Big Vulnerability hits 7-Zip file archiver - gets patched - Download v18.05

by Hilbert Hagedoorn on: 05/03/2018 07:00 AM | source: | 16 comment(s)

If you use, you can and should download v18.05 of the popular 7-Zip file archiver. The free to use WinZip replacement has a very critical vulnerability for which all it needed was a specially prepped RAR file.

This has been addressed with the release of has been fixed with v18.05, I am highlighting this new v18.05 release this much as this is a pretty bad one as it allows remote execution, based on just a RAR file. The security researcher (landave.io) who discovered the vulnerability informed the developer of 7-Zip on the 6th of March this year. it has patched with the release of 7-Zip 18.05, which not only fixes the vulnerability but also adds ASLR security measures.

7-Zip is one of the most popular archivers available on the web, downloaded nearly 450 million times from Sourceforge alone. All users of 7-Zip are advised to update the software to the latest version, I've made a local mirror on Guru3D, which can be downloaded from here.

> Download

2 pages 1 2

BlueRay
Senior Member

Posts: 269
Joined: 2015-11-18

#5543361 Posted on: 05/03/2018 07:07 AM

Yet it doesn't have an auto update or an update notifier. And this is why it's bad and dangerous when applications can't auto update.

Kaarme
Senior Member

Posts: 1699
Joined: 2013-03-10

#5543366 Posted on: 05/03/2018 07:22 AM

Thanks for the heads-up! I doubt I'd have noticed a thing like this otherwise.

386SX
Senior Member

Posts: 586
Joined: 2017-06-26

#5543370 Posted on: 05/03/2018 07:37 AM

@BlueRay: Please keep in mind even update servers may infect themselfes. This has been done in the past multiple times. The last time I know was some kind of banking software which downloaded an infected update (crypto trojan) from its compromised update servers. Because autoupdates were ON by default, half its clients were infected.

On the one hand may be wise to let programs autoupdate themselfes if you trust them >>and the whole chain<<.
On the other hand it may be even better to disable autoupdates and do the patching the manual way on critical infrastructure. Remember the time when Windows 10 updates broke some computers? (Isn't it still a thing today?)
My grandma would be better off with autoupdates which >>I<< enable, for the most important programs.
Personally I feel safer with a weekly "patchday", where I download (or check for) program updates. A big PRO is you do not have to have dozens of programs running in the background, checking for updates every few minutes / hours. Saves bandwidth, ressources and therefore energy (a small bit). "Green IT by disabling autoupdaters." ;-)

I used 7-zip for many many years and still use it today. It offers all the formats you want your archive program to support. RAR, ZIP, 7Z, WIM, ISO and a lot more is supported. That is what I care of the most, after the fact it's free without any hidden fees and does not come with any spyware, adware, other crap bundled. ("Hi FlashPlayer!").

I do not care about the security issue found here. Honestly: Every program has these. But after escalating the issue to the publisher you see if you may trust them in the future. If a bug does not get patched, this is far worse from my point of view than a program who has thousands of bugs but they get fixed in week 1. The publishers of 7-zip did their job right and fixed the bug. They communicated this to the public the right way (AFTER the patch is available but still in a reasonable "short" period of time), so no bad feelings about this.

fantaskarsef
Senior Member

Posts: 11068
Joined: 2014-07-21

#5543371 Posted on: 05/03/2018 07:38 AM

IT department uses 7zip, no update queued as of right now.
IT department releases win10 on newer (Dell) laptops, and I'm not sure they know what to deactivate and what not.

As you might think, my trust in my company's IT department is not that big

BlueRay
Senior Member

Posts: 269
Joined: 2015-11-18

#5543383 Posted on: 05/03/2018 08:20 AM

@386SX I understand that but a notification prompting user to go to the website and download the new version is the bare minimum for security. It is the most popular zip tool yet it expects users to read tech blogs to find out their version is not secure. This is bad.

Robbo9999
Senior Member

Posts: 1350
Joined: 2012-10-07

#5543412 Posted on: 05/03/2018 10:09 AM

Thanks, downloaded & installed!

386SX
Senior Member

Posts: 586
Joined: 2017-06-26

#5543430 Posted on: 05/03/2018 10:46 AM

I understand that but a notification prompting user to go to the website and download the new version is the bare minimum for security. This is bad.

I agree with you with notifications, for any standard user this would be optimal and saves me a lot of work at friends or family. :-)

Fox2232
Senior Member

Posts: 9768
Joined: 2012-07-20

#5543483 Posted on: 05/03/2018 01:14 PM

THX for letting us know, 7z is must for anyone.

Amx85
Senior Member

Posts: 331
Joined: 2016-09-28

#5543484 Posted on: 05/03/2018 01:16 PM

Ohh

H.H. please use this version to bench CPU, Ígor Pávlov is always working to improve 7-zip

greetings

RzrTrek
Senior Member

Posts: 2352
Joined: 2012-04-16

#5543511 Posted on: 05/03/2018 02:20 PM

I'm glad it was dealt with as quickly as they did.

wavetrex
Senior Member

Posts: 691
Joined: 2008-07-16

#5543531 Posted on: 05/03/2018 03:11 PM

One day I discovered Chocolatey:
https://chocolatey.org/

Since that day, updates on free software are no longer a concern.

p.s. - 7-Zip is already updated in the repository - It says version 18.5, and not 18.05 (but it's same thing)

flashmozzg
Senior Member

Posts: 122
Joined: 2013-01-30

#5543661 Posted on: 05/03/2018 09:19 PM

Another reason to upgrade:

The speed for single-thread LZMA/LZMA2 decoding
was increased by 30% in x64 version and by 3% in x86 version.
7-Zip now can use multi-threading for 7z/LZMA2 decoding,
if there are multiple independent data chunks in LZMA2 stream.
7-Zip now can use multi-threading for xz decoding,
if there are multiple blocks in xz stream.
The speed for LZMA/LZMA2 compressing was increased
by 8% for fastest/fast compression levels and
by 3% for normal/maximum compression levels.

nevcairiel
Senior Member

Posts: 625
Joined: 2015-05-19

#5543691 Posted on: 05/04/2018 12:14 AM

You know its not remote code execution if you have to download a file first and open it locally. Whats with the security people these days.

Obviously something like 7-Zip which is not a persistent service of any kind will likely never be affected by Remote Code Execution, since remote hackers cannot interact with it whatsoever - unless you have a web-service that somehow interacts with 7-Zip (to unpack uploaded files, for example), but thats reaching.

heffeque
Senior Member

Posts: 3944
Joined: 2003-03-03

#5543891 Posted on: 05/04/2018 04:29 PM

wavetrex
Senior Member

Posts: 691
Joined: 2008-07-16

#5543907 Posted on: 05/04/2018 05:05 PM

I use PatchMyPC. Real handy and easy.

Nice tool, but that program is a little toy compared to Choco:

"There are 5762 community maintained packages" (currently)

This one is the Windows equivalent of Ubuntu package manager... it can install, uninstall, update software, look for new software in various categories, etc. I a completely different class than that little tool.

Oh, and there is a GUI as well (which I'm using), so I don't mess around with commandline:
https://chocolatey.org/packages/ChocolateyGUI

2 pages 1 2

Post New Comment

Click here to post a comment for this news story on the message forum.