
Multiple 7-Zip Vulnerabilities Discovered - adamnemecek
http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html
======
paulfr
I am appalled at how unseriously 7-zip seems to take security.

The changelog only says "Some bugs were fixed", with no mention that there are
serious security flaws. The homepage doesn't mention any vulnerability.

The installer is not signed, downloads are over HTTP only, and there is no
hash available either on the homepage or on the forum announcement linked
from the homepage (the latter is served over HTTPS so it would be a reasonable
option); thankfully you can dig around Sourceforge downloads to find a SHA-1
automatically generated by Sourceforge. So I can personally verify the
integrity of downloads, assuming Sourceforge can still be trusted, but 99% of
users won't do this, and more worryingly it's a strong signal that the
developers may not understand or value security very much: you have to wonder
if maybe they're not themselves downloading unsigned software over HTTP all
the time.

~~~
striking
You can be appalled, but it's not like anyone's paying them for the work that
they do.

If you want to help them, I'm sure you could contribute some additions to
their build process or something that would help them tighten up security. But
I think it's funny that you're so shocked that a popular free software project
isn't perfect.

Be the change you want to see.

PS: who cares if the devs are using unsigned software downloaded over HTTP? I
care about using signed software (and then I suppose the transport doesn't
really matter), but that's totally unrelated to what the devs do on their own
computers.

~~~
JetSetWilly
Every time an open source project is criticised, you get people saying "why
are you criticising, you should do the work" - to the point that this seems
to be a mechanism to shut down any and all criticism of any open source project
via special pleading.

One can be very grateful for the work done on an open source project, and
recognise that I have no right whatsoever to expect them to hop to it, but I
am always free to criticise their work whether it is free or not. Just because
a project is open source doesn't mean nobody can utter a bad word about it.

~~~
paulfr
Thank you. To be clear, I don't mean that as a criticism of the developers,
who as the parent points out do very useful work and do it for free. But I
feel that it's important to have an objective look at the current shortcomings
in the state of 7-zip security, both in order to understand what needs to be
done to fix it, and in order to warn current users until those issues are
fixed.

7-zip is a widely popular basic utility, like a web browser. A flaw in 7-zip
is very serious, because as I pointed out elsewhere simply opening a .zip file
will allow an attacker to exploit it. And while there is a strong security
culture among web browser developers, 7-zip doesn't seem to have that culture
(yet).

There is certainly a massive budget and manpower difference, but a lack of
mention of security fixes in the changelog and a lack of hashes isn't a
manpower issue, it's a culture issue.

As a side note, compromise of a developer's machine is a big deal in my
opinion: it could be easy for a criminal entity to slip in a tiny change in a
large patch that introduces a vulnerability; and depending on how builds are
performed, a criminal could patch the final .exe with no visible change to the
source code. These are tailored attacks, but for a very widely distributed
program it would easily be worth the criminal's time.

~~~
striking
I'm glad you care so much, but I don't think you can fix a culture issue by
explaining it away. The best way to set a culture where there hasn't been one
before, is to lead by example.

Re: side note; the vulnerability described in the well-known Ken Thompson
paper has been exploited just once in the wild. It's cool, but you could say
the same thing about trusting Windows or proprietary drivers or hardware.

~~~
nickpsecurity
I counter the Thompson claim as vastly overstated risk when I see it here. I
hadn't even heard that it was ever done before. Do you have a link or the
project/time? I try to track these things.

~~~
striking
[https://web.archive.org/web/20100305234633/http://www.h-onli...](https://web.archive.org/web/20100305234633/http://www.h-online.com/security/news/item/Virus-infects-development-environment-743003.html)

Took some digging, but there it is.

~~~
nickpsecurity
Thanks for digging. I'll be damned! Somebody did pull it off. On my old,
favorite platform as well!? So, one time on record.

Still supports my claim that reproducible builds and Thompson are mainstream
buzzwords where our real concern per Orange Book days should be: coding
defects in compiler source; effects of optimizations; malicious developers;
trusted distribution of _source_; bootstrapping first, verified, local
compiler. That's basically a human and machine verified compiler with simple
code and signed zips. Knocks out Thompson attack as side effect and negates
reproducible build need except for debugging.

------
Animats
Now this is a case for sandboxing. A decompressor has one input file and one
output directory. It should not have the power to change any state outside
those files.

A key point here is that not all code needs to be secure. Some code just needs
to be kept in a box.
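
The box Animats describes, as an added example (not code from the thread or
from the 7-Zip project): a Python wrapper that runs an extractor under
bubblewrap with the host filesystem read-only, the archive bound read-only,
the output directory as the only writable path, and every namespace
unshared. It assumes a Linux host with `bwrap` installed and user namespaces
enabled; the default tool command uses 7-Zip's CLI syntax (`7z x -y -o<dir>
<archive>`), but any extractor argv can be passed in.

```python
"""Run an archive extractor inside a bubblewrap (bwrap) sandbox.

Added example, not code from the thread or from 7-Zip. Assumes a Linux host
with bubblewrap installed and unprivileged user namespaces enabled.
"""
import os
import shutil
import subprocess
from pathlib import Path

BOX_IN = "/tmp/input"    # where the archive appears inside the box (read-only)
BOX_OUT = "/tmp/out"     # where the output directory appears inside the box


def bwrap_argv(archive, out_dir, tool_argv=None):
    """Build the bwrap command line for one input file and one output dir.

    The host filesystem is visible read-only, /tmp is a private tmpfs, the
    archive is bound read-only and out_dir is the single writable host path.
    All namespaces are unshared, so a decoder bug that becomes code execution
    gets no network, cannot see or signal host processes, and can only write
    into out_dir.
    """
    archive = str(Path(archive).resolve())
    out_dir = str(Path(out_dir).resolve())
    if tool_argv is None:
        # 7-Zip CLI: extract with full paths, answer yes to prompts, output dir via -o
        tool_argv = ["7z", "x", "-y", f"-o{BOX_OUT}", BOX_IN]
    return [
        "bwrap",
        "--ro-bind", "/", "/",            # everything read-only by default
        "--dev", "/dev",                  # minimal /dev, no host device nodes
        "--proc", "/proc",
        "--tmpfs", "/tmp",                # private scratch; also hosts BOX_IN/BOX_OUT
        "--ro-bind", archive, BOX_IN,
        "--bind", out_dir, BOX_OUT,       # the only writable host path
        "--unshare-all",                  # fresh net/pid/ipc/uts/user namespaces
        "--die-with-parent",
        "--new-session",                  # detach from the caller's controlling tty
        "--clearenv",
        "--setenv", "PATH", "/usr/bin:/bin",
        "--chdir", BOX_OUT,
        *tool_argv,
    ]


def writable_host_paths(argv):
    """Return every host path the argv binds read-write (should be just out_dir)."""
    return [argv[i + 1] for i, a in enumerate(argv) if a == "--bind"]


def extract_boxed(archive, out_dir, tool_argv=None, timeout=120):
    """Create out_dir, run the extractor in the box, return the CompletedProcess.

    A timeout is applied because a crafted archive can also be a decompression
    bomb or an infinite loop; stdin is closed so nothing can be fed to the tool.
    """
    if shutil.which("bwrap") is None:
        raise RuntimeError("bubblewrap (bwrap) is not installed")
    os.makedirs(out_dir, exist_ok=True)
    return subprocess.run(bwrap_argv(archive, out_dir, tool_argv),
                          stdin=subprocess.DEVNULL, capture_output=True,
                          timeout=timeout)


if __name__ == "__main__":
    import sys
    result = extract_boxed(sys.argv[1], sys.argv[2])
    print(result.returncode, result.stderr.decode(errors="replace"))
```

The order of the options matters: `--tmpfs /tmp` comes before the two binds
so that bubblewrap can create their mount points on the writable tmpfs rather
than on the read-only root. Extracted files still come out of the box, as
the reply below notes; the sandbox only removes the decoder's ability to do
anything else.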

~~~
Splines
Even if it's in a box, you need to pull the thing you want back out of the
box. A malicious file could put a payload into the destination file.

~~~
tekklloneer
Yes, by containing the payload and decompressing it.

The difference is that by not sandboxing it, that malicious file could also
cause its payload to be executed in the permission scope of the decompressor.

------
hcs
The discovered vulnerabilities are in the 7-Zip application's UDF and HFS+
filesystem image support.

~~~
striking
I didn't even realize 7-Zip could open those.

~~~
infogulch
7-Zip is the VLC of file containers.

~~~
giancarlostoro
It is my default whenever I'm on Windows. Everyone loves to close the "trial"
window on software when there's usually a better open source alternative. The
hidden gem in 7-Zip is you can set file association, it's just not enabled by
default which makes it seem more complicated to newcomers than it really is.

~~~
nwah1
PeaZip is like a friendly version of 7zip, and uses the 7zip code. 7zip is not
very well maintained, whereas PeaZip has regular releases.

~~~
poizan42
> 7zip is not very well maintained, whereas PeaZip has regular releases.

16.00 2016-05-10

15.14 2015-12-31

15.12 2015-11-19

15.11 beta 2015-11-14

15.10 beta 2015-11-01

15.09 beta 2015-10-16

15.08 beta 2015-10-01

15.07 beta 2015-09-17

...

How is that not regular?

~~~
nwah1
Perhaps lately. Prior to this past November, the stable release advertised on
their site had been stuck on the same version for years, without even any
point releases. And they use SourceForge for hosting.

The code quality may be excellent, but it just seemed to me that they were not
too well organized, logistically, compared to other projects.

~~~
TeMPOraL
Why would they need regular releases? This is not a web startup, it's an
archive compression/decompression tool. It worked perfectly well 5 years ago.

~~~
giancarlostoro
I was wondering the same. Unless it involves a security issue being ignored for a
year or more, I don't see much of an issue with a lack of updates. I'd rather a
developer take their time to write their code vs. speed coding and publishing
new bugs left and right.

~~~
nwah1
I find it unlikely that there would be no memory leaks needing patching, no
important compiler updates, and no API-compatible dependency updates that
should've been applied to the stable release.

The Linux Kernel, Firefox, and lots of projects have some sort of Long Term
Service branch where simple uncontroversial improvements are added.

Modern best practices for releasing open source software are important, and a
project that doesn't seem aware of any of them makes me concerned about their
attention to detail.

------
mamurphy
I'm a tad confused. Say I had 7-zip installed - how would I be vulnerable?
Hacker Henry knows I use UDF or HFS+ filesystem, AND gets me to trust them and
download their maliciously compressed file, AND I extract it with 7-zip, which
is exploited by one of these vulnerabilities?

If Henry can do all that, why couldn't Henry just get me to trust them and
download a more robust malicious file in the first place without worry to what
type of filesystem and decompression software I use?

~~~
laumars
The vulnerability isn't to do with what file system you're running, it's to do
with using 7-zip to view the contents of archives in those file formats. Which
means if someone wanted to view a DVD ".iso" which used the UDF
specification, then they could be vulnerable if they use 7-zip.

I remember it used to be commonplace to open .iso files with WinRar back in
the 90s. I wouldn't be surprised if a sizeable number of people now use 7-zip
similarly.

~~~
paulfr
I just did some testing and it's even worse than that: 7-zip completely
ignores the file extension and snoops the file format based on the file
contents only.

So simply opening a malicious ".zip" file on Windows could trigger the HFS+
vulnerability. Using 7-zip to open any file means you have a HUGE attack
surface.

EDIT: One simple way to mitigate this issue would be to just throw a
confirmation prompt if the file extension matches a known format but 7-zip is
about to run a decoder for a different format.
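
The mitigation proposed in the comment above, as an added example (not
7-Zip's code): sniff the container format from the bytes alone, the way a
content-based opener selects its decoder, then compare it with what the
extension claims and ask for confirmation before decoding when they
disagree. The magic values and offsets are the standard ones for ZIP, 7z,
RAR, gzip, UDIF (.dmg), ISO 9660/UDF and HFS+; the extension table and the
sample inputs at the bottom are constructed for this example and 7-Zip's own
detection heuristics are not reproduced.

```python
"""Extension-versus-content check for an archive opener.

Added example, not 7-Zip's code. Magic values and offsets are the standard
ones for each format; EXT_FORMAT and SAMPLES are constructed for the example.
"""
import io
import os
import zipfile

# What a given extension claims to be (hypothetical table for this example).
EXT_FORMAT = {
    ".zip": "zip", ".7z": "7z", ".rar": "rar", ".gz": "gzip", ".tgz": "gzip",
    ".iso": "iso/udf", ".dmg": "dmg", ".hfs": "hfs+",
}

SECTOR = 2048            # ISO 9660 / UDF logical sector size
VRS_START = 16 * SECTOR  # volume descriptors begin at sector 16


def sniff_format(data: bytes) -> str:
    """Identify the container from its bytes alone, ignoring the file name."""
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):     # local header / empty EOCD
        return "zip"
    if data[:6] == b"7z\xbc\xaf\x27\x1c":
        return "7z"
    if data[:7] == b"Rar!\x1a\x07\x00" or data[:8] == b"Rar!\x1a\x07\x01\x00":
        return "rar"
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    # HFS+/HFSX volume header sits at byte 1024, signature "H+" or "HX".
    if data[1024:1026] in (b"H+", b"HX"):
        return "hfs+"
    # UDIF disk images end with a 512-byte "koly" trailer.
    if len(data) >= 512 and data[-512:-508] == b"koly":
        return "dmg"
    # ISO 9660 ("CD001") and UDF recognition descriptors ("BEA01", "NSR02",
    # "NSR03") each occupy one sector from sector 16 onward; "TEA01" ends the
    # sequence. Scan a bounded number of sectors only.
    for off in range(VRS_START, min(len(data), VRS_START + 32 * SECTOR), SECTOR):
        ident = data[off + 1:off + 6]
        if ident in (b"CD001", b"BEA01", b"NSR02", b"NSR03"):
            return "iso/udf"
        if ident == b"TEA01":
            break
    return "unknown"


def decide(filename: str, data: bytes) -> tuple:
    """Return (verdict, declared, actual).

    verdict is "open" when the extension and the content agree or the
    extension makes no claim, and "confirm" when they disagree: the caller
    should prompt before handing the bytes to the decoder the sniffer chose.
    """
    ext = os.path.splitext(filename.lower())[1]
    declared = EXT_FORMAT.get(ext, "none")
    actual = sniff_format(data)
    if declared == "none" or declared == actual:
        return ("open", declared, actual)
    return ("confirm", declared, actual)


# --- constructed sample inputs (stubs, not real archives) -----------------
def _real_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
    return buf.getvalue()

SAMPLES = {
    "report.zip": _real_zip(),                                        # honest zip
    "invoice.zip": bytes(1024) + b"H+" + bytes(510),                  # HFS+ stub named .zip
    "disc.iso": bytes(VRS_START) + b"\x00BEA01" + bytes(SECTOR - 6),  # UDF stub
    "notes.txt": bytes(1024) + b"H+" + bytes(510),                    # no format claim
}


def audit_samples():
    """Run the check over every sample; returns {name: verdict}."""
    return {name: decide(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:12} -> {verdict}  {decide(name, SAMPLES[name])[1:]}")
```

The decision is made before any format-specific decoder touches the data,
which is the point of the proposal: a ".zip" that sniffs as an HFS+ image
gets a prompt, while a file with an extension that makes no claim is opened
as whatever it sniffs as.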

~~~
colejohnson66
IIRC, 7-zip does tell you if the actual format is different. At least it does
when I extract some DMGs; it tells me it's actually an HFS "file".

~~~
paulfr
Not on Windows, at least. The properties dialog can tell you it uses HFS+ if
you ask for it, but it's too late because the HFS+ code has already been
executed.

~~~
colejohnson66
I meant when right clicking the archive and choosing "Extract to..." or
something using Explorer's context menu.

~~~
paulfr
Interesting, it does display a warning in this case! But it doesn't interrupt
extraction so if it's a malicious file the code will still execute.

------
dewyatt
I always found it strange that 7-zip appears to be developed by a single
individual, despite being very popular.

I know the fact that this lone developer apparently resides in Russia has
caused 7-zip to be outright banned in certain places.

~~~
jszymborski
> I know the fact that this lone developer apparently resides in Russia has
> caused 7-zip to be outright banned in certain places.

That's a particularly ignorant approach, especially considering the whole
thing is open-source and auditable.

~~~
dewyatt
_> ignorant_

That's my tax dollars at work. :)

------
ck2
Darn 16.0 upgrade insisted on rebooting my Windows.

Should not be necessary in 2016

~~~
abcd_f
Explorer integration is a finicky business.

One huge tangle of dependencies, most of which concealed by COM abstractions.
Even if you kill explorer.exe, something somewhere may end up holding a
reference to your binary with a reboot being the only way around it.

------
cloudjacker
collective yawn

