
Big Vulnerability hits 7-Zip file archiver - gets patched - Download v18.05

by Hilbert Hagedoorn on: 05/03/2018 08:00 AM | source: | 16 comment(s)

If you use it, you can and should download v18.05 of the popular 7-Zip file archiver. The free-to-use WinZip replacement has a very critical vulnerability, and all it takes to trigger it is a specially prepared RAR file.

This has been fixed with v18.05. I am highlighting this new v18.05 release this much because it is a pretty bad one: it allows remote execution based on just a RAR file. The security researcher (landave.io) who discovered the vulnerability informed the developer of 7-Zip on the 6th of March this year. It has been patched with the release of 7-Zip 18.05, which not only fixes the vulnerability but also adds ASLR security measures.

7-Zip is one of the most popular archivers available on the web, downloaded nearly 450 million times from Sourceforge alone. All users of 7-Zip are advised to update the software to the latest version. I've made a local mirror on Guru3D, which can be downloaded from here.
 



BlueRay
Senior Member



Posts: 278
Joined: 2015-11-18

#5543361 Posted on: 05/03/2018 08:07 AM
Yet it doesn't have an auto update or an update notifier. And this is why it's bad and dangerous when applications can't auto update.

Kaarme
Senior Member



Posts: 3378
Joined: 2013-03-10

#5543366 Posted on: 05/03/2018 08:22 AM
Thanks for the heads-up! I doubt I'd have noticed a thing like this otherwise.

386SX
Senior Member



Posts: 1801
Joined: 2017-06-26

#5543370 Posted on: 05/03/2018 08:37 AM
@BlueRay: Please keep in mind even update servers may infect themselves. This has been done in the past multiple times. The last time I know of was some kind of banking software which downloaded an infected update (crypto trojan) from its compromised update servers. Because autoupdates were ON by default, half its clients were infected.

On the one hand it may be wise to let programs autoupdate themselves if you trust them >>and the whole chain<<.
On the other hand it may be even better to disable autoupdates and do the patching the manual way on critical infrastructure. Remember the time when Windows 10 updates broke some computers? (Isn't it still a thing today?)
My grandma would be better off with autoupdates which >>I<< enable, for the most important programs.
Personally I feel safer with a weekly "patchday", where I download (or check for) program updates. A big PRO is you do not have to have dozens of programs running in the background, checking for updates every few minutes / hours. Saves bandwidth, resources and therefore energy (a small bit). "Green IT by disabling autoupdaters." ;-)

I used 7-zip for many many years and still use it today. It offers all the formats you want your archive program to support. RAR, ZIP, 7Z, WIM, ISO and a lot more are supported. That is what I care about the most, after the fact it's free without any hidden fees and does not come with any spyware, adware, other crap bundled. ("Hi FlashPlayer!").

I do not care about the security issue found here. Honestly: Every program has these. But after escalating the issue to the publisher you see if you may trust them in the future. If a bug does not get patched, this is far worse from my point of view than a program that has thousands of bugs but they get fixed in week 1. The publishers of 7-zip did their job right and fixed the bug. They communicated this to the public the right way (AFTER the patch is available but still in a reasonable "short" period of time), so no bad feelings about this.

fantaskarsef
Senior Member



Posts: 14328
Joined: 2014-07-21

#5543371 Posted on: 05/03/2018 08:38 AM
IT department uses 7zip, no update queued as of right now.
IT department releases win10 on newer (Dell) laptops, and I'm not sure they know what to deactivate and what not.

As you might think, my trust in my company's IT department is not that big :D

BlueRay
Senior Member



Posts: 278
Joined: 2015-11-18

#5543383 Posted on: 05/03/2018 09:20 AM
@386SX I understand that, but a notification prompting the user to go to the website and download the new version is the bare minimum for security. It is the most popular zip tool yet it expects users to read tech blogs to find out their version is not secure. This is bad.
