• There’s a new version of 7-Zip

    #243337

    No indication as yet whether the new version 18.06 has the same security problems as the older versions 18.0 through 18.05. I expect we’ll hear from Land
    [See the full post at: There’s a new version of 7-Zip]

    • #243339

      I already switched to PeaZip. I guess we’ll see whether there’s any reason to go back to 7-Zip.

      • #243453

        Since PeaZip leverages 7-Zip for 7z archives and interfaces with other, potentially flawed, archiving libraries, or may not have “this or that” protection feature enabled, I have no clue what bothers you about using unbundled 7-Zip even with its flaws.

        • #243475

          The main reason I use PeaZip is that it handles drag and drop better. It doesn’t decompress everything to a folder on my main drive and then copy that folder to the other location. Granted, this is a Windows limitation, but PeaZip at least tries to get around it. The only downside is that it doesn’t support dragging over the taskbar to open up other windows–a feature I’ve bugged them about implementing.

          So I don’t know about how it handles security. That said, given that the missing security features are all compile-time issues, it would seem very possible that PeaZip turns on features that the official 7-Zip release does not.

          Still, given that 7-Zip opened itself up to bug bounties, it’s possible that the developer is now taking security seriously and will enable these features. It would suck to have a bounty for a known problem, after all.

    • #243352

      I already switched to PeaZip. I guess we’ll see whether there’s any reason to go back to 7-Zip.

      In my experience, 7-zip is generally faster (archive & extract) than PeaZip, and that doesn’t seem to be equipment-dependent.

      • #243357

        Aha.

        I’m also more used to 7-zip.

        So let’s see if it came clean.

        Thanks.

    • #243362

      Born says in the article:

      Use the .msi installer instead of the .exe version. This avoids DLL hijacking.

      What is the .msi installer?  All I see in the 7-Zip article are two .exe files?

      Thx

      • #243365

        The installer file format is .msi (Microsoft installer) instead of .exe (executable). The .msi installer can be downloaded from 7-zip.org

      • #244033

        You have to look on the actual download page (left hand page menu). On there you can find the .msi files.

        No matter where you go, there you are.

    • #243367

      Generally speaking, for any software which offers both files, msi installers are provided for the convenience of administrators who need to use deployment methods like Group Policy or SCCM. Sometimes the deployment tools either do not support exe installers, because they are interactive and are difficult to automate, or simply work better with the msi installers.
      For end users and for any manual installation, in general exe installers contain all the configurations that the developer intended packaged in one file and in some cases even prerequisite files like Visual C++ runtimes, while the msi do not. There are exceptions though.
      I would highly recommend for any manual installation to use the exe file and fall back on msi only if needed or if there are any issues with the exe.

    • #243368

      ? says: thank you, again PK!

      I learn something new every day, here:

      https://www.ghacks.net/2009/03/23/msi-or-exe-setup/

      Off topic? When I update the Intel Bluetooth I put the download on the desktop and point Device Manager to the .ini file…

    • #243403

      The ASLR has been on for a couple of releases now.

      https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/

      “2018-04-30 – 7-Zip 18.05 released, fixing CVE-2018-10115 and enabling ASLR on the executables.”

      That would be the executables ending in .exe or .dll but not the ones ending in .sfx, as those still have reloc information stripped. However, I think the .sfx modules are only used when making a self-extracting zip file, which I never make.

      • #243426

        Yep, I saw that, but I don’t think it absolves 7-Zip entirely. Unless I missed something….

        • #243442

          I think the ASLR issue was the lion’s share of the problem.  And I think that the EU has now offered a bounty for security faults in 7-Zip,  so I like the program going forward.

          The additional step I do on Win 8.1 (release 3) is to add the following mitigation options.

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\7zFM.exe

          QWORD MitigationOptions = 10101111311

          Third from the right is a “3”. That controls the ASLR with the strictest option. Other digits in this mitigation also trigger Control Flow Guard, because, unlike ASLR, there is no need for wall-to-wall CFG for it to work in those modules (Microsoft DLLs) where it is compiled in.

          Don’t know what to say about Win 10 because they merged EMET into the mitigation options, so half of the mitigations are QWORD, half Binary. If I had that system, I’d use the GUI to slap on some more mitigations, starting with Control Flow Guard.

          On Win 8.1, I’m happy with the program, and with the bounty option, expect to be happier going forward, as the author of 7-Zip will now receive reinforcements in keeping the program secure.

          (Win 7 – only the right 5 “11311” mitigations are available.)

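          To make the digit-by-digit reading in the post above checkable, here is an added example (mine, not the poster's and not a Microsoft tool) that decodes an IFEO MitigationOptions QWORD into named mitigations and builds one back. The field layout is taken from the PROCESS_CREATION_MITIGATION_POLICY_* definitions in winbase.h, which is the encoding the IFEO value uses: one 2-bit field per hex digit from bit 8 upward (0 = defer, 1 = always on, 2 = always off; 3 is only meaningful for the force-relocate field, where it means "always on, require relocations"), and single legacy bits (DEP, ATL thunk, SEHOP) in the low byte. The posted value is read as hex digits, regedit's default base for a QWORD; that reading is my assumption.

```python
"""Decode/encode the IFEO MitigationOptions QWORD.

Constructed example: the 2-bit field table follows the
PROCESS_CREATION_MITIGATION_POLICY_* definitions in winbase.h, which is the
same encoding the per-image IFEO registry value uses.
"""
from typing import Dict

# bit offset of each 2-bit field -> mitigation name (winbase.h layout)
FIELDS = [
    (8, "FORCE_RELOCATE_IMAGES"),        # mandatory ASLR; 3 = require relocs
    (12, "HEAP_TERMINATE"),
    (16, "BOTTOM_UP_ASLR"),
    (20, "HIGH_ENTROPY_ASLR"),
    (24, "STRICT_HANDLE_CHECKS"),
    (28, "WIN32K_SYSTEM_CALL_DISABLE"),
    (32, "EXTENSION_POINT_DISABLE"),
    (36, "PROHIBIT_DYNAMIC_CODE"),
    (40, "CONTROL_FLOW_GUARD"),
    (44, "BLOCK_NON_MICROSOFT_BINARIES"),
    (48, "FONT_DISABLE"),
    (52, "IMAGE_LOAD_NO_REMOTE"),
    (56, "IMAGE_LOAD_NO_LOW_LABEL"),
    (60, "IMAGE_LOAD_PREFER_SYSTEM32"),
]
# the low byte holds single-bit legacy flags rather than 2-bit fields
LOW_BITS = [(0x1, "DEP_ENABLE"), (0x2, "DEP_ATL_THUNK_ENABLE"), (0x4, "SEHOP_ENABLE")]
STATES = {0: "DEFER", 1: "ALWAYS_ON", 2: "ALWAYS_OFF", 3: "RESERVED"}
STATE_BITS = {v: k for k, v in STATES.items()}
STATE_BITS["ALWAYS_ON_REQ_RELOCS"] = 3   # defined only for FORCE_RELOCATE_IMAGES


def decode_mitigation_options(value: int) -> Dict[str, object]:
    """Return {mitigation: state} for every 2-bit field plus the legacy flags."""
    out: Dict[str, object] = {}
    for shift, name in FIELDS:
        state = (value >> shift) & 0x3
        if name == "FORCE_RELOCATE_IMAGES" and state == 3:
            out[name] = "ALWAYS_ON_REQ_RELOCS"
        else:
            out[name] = STATES[state]
    for mask, name in LOW_BITS:
        out[name] = bool(value & mask)
    # anything else in bits 0..7 is not a documented flag; report it raw
    out["unrecognized_low_bits"] = value & 0xF8
    return out


def encode_mitigation_options(settings: Dict[str, object]) -> int:
    """Build the QWORD from {mitigation: state}; fields not named stay DEFER."""
    shifts = {name: shift for shift, name in FIELDS}
    low = {name: mask for mask, name in LOW_BITS}
    value = 0
    for name, state in settings.items():
        if name in low:
            if state:
                value |= low[name]
        elif name in shifts:
            value |= STATE_BITS[str(state)] << shifts[name]
        else:
            raise KeyError("unknown mitigation %s" % name)
    return value


def reg_add_command(exe: str, value: int) -> str:
    """The reg.exe line that writes the value under the per-image IFEO key."""
    key = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
           r"\Image File Execution Options\%s" % exe)
    return 'reg add "%s" /v MitigationOptions /t REG_QWORD /d 0x%x' % (key, value)


if __name__ == "__main__":
    posted = int("10101111311", 16)   # the value from the post, read as hex digits
    for name, state in decode_mitigation_options(posted).items():
        print("%-30s %s" % (name, state))
    print(reg_add_command("7zFM.exe", posted))
```

          Decoding the posted value confirms the reading in the post: the third digit from the right (bits 8-11) is FORCE_RELOCATE_IMAGES = 3, the eleventh digit (bits 40-43) turns on CONTROL_FLOW_GUARD, and the digits in between enable heap terminate, bottom-up and high-entropy ASLR, strict handle checks and extension-point disable. The second digit from the right (0x10) is not a documented flag, so the decoder reports it as unrecognized rather than guessing.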
        • #243495

          In post 243426 just above, @woody says

          Yep, I saw that, but I don’t think it absolves 7-Zip entirely. Unless I missed something….


          @Woody, in the same article you’re talking about having seen, in the section titled “##On Exploit Mitigation” landave talks about the ASLR issues with 7-Zip that have dated back to January, when Igor seemed to flatly refuse to enable ASLR for 7-Zip. He mentions that Igor implemented ASLR in most of the .dll’s for 7-Zip, but didn’t implement it for the actual executables. This is the subject of the first two paragraphs of that section.

          In the third paragraph, landave says “Obviously, ASLR can only be effective if all modules are properly randomized. I discussed this with Igor and convinced him to ship the main executables of the new 7-Zip 18.05 with /DYNAMICBASE and relocation table. The 64-bit version still runs with the standard non-high entropy ASLR (presumably because the image base is smaller than 4GB), but this is a minor issue that can be addressed in a future release.”
          I added the emphasis at the end of the quote above. Just maybe the referenced “minor issue” above has been addressed with this latest version of 18.06?

          I’m thinkin’ that third paragraph might be what ya “missed”???  😉

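          The two conditions landave's quote above and the earlier post about the .sfx modules turn on (the /DYNAMICBASE flag, a surviving relocation table, and the separate high-entropy flag on 64-bit images) are all plain PE header fields, so they can be checked directly. The following is an added example of mine, not code from 7-Zip or from landave's blog: it parses the COFF and optional headers with nothing but struct and reports whether the loader can actually randomize the image. The three sample headers are hand-built, constructed test inputs (not loadable binaries) that mimic a module with its relocations stripped, a 64-bit image with /DYNAMICBASE but no high-entropy ASLR, and a fully flagged 64-bit image; the script name in the usage note is assumed.

```python
"""Read the ASLR-relevant PE header bits: /DYNAMICBASE, relocations, HIGH_ENTROPY_VA, CFG.

Constructed example; the sample images below are header-only and cannot run.
"""
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
BASE_RELOC_DIR = 5                              # index of the .reloc data directory


def inspect_pe(data: bytes) -> dict:
    """Return the flags that decide whether the loader can really randomize this image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    _mach, _nsec, _ts, _sym, _nsym, _optsize, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dirs = opt + 96
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]
    reloc_size = 0
    if n_dirs > BASE_RELOC_DIR:
        _rva, reloc_size = struct.unpack_from("<II", data, dirs + BASE_RELOC_DIR * 8)

    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    has_relocs = reloc_size > 0 and not (characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    aslr = dynamic_base and has_relocs   # /DYNAMICBASE alone is not enough: no relocs, no rebasing
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "image_base": image_base,
        "dynamic_base": dynamic_base,
        "has_relocs": has_relocs,
        "aslr_effective": aslr,
        "high_entropy_aslr": (aslr and magic == PE32PLUS_MAGIC
                              and bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "guard_cf": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def build_header(pe32plus: bool, image_base: int, characteristics: int,
                 dll_characteristics: int, reloc_size: int) -> bytes:
    """Hand-built DOS + PE + optional header (constructed test input, no sections or code)."""
    opt_size = 240 if pe32plus else 224           # includes the 16 data directories
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
        dirs = 112
    else:
        struct.pack_into("<I", opt, 28, image_base)
        dirs = 96
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, dirs - 4, 16)     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs + BASE_RELOC_DIR * 8, 0x3000 if reloc_size else 0, reloc_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


DYN_NX = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SAMPLES = {
    # like the .sfx stubs: DYNAMICBASE set, but the relocation table was stripped
    "sfx_relocs_stripped": build_header(False, 0x400000, IMAGE_FILE_RELOCS_STRIPPED, DYN_NX, 0),
    # 64-bit with /DYNAMICBASE and relocs, but without the HIGH_ENTROPY_VA flag
    "x64_standard_aslr": build_header(True, 0x400000, 0, DYN_NX, 0x200),
    # 64-bit with everything: high-entropy ASLR and CFG
    "x64_full": build_header(True, 0x140000000, 0,
                             DYN_NX | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
                             | IMAGE_DLLCHARACTERISTICS_GUARD_CF, 0x200),
}

if __name__ == "__main__":
    import sys
    targets = {p: open(p, "rb").read() for p in sys.argv[1:]} or SAMPLES
    for name, blob in targets.items():
        print(name, inspect_pe(blob))
```

          Run as `python inspect_pe.py 7z.exe 7zFM.exe 7z.sfx` (file names assumed) it prints one line per image; with no arguments it reports the three constructed samples. The point the sample set makes is the one landave made: an image with DYNAMIC_BASE set but its relocation table stripped cannot be rebased by the loader or by any IFEO force-relocate policy, and a 64-bit image gets the full high-entropy address space only when HIGH_ENTROPY_VA is set on top of working ASLR.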
        • #321944

          So, it’s stay with PeaZip until further notice?

          Maybe it’s just me, but it seems a bit slower and not as user-friendly.

      • #243486

        From the Release Notes at the 7-ZIP official site:

        “The bug in 7-Zip 18.02-18.05 was fixed: there was memory leak in xz decoder.”

        https://www.7-zip.org/history.txt

        Is this the CVE cited before, and the subject of this AskWoody post? So far, nothing from Landave’s Blog about this.

        As for PeaZip, which is mentioned in this thread, it has not been updated. It is still at the security level of 7-ZIP 18.05, and has not received an update since October, 2018:

        http://www.peazip.org/changelog.html#latest_software_release

        -- rc primak

    • #243415

      I bought and installed PowerArchiver years ago. What I don’t like is that the program installed like 100 file extensions into my registry and they couldn’t even remove those file associations.

      Does 7-Zip also install a bunch of file associations, needed or not?

      I don’t want all those in my Windows 10 Pro setup.

      • #243450

        No, you have to change or add those file associations yourself using the 7-Zip file manager with Administrator privileges.

    • #243455

      As I first tried installing 7-Zip 18.06 using the msi installer it wanted me to kill the explorer task (pid 4002), as it was “in use”, in order to be able to install. I did not do that, I did not kill the explorer task; instead I aborted the installation of 7-Zip. On the second try the installation finished without having to kill the explorer task… this request about killing the explorer task was gone on the second try. What was it in the first place?

      PC: Windows 7 Ultimate, 64bit, Group B
      Notebook: Windows 8.1, 64bit, Group B

      • #243487

        Explorer Task usually means there was an application or file system (File Explorer) window open (perhaps minimized or in the background) at the time the install was attempted. Ending this task also forces the window to close. But this way of ending an Explorer Task can render an application or even all of Windows unstable, so it is not recommended to use this method.

        Either check your taskbar for minimized windows, or else log out and start fresh with a new Windows session. Check the Notification (System Tray) area for automatic tasks icons, and close these if possible, except for antivirus activities.

        I often log out before installing anything if Edge or IE has been active. Even Chrome tends to leave some background processes running even when supposedly “closed”.  Windows Store Apps also don’t really close when they are “closed”. They continue to run (and send “telemetry”) in the background. Sort of like on an Android or iOS phone.

        -- rc primak

      • #243525

        The dll files that ship with 7-Zip provide “context” menus when a file is right-clicked in Explorer. There are two Explorer modes, one that provides the shell and another that operates as a file manager. Probably a dll file to be replaced was in use, or seen as being in use by the installer.

    • #243496

      I personally still use v9.38 🙂
      I have the newest version as portable PAF, in case I need new features (like opening ESD files)

    • #243703

      I wasn’t aware of all of this ‘drama’. Makes the developer sound like someone you wouldn’t want to work with. There’s really no excuse for not enabling security features. Especially if the developer just wants bragging rights to say, “My installer is smaller than yours.”

      For what it’s worth, I’ve disabled the context menus. I noticed that you have to Run as Admin to be able to turn them off.

    • #244032

      Really doesn’t help when other vendors are using 7Zip in their products, and a known vulnerable old version at that. For example, I just noticed yesterday that Adobe’s Creative Cloud uses a 7Zip version 16.04 executable in its updater engine (look for 7ZA.exe).

      No matter where you go, there you are.

      • #244051

        Then again, 7za.exe is supposed to be a reduced-capability version with less attack surface. Like the RAR format specific problems, well, 7za.exe doesn’t do RAR anyway. It’s also supposed to not load DLLs I think?

        Not saying that it’s necessarily safe, but at least less unsafe than the full version.

        Oh well, I’d also hope that a thing like Adobe’s updater would verify package signatures before the unpacking step…
