7-Zip compression software contains a severe vulnerability.
clopezi
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29072
Apparently, the CVE is disputed...
GamerNerves
What are the best alternatives to this program besides WinRAR? I'm curious if I should try something else.
Mannerheim
Alessio1989
Astyanax
There is no exploitable issue here, the reportee is actually trying to profit on a vulnerability that doesn't exist.
GamerNerves
gianluca
Ven0m
Just take a look at the SourceForge discussion - it totally looks like a scam
https://sourceforge.net/p/sevenzip/bugs/2337/
Help file viewer executes a file... great - you could drag CMD with virtually the same effect.
Priv escalation - without 7-zip process running as system, you can hardly think of 7-zip exposing system user.
Kaarme
I don't even know what's supposed to be 7-zip's "help page" and why I should drag'n'drop files there in the first place. So, regardless of the exploit being real or not, it seems pretty safe.
Coupe
The constant fire alarms for clicks that all these sites do with vulnerabilities is getting REALLY annoying. Especially since I'm a sysadmin.
Some brainless exec reads an article and thinks the end of the world is coming. Let's rush a patch out by today without testing!
LimitbreakOr
FlyBy
It might be relatively harmless to you and me, but any evil sub-admin, any unsatisfied employee with modest skills etc., those just need an easy-to-use lever to wreak havoc.
Better safe than sorry.
spacefrog
According to the discussion on SourceForge, it "might" be a vulnerability in the Windows compiled help viewer hh.exe, not 7z itself.
Essentially 7z uses the Windows default app to display its help. The 7-Zip help comes in the form of a CHM file (compiled HTML).
CHM has already been declared deprecated by Microsoft in the past, but they still use it themselves a lot, because it's quite a handy and compact format.
So if the user has the .CHM file type assigned to be handled by the default program (hh.exe; this is the default in vanilla Windows I think, but I'm not quite 100% sure), pressing F1 in 7-Zip opens the help using that said hh.exe.
The user can then drag a specifically created, malicious HTML file onto the help viewer (hh.exe; I repeat, this is a Windows program, and I'm not sure if it comes with Windows by default),
and hh.exe can execute the malicious code in that HTML file (if your current user runs with the required privileges).
So in short:
this is a hh.exe / Windows vulnerability, if it's a vulnerability at all;
of course you can do the same using a PowerShell script or DOS batch file and have it execute commands according to the user's privileges.
Just a pretty blown-out-of-proportion case of Captain Obvious, if you ask me ...
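Since the post above hinges on which program Windows hands .chm files to, here is an added PowerShell check (not code from the thread or from 7-Zip) that resolves the current .chm association the way the shell does and reports whether it ends in hh.exe. It assumes the standard layout: a per-user override under HKCU\...\FileExts\.chm\UserChoice, otherwise the ProgId stored at HKCR\.chm, followed by that ProgId's shell\open\command.

```powershell
# Added example: report what Windows will launch for a .chm file, i.e. what F1 in 7-Zip actually opens.
# Assumes the usual association layout; run in a normal (non-elevated) PowerShell session.
function Get-ChmHandler {
    $progId = $null
    $source = 'machine default (HKCR\.chm)'

    # A per-user choice takes precedence over the machine-wide default.
    $userChoice = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.chm\UserChoice'
    if (Test-Path $userChoice) {
        $progId = (Get-ItemProperty -Path $userChoice -ErrorAction SilentlyContinue).ProgId
        if ($progId) { $source = 'user choice (HKCU FileExts)' }
    }
    if (-not $progId) {
        $ext = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.chm' -ErrorAction SilentlyContinue
        $progId = $ext.'(default)'
    }
    if (-not $progId) {
        # Edge case: no association at all, so F1 cannot open a CHM viewer.
        return [pscustomobject]@{ ProgId = $null; Command = $null; Source = 'no .chm association'; IsHhExe = $false }
    }

    # Works for both classic ProgIds (e.g. chm.file) and Applications\<exe> entries.
    $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    # Expand %SystemRoot% and friends so the path can be inspected as-is.
    if ($command) { $command = [Environment]::ExpandEnvironmentVariables($command) }

    [pscustomobject]@{
        ProgId  = $progId
        Command = $command
        Source  = $source
        IsHhExe = [bool]($command -and $command -match '\\hh\.exe')
    }
}

$handler = Get-ChmHandler
$handler | Format-List
if ($handler.IsHhExe) {
    Write-Host 'F1 in 7-Zip opens help in hh.exe, the Windows HTML Help viewer discussed above.'
} else {
    Write-Host 'CHM files are not handled by hh.exe on this machine; 7-Zip help will open in the program shown above (or not at all).'
}
```

Because the command runs only with the privileges of the logged-on user, a non-admin result here matches the "no privilege escalation" reading of the report.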
thesebastian
I don't like that the app requires admin rights to be installed (and I try to avoid this when there is an unknown verified publisher). As a workaround I always install 7-Zip with the following command and no admin rights:
msiexec /i 7z2107-x64.msi INSTALLDIR=%USERPROFILE%\7-Zip\ MSIINSTALLPERUSER=1
Astyanax
TheDeeGee
Still using and have been using WinRar for decades. Going 7-zip would feel like cheating on my partner.
There are pretty neat skins for it as well.
rflair
Moderator
7zip is open source is it not? Or freeware, can't remember.
If there is an exploit it will be fixed.
I've personally gone open-source with as many programs in Windows as possible. I also contribute a few $ their way, not much, but some.
Alessio1989
van_dammesque
Pictus
https://doublecommander.com/
https://doublecommander.com/screenshot.png
The free Double Commander has built-in RAR/7-Zip with a way better interface as it is a very capable file manager.