
      • #163624

        Anon #163164 said:
        I don’t want English 7-zip installed on my German system.

        The \Lang\de.txt file in the install folder of 7-zip obtained from the English website is dated 28 Jan 2018.

        Between v16.xx & v18.01, I don’t see any GUI changes or new fields. And running the 7-zip EXE installer does not require any reading or user input.

        If you are concerned about the security vulnerabilities disclosed in Dec 2017, you can perhaps install 7-zip from the English website, before subsequently installing the version from the German website over the English version.

        If 7-zip from the English website opens with an English GUI, try changing the language at:
        > Menu: Tools
        > Options
        > Language tab

        1 user thanked author for this post.
        • #163715

          Thx. Just risked it and installed v18.01 from the original website over my German version.
          Now running version 18.01 and it still seems to be fully localized in the German language.

    • #163168

      I seem to recall having to manually uninstall the old version(s).  In other words, I believe if you run the latest installer, it will not automatically uninstall any prior versions.

      This may no longer be the case but I wouldn’t know since my standard practice is to first uninstall the old 7-zip install (like I just did now!).

      • #163195

        I installed it right over the top of the old version and, after rebooting, it’s at 18.01.

        1 user thanked author for this post.
        • #163200

          Yes, the new version will run but, if I recall correctly, the older version remains installed.  Check your program list.

          1 user thanked author for this post.
          • #163259

            Yes, both showed up as installed programs in Control Panel.

            Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

            1 user thanked author for this post.
            • #163386

              Do both show up even after a re-boot?

            • #163493

              Don’t know, didn’t try it. I just uninstalled both and then reinstalled the latest version.

              Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

          • #163282

            Only the latest version of 7-Zip showing on my Programs & Features screen.

            Just ran the new 7z1801-x64.exe file and it installed over version 7z1604-x64.exe

            Every file in the “Program Files/7-Zip” folder and the “Lang” sub-folder are dated with 1/28/2018.

            • #163387

              Which OS are you running?

      • #163522

        On my Win 7 x64, as is my usual practice for 7-zip, I installed the new version over the existing version after making sure that 7-zip isn’t running.

        For 7-zip v16.04 stable & older, the installer would always prompt for a reboot. If I rebooted immediately after installation, the system would register that 7-zip had been upgraded to a new version, & reflect this accordingly at the ‘Programs & Features’ pane.

        If I delayed the reboot, the system upon subsequent bootups would fail to notice that I’d installed a new version of 7-zip, even though all files in its install folder were successfully updated. And the ‘Programs & Features’ pane would continue to show the older 7-zip version.

        This time round, surprisingly enough, 7-zip v18.01 stable‘s installer did not prompt for a reboot. But the new version is reflected at the ‘Programs & Features’ pane. Meanwhile, all files in 7-zip’s install folder are updated to the latest version — except for 7-zip.dll (shell extension) which remains the old version. It turns out that the installer had instead renamed the new version to 7-zip.dll.tmp.

        Not sure if a reboot would’ve removed the aforementioned old DLL file. In any case, I unlocked & deleted the old DLL file, & renamed the new DLL to its rightful filename. That was almost 2 days ago, & so far, all 7-zip operations work fine.

    • #163172

      I have always gotten 7zip from the SourceForge web site which is secure. Here is the web page for the latest 7-zip version 18.01:

      https://sourceforge.net/projects/sevenzip/files/7-Zip/18.01/

      The above page also has 7-zip msi installers as well.

      2 users thanked author for this post.
      • #163196

        I recall a great brouhaha about the location of the 7-Zip binaries — and was surprised to see that 7-Zip itself now points to the 7-Zip site.

        SourceForge is good, too, of course.

        • #163523

          However, 7-zip’s main site is non-HTTPS, & also doesn’t publish the checksums for the respective files.

          As such, from a security point of view, it might be safer to obtain the files from Sourceforge.

    • #163207

      7-Zip is also available on Ninite. If you already have 7-Zip installed, running the Ninite Installer for 7-Zip will update it. Quick, easy, simple, and painless; took me ten seconds to update 7-Zip with Ninite. Strongly recommend. Sanity in a world plagued by Microsoft making things complicated.

    • #163241

      For each of these machines, should I install the .exe or the .msi?

      – XP SP3 32-bit (updated via the POS hack)

      – Win 7 Pro SP1 64-bit

      – Win 10 Pro 64-bit

      What is the diff between an .exe and a .msi anyway?

      • #163277

        An .exe is a generically compiled executable file. In this case, the executable contains the installation of an application. But an .exe can be pretty much anything that can run on Windows.

        When you install an .exe, you’ll get the stupid typical boring questions that you have to pay attention to and answer next, next, next, next.

        An .msi is an installation file for Windows. Apart from installing a program, it allows some switches to be activated, such as quiet (no output to the screen), and is more manageable for corporate environments.

        Some more info:

        https://en.wikipedia.org/wiki/Windows_Installer

        1 user thanked author for this post.
      • #163318

        Uninstalling an MSI installed software correctly requires access to the original .msi installer. A .exe installer should uninstall without needing the original installer to be present.

        1 user thanked author for this post.
      • #163530

        glnz said:
        For each of these machines, should I install the .exe or the .msi? […] What is the diff between an .exe and a .msi anyway?

        Since there are just 3 PCs you want to install 7-zip to, EXE installers are fine. EXE installers are generally smaller in filesize, & they can also be deployed on standalone PCs not connected to any network.

        And depending on the developer, some EXE installers may come with command-line switches to allow silent unattended installation, eg. for cases where the installer comes with multiple screens requiring user input.

        However, 7-zip’s EXE installer does not come with multiple screens. It’s a 1-step process (ie. click to run the installer), which copies the files to the default install folder. You may be prompted to reboot the PC to complete the installation process.

        For corporate environments with multiple networked PCs, MSI installers are preferred because they allow mass deployment via Windows Group Policy.

    • #163266

      Updating 7-zip could be simpler. It could automatically update, preferably through the windows store.

      Really wish it was in there. If there’s security issues, it should be automatically updating.

      • #163312

        I GREATLY prefer manual updating over auto anything, except AV programs.

        Notifications of a new version are OK when you launch the program, as long as it lets you use the program without doing the update. Automatically checking is fine if it is frequently updated, but only if you can modify or turn the checking schedule off. I usually turn that capability off if possible.

        For this program, the last update was in 2016. Why use resources to constantly check on programs not frequently updated?

        This is how user control erodes.

        3 users thanked author for this post.
    • #163307

      Thanks. I updated last night when I saw it on Tweakguides.

      I was going to post the info here, but there you were! 🙂

      I updated over 16.04-64. After the install finished, I went to the 7-Zip folder in Program Files and all the files except 7z.dll were dated the same. There was also a file 7z.dll.tmp with the new date. I then closed file explorer, and re-opened it, the old 16.04 file had disappeared and the new 18.01 7z.dll was present.

      Control Panel only shows the current version, 18.01.

      2 users thanked author for this post.
      • #163620

        Bill C. said:
        After the install finished, I went to the 7-Zip folder in Program Files and all the files except 7z.dll were dated the same. There was also a file 7z.dll.tmp with the new date. I then closed file explorer, and re-opened it, the old 16.04 file had disappeared and the new 18.01 7z.dll was present.

        Sounds similar to my experience in upgrading from 7-zip v16.04 (x64) stable to v18.01 (x64) stable on Win 7 x64:
        https://www.askwoody.com/forums/topic/get-7-zip-updated-now/#post-163522

        A few seconds after 7-zip installation was completed, when I tapped the Windows key to access the Start Menu, explorer.exe unexpectedly crashed. No program was running at that time.

        When I went to 7-zip’s install folder, I found that 7-zip.dll (7-zip’s shell extension for context menu’s right-click) was still v16.04, alongside an extra 7-zip.dll.tmp which was v18.01. This differs from your comment vis-a-vis 7z.dll & 7z.dll.tmp — which I assume aren’t typos.

        Even after I opened & closed Win Explorer a couple of times, followed by terminating & restarting the explorer.exe process twice via Task Manager, 7-zip.dll refused to get itself updated to the new version. So what I did was to unlock & delete the old 7-zip.dll, before deleting the “tmp” extension from 7-zip.dll.tmp.

        Seems that the installer for recent 7-zip versions (stable & beta) might be a little buggy — in that it may fail to unlock whatever 7-zip file that was locked, before attempting to replace the old file(s) with the new ones.

        And apparently, uninstallation of recent 7-zip versions may go similarly awry. On 24 Dec 2017, a user reported at the official 7-zip forum that as of beginning of Dec 2017, 7-zip.dll remains locked in 7-zip’s folder & can’t be removed, despite repeated uninstalls, re-installs & uninstalls of 7-zip. So 7-zip persists as a zombie item in his Win Explorer’s context menu. Presumably, he had rebooted the system at least once between early Dec & 24 Dec, so this issue is probably not due to a lack of reboot.

        1 user thanked author for this post.
    • #163328

      Me being a German user, using the German version of 7-zip, I might have to wait for the German version of 18.01 to be available. I don’t want English 7-zip installed on my German system. On 7-zip.de, 16.04 is still the latest version. http://www.7-zip.de/download.html

      You seem to have no trouble using English. You speak/type it just fine.

      No matter where you go, there you are.

    • #163371

      Hi Woody,

      I read your Computerworld article about the newly discovered 7-Zip vulnerabilities. More important to me was the link in your article which described the two security holes which were found in 7-Zip. The reason I mention this is in relation to antivirus programs and the user selectable settings for scanning options. Let me explain…

      Many AV programs have an option to scan within compressed files when scanning newly downloaded files, or when scanning the entire computer. The issue is that the AV program, when scanning compressed files, uses its own decompressor (or unpacker) in order to scan within compressed files. Thus, the same types of vulnerabilities which were found in how 7-Zip decompresses files may be present in the AV program’s decompressor. In fact, such flaws have been found in an AV program’s decompressor at least once in the past. This is one reason why, aside from the differences in speed when performing full scans of a computer, many AV programs have an option to either enable or disable scanning within compressed files.

      Thus it boils down to just how much a user trusts their AV program’s ability to properly scan within compressed files. Does the user enable scanning within compressed files, trusting that the AV program’s decompressor doesn’t get breached in the process? Or does the user more greatly trust their AV program’s ability to detect malware when the compressed file is executed? This is very much the which came first joke — the chicken or the egg.

      If the AV program’s decompressor is flawed, then malware could silently install simply when the AV program tries to scan within the compressed archive file, such as a packed EXE file. In this scenario, the EXE file was never run by the user, yet the AV program’s decompressor was breached when the AV program’s decompressor tried to scan within the packed EXE file.

      On the other hand and if the AV program was configured to never scan within compressed archive files, the AV program might well indeed detect and block malicious code within the compressed EXE file when the user launches the compressed EXE file which first unpacks itself in order to run.

      Like I said, it is the chicken or the egg — given the plethora of compression and packing formats which an AV program’s built-in decompressor has to know about, in order for the AV program to be able to scan within compressed files.

      2 users thanked author for this post.
      • #163554

        GoneToPlaid said:
        The issue is that the AV program, when scanning compressed files, uses its own decompressor (or unpacker) in order to scan within compressed files. Thus, the same types of vulnerabilities which were found in how 7-Zip decompresses files may be present in the AV program’s decompressor.

        I use MalwareBytes v1.75, which includes 7z.dll as a standalone file in its install folder. When 7-zip is updated, I always replace MalwareBytes’s copy of the DLL with the new version.

        Note that the replacement 7z.dll must be 32-bit (extract it from the 32-bit EXE installer), because Malwarebytes (which is 32-bit) will refuse to run if the 64-bit DLL is used, even when the host system is 64-bit.

        On a related note, for those using other file archivers such as the following …

        • PeaZip uses standalone 7z.dll, 7z.exe, 7z.sfx & 7zCon.sfx. So be sure to replace with the updated binaries, as the latest version of PeaZip (v6.5.0) was released on 22 Oct 2017.
        • Bandizip can create & extract 7-zip archives, but the application folder does not contain standalone 7-zip binaries. Considering that the latest version of Bandizip (v6.10) was released on 18 Sep 2017, if Bandizip does use 7-zip binaries under the hood, it may not be safe to use Bandizip for 7-zip archives.
        1 user thanked author for this post.
        • #163599

          I too had a program that has some 7Zip files incorporated. It was a few years ago, and I cannot remember what it was, but I was using the PSI program that checked for updates and patches. It flagged 7Zip as needing an update. I updated it, but I kept getting the warning. I finally used the feature that opened the folder with the offending file and found it was not 7Zip but the other program. I copied the new file out of the new 7Zip install to the older program. I tested if it still worked, it did, so I rescanned and the warning was gone.

          • #163633

            Bill C. said:
            I was using the PSI program that checked for updates and patches. […] I finally used the feature that opened the folder with the offending file and found it was not 7Zip but the other program.

            That’s great. I suppose you mean Flexera’s Secunia Personal Software Inspector? I understand that the v3.x versions have a severely dumbed-down GUI & reduced feature-set. And the open file location function you mentioned is one of those that got removed.

            https://www.ghacks.net/2012/06/28/secunia-personal-software-inspector-3-0-final-released
            Features the company removed included threat ratings, detailed version and program information, as well as links to advisories and other related information.

            https://www.ghacks.net/2012/06/28/secunia-personal-software-inspector-3-0-final-released/#comment-1452754
            Features like […] show file location and open Secunia vulnerability page will be greatly missed.

            The last PSI v2.x (v2.0.0.4003, released: 18 Oct 2011) is still available for download, but reached EOL as of Mar 2017. I assume this means that v2.x can no longer connect to PSI’s binary signature database.

            The latest PSI is v3.0.0.11005 (released: 02 Feb 2016), but there is no changelog for this version.

            1 user thanked author for this post.
            • #163674

              Started with v1 and then 2 on XP and used it on Win7. I then “upgraded” to v3. I used v3 for a short time but it was awful and would frequently hang or could not generate the report, so I went back to v2 that you cited. It worked up until mid-2017 and I uninstalled it. Looking back I find I am now far more circumspect about anything called an upgrade, thanks to GWX, etc.

              I never used it as an updater for the programs or patches. I just used it to scan and then went to the flagged program’s website or Windows Update for the patch or updates. Under Secunia it had a support forum and lots of tips. However with Flexera it felt like the red-headed stepchild or was treated like a houseplant left by a prior tenant when you move into an apartment and was just never watered. It still has the Forum, but it is less active. In fairness that could be good and everything is working smoothly, but I suspect the user base is much smaller. Too bad, it was a great tool.

        • #163810

          Bandizip can create & extract 7-zip archives, but the application folder does not contain standalone 7-zip binaries.

          Update: A new Bandizip v6.11 (01 Feb 2018) has just been released. The changelog mentions: “Security problem while processing archive password”, as well as “Several minor bugs fixed” amongst other things.

          It is not clear if any of the listed changes are related to 7-zip. But even if not, it is still good to use the latest version, since it has at least 1 known security-related fix.

    • #163377

      Should any of you be “brave” enough to be running Win10Pro V1709 and above: the M$ anti-virus now has a controlled access feature in the settings. If you wish to run, or are having trouble running, 7zip (inc. the latest version), here’s how to add it to prevent the annoying warnings and 7zip just plain not working.

      controlled-acces

      7zip was one of the exceptionally rare free progs. aka “fluff” that came with a brand new machine that I actually liked, in fact fairly indispensable. Mainly due to its speed and multi-functionality with varying genres of zip files. In fact “no self respecting machine should be without one.” 😉

      2 users thanked author for this post.
    • #163547

      According to the post by landave (who discovered & reported the vulnerabilities), ‘ZIP Shrink: Heap Buffer Overflow’ (CVE-2017-17969) was fixed in v18.00 beta (10 Jan 2018).

      However, the below is what he posted regarding the other security vulnerability ‘Memory Corruptions via RAR PPMd’ (CVE-2018-5996):

      I have discussed this issue with Igor Pavlov and tried to convince him to enable all three flags.

      However, he refused to enable /DYNAMICBASE because he prefers to ship the binaries without relocation table to achieve a minimal binary size.

      Moreover, he doesn’t want to enable /GS, because it could affect the runtime as well as the binary size.

      At least he will try to enable /NXCOMPAT for the next release. Apparently, it is currently not enabled because 7-Zip is linked with an obsolete linker that doesn’t support the flag.

      In other words, v18.01 stable (29 Jan 2018) may or may not include a proper fix for CVE-2018-5996 because:

      • /NXCOMPAT — flag may or may not have been enabled
      • /DYNAMICBASE — won’t fix
      • /GS — won’t fix

      Meanwhile, 7-zip’s changelog does not mention anything about security fixes. v18.00 beta & v18.01 stable only indicate that “Some bugs were fixed” — unless this is opaque code-speak denoting security fixes (but which ones ??).

      A few days ago, landave recompiled 7-zip with the /DYNAMICBASE & /GS flags enabled, & the incurred increase in binary size is a grand total of … 8704 bytes (= 8.704 KB):

      https://www.reddit.com/r/netsec/comments/7se84r/7zip_multiple_memory_corruptions_via_rar_and_zip/dt6mt2y
      The relocation table is actually pretty small. I just tried to compile 7-Zip with VS2017 and /DYNAMICBASE. The main binary 7z.dll is 1,569,792 bytes in total, 9344 bytes (0.595%) of which are used by the relocation table. Enabling stack canaries (/GS) gives me a 1,578,496 byte binary (including the relocation table), so another 8704 bytes more.

      1 user thanked author for this post.
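Added example (not part of any post in this thread, and not code from 7-Zip or landave): a Python check for the header-level settings discussed in post #163547, so you can see whether a given 7z.dll opts in to ASLR (/DYNAMICBASE plus a relocation table) and DEP (/NXCOMPAT). The function names and the sample header builder are constructed for illustration.

```python
import struct
import sys

# Constants from the PE/COFF format.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # COFF Characteristics: no relocation info
DLLCHAR_DYNAMIC_BASE = 0x0040         # set by the /DYNAMICBASE linker option
DLLCHAR_NX_COMPAT = 0x0100            # set by the /NXCOMPAT linker option
BASERELOC_DIR = 5                     # data-directory index of the relocation table


def pe_mitigations(data):
    """Report ASLR/DEP opt-in for a PE image from its header bytes.

    /GS is not a header flag (it changes the generated code), so it is
    deliberately not reported here.
    """
    try:
        if data[:2] != b"MZ":
            raise ValueError("not an MZ executable")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("PE signature not found")
        characteristics = struct.unpack_from("<H", data, pe_off + 22)[0]
        opt = pe_off + 24                                     # optional header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional-header magic")
        dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+
        dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
        num_dirs = struct.unpack_from("<I", data, dirs - 4)[0]
        reloc_size = 0
        if num_dirs > BASERELOC_DIR:
            reloc_size = struct.unpack_from("<II", data, dirs + 8 * BASERELOC_DIR)[1]
    except struct.error:
        raise ValueError("truncated PE header") from None
    has_relocs = reloc_size > 0 and not characteristics & IMAGE_FILE_RELOCS_STRIPPED
    dynamicbase = bool(dll_chars & DLLCHAR_DYNAMIC_BASE)
    return {
        "dynamicbase": dynamicbase,
        "nxcompat": bool(dll_chars & DLLCHAR_NX_COMPAT),
        "has_relocs": has_relocs,
        # The flag alone is not enough: the image also needs relocation data.
        "aslr_effective": dynamicbase and has_relocs,
    }


def build_sample_header(dll_chars, characteristics, reloc_size, magic=0x10B):
    """Constructed sample: only the header fields pe_mitigations() reads."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    dirs = 96 if magic == 0x10B else 112
    opt = bytearray(dirs + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, dirs - 4, 16)
    struct.pack_into("<II", opt, dirs + 8 * BASERELOC_DIR,
                     0x1000 if reloc_size else 0, reloc_size)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python check_pe.py "C:\Program Files\7-Zip\7z.dll" ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, pe_mitigations(fh.read(4096)))
```

A result with `dynamicbase` set but `has_relocs` false means the flag is present without the relocation table the image needs in order to be moved.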
    • #163823

      I have a question: I use WinRAR and I see that there is a 7zxa.dll, but this DLL isn’t in the 7-zip folder if I want to replace it with the new version. So can this 7zxa.dll be vulnerable?

      • #163846

        @ Anon #163823
        7zxa.dll is the 7-zip standalone extracting plugin for 7z, lzma, cab, zip, gzip, bzip2, Z, & tar formats.

        To be on the safer side, it is better to replace it with the latest version, which at least comes with some (if not all) security fixes. The DLL is found in the “Extra” package:

        The downloaded “Extra” package contains the said DLL as follows:

        • \7zxa.dll       => 32-bit
        • \x64\7zxa.dll   => 64-bit

        Note that the package also contains the similar-looking 7za.dll & \x64\7za.dll,  so be careful not to replace the wrong DLL in WinRAR’s folder.

        1 user thanked author for this post.
        • #163944

          Many thanks, I changed the 7zxa.dll in WinRar

    • #163915

      A (very non-comprehensive) list of 3rd-party applications that use 7-zip libraries:
      http://www.7-zip.org/links.html

      Common examples (including some not in 7-zip’s official list):

      • SWF Player: Adobe Flash
      • Installer Authoring: NSIS, Inno Setup
      • File Unpackers: InnoUnp, UniExtract2
      • File Compressor/Decompressor: UPX, zlib (?, I know it can decompress 7z archives)
      • File Managers: Total Commander, Speed Commander, FAR Manager
      • File Archivers: WinRAR, PowerArchiver, Peazip, Bandizip (?, latest: 01 Feb 2018), FreeArc
      • Media Players: Foobar2000’s 7-zip plugin (foo_unpack_7z.dll)
      • Some .NET applications

      If the 3rd-party application is under support, check with its developer/vendor for updates.

      Or if updates are not forthcoming soon, replace their 7-zip libraries if possible (ie. if the relevant files are standalone, instead of being embedded).

      Malwarebytes (which uses 7z.dll) has just released a new v3.3.1.2183-1.0.262-1.0.3839 (01 Feb 2018). Installer (EXE): https://downloads.malwarebytes.com/file/mb3

      As of now, the changelog does not reflect the latest point-release, but based on Malwarebytes’ 31 Jan 2018 forum comment, it appears that the release comes with updated 7-zip binaries.

      2 users thanked author for this post.
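Added example (not part of any post in this thread): a Python inventory of the standalone 7-Zip components named in posts #163554, #163846 and #163915, which walks a folder tree, reads each file's numeric version and flags copies older than 18.01 as well as `.tmp` copies left beside a locked DLL (posts #163522 and #163620). It assumes 18.01 carries the numeric file version 18.1; the version lookup is a signature-scan heuristic rather than a full resource parser, and the sample tree is constructed.

```python
import os
import struct
import tempfile

# File names the thread mentions as standalone 7-Zip components.
SEVENZIP_FILES = {"7z.dll", "7za.dll", "7zxa.dll", "7-zip.dll",
                  "7z.exe", "7z.sfx", "7zcon.sfx"}
FFI_SIGNATURE = struct.pack("<I", 0xFEEF04BD)   # VS_FIXEDFILEINFO.dwSignature
FIXED = (18, 1)   # assumption: 18.01 carries numeric file version 18.1.x.x


def fixed_file_version(data):
    """Heuristic: locate VS_FIXEDFILEINFO by signature, return the file version."""
    pos = data.find(FFI_SIGNATURE)
    while pos != -1:
        if pos + 16 <= len(data):
            struc_ver, ms, ls = struct.unpack_from("<III", data, pos + 4)
            if struc_ver == 0x00010000:          # dwStrucVersion sanity check
                return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        pos = data.find(FFI_SIGNATURE, pos + 1)
    return None


def find_bundled_7zip(root, fixed=FIXED):
    """Walk root and classify every standalone 7-Zip component found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            staged = lower.endswith(".tmp")      # e.g. 7-zip.dll.tmp left by the installer
            if (lower[:-4] if staged else lower) not in SEVENZIP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    version = fixed_file_version(fh.read())
            except OSError:
                version = None                   # locked or unreadable file
            if staged:
                status = "staged"                # new copy not yet swapped in
            elif version is None:
                status = "unknown"
            else:
                status = "outdated" if version[:2] < fixed else "ok"
            findings.append((path, version, status))
    return sorted(findings, key=lambda f: f[0])


def build_sample_tree(root):
    """Constructed sample data: fake binaries carrying only a version struct."""
    samples = {
        ("7-Zip", "7z.dll"): (18, 1),
        ("7-Zip", "7-zip.dll"): (16, 4),
        ("7-Zip", "7-zip.dll.tmp"): (18, 1),
        ("Malwarebytes", "7z.dll"): (16, 4),
        ("WinRAR", "7zxa.dll"): None,            # no version resource
        ("WinRAR", "WinRAR.exe"): (5, 50),       # not a 7-Zip file, ignored
    }
    for (folder, name), ver in samples.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        body = b"MZ" + b"\0" * 62
        if ver:
            body += FFI_SIGNATURE + struct.pack("<III", 0x00010000, ver[0] << 16 | ver[1], 0)
        with open(os.path.join(root, folder, name), "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo_root:
        build_sample_tree(demo_root)
        for path, version, status in find_bundled_7zip(demo_root):
            print(f"{status:9} {version} {os.path.relpath(path, demo_root)}")
```

Applications that embed the 7-Zip code instead of shipping it as a separate file will not show up in this kind of scan.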