General :  K-Meleon Web Browser Forum
7-Zip ver 15 flawed. Move to ver 16
Posted by: JamesD
Date: May 12, 2016 01:36PM

There is a security flaw in 7-Zip 15. Info here:
http://www.theregister.co.uk/2016/05/12/popular_zip_tool_7zip_pwned_pain_flows_to_top_security_software_tools/

Get the version 16 here: http://www.7-zip.org/



Edited 1 time(s). Last edit at 05/20/2016 11:57AM by JamesD.

Re: Z-Zip ver 15 flawed. Move to ver 16
Posted by: anontemp123
Date: May 14, 2016 04:39AM

It doesn't seem like this affects regular everyday users using 7-zip to decompress archives. Is this something that could affect servers?

Re: Z-Zip ver 15 flawed. Move to ver 16
Posted by: gordon451
Date: May 15, 2016 12:00AM

It's a bit like leaving your you-beaut safe unlocked inside your well-fortified house. In itself, not a problem... until someone breaks into the house. Yes, the vulnerability will affect the average user, even those who do not normally work in Admin. Those who do work in Admin are especially at risk.

And yes it would affect servers. But then nobody uses servers for desk work, do they?

Gordon.

____________________
Understanding the scope of the problem is the first step on the path to true panic. [Florence Ambrose, "Freefall" 01372 January 22, 2007 http://freefall.purrsia.com/ff1400/fv01372.htm]

Re: Z-Zip ver 15 flawed. Move to ver 16
Posted by: anontemp123
Date: May 16, 2016 04:56AM

Could you kindly provide an example how the vulnerability could affect average non-Admin users?

Re: Z-Zip ver 15 flawed. Move to ver 16
Posted by: gordon451
Date: May 16, 2016 01:24PM

Assume you're in a User account, but using MalwareBytes, which uses 7-Zip. MB must have significant permissions, usually beyond those required by you in your normal work. An attacker can now use those (MB) permissions for his own purposes, which might well include resetting a login password (cheap!) or even altering something like Su-Run or CryptoPrevent settings (much more useful).

Obviously, one may expect such an attacker to have gained access through your WLAN by exploiting less-than-strong security measures in the router. Thus provided your WPA2 is provided with high-density long security strings, and the router password is of similar strength, you should be reasonably safe.

"High density" would be the use of {UC,lc,Num} or {UC,lc,Num,Printable} character sets, and "long" would be 11+ characters. In particular, the pre-shared key should be at least 17 characters. Additionally, I consider the use of Ctrl-Alt-Del to be mandatory for user-switching and initial log-on since it cannot be spoofed by any known malware or exploit.

Gordon.

____________________
Understanding the scope of the problem is the first step on the path to true panic. [Florence Ambrose, "Freefall" 01372 January 22, 2007 http://freefall.purrsia.com/ff1400/fv01372.htm]

Re: 7-Zip ver 15 flawed. Move to ver 16
Posted by: JohnHell
Date: May 16, 2016 02:22PM

The bug is a bug, but it isn't critical.

It only affects when the file is placed in a UDF file system, which is used, normally, only with optical media (CD/DVD/Blu-ray).

True is that distributed optical media images (ISO, CCD, CUE-BIN, MDF) can be opened by 7-zip. But not all are in UDF.

But, really, the chances to distribute malware through a crafted image in UDF, expecting to be opened by 7-zip, aren't likely to happen. Might happen with, for example, pirated games, but I don't see people using 7-zip to manage them, but with image CD burners.

Better to fix the bug than nothing, but it isn't something to get alarmed about.



Edited 1 time(s). Last edit at 05/19/2016 02:46PM by JohnHell.

Re: Z-Zip ver 15 flawed. Move to ver 16
Posted by: anontemp123
Date: May 16, 2016 10:13PM

Gordon, thanks for the response. I want you to know that I'm not arguing, just learning. So in this scenario, you are proposing a man-in-the-middle attack, correct? If MalwareBytes signs their updates, then this attack wouldn't be possible, right? Does MalwareBytes use the UDF format for its updates?

Also, how can you force CTRL-ALT-DEL for user switching/logon? Do you mean to disable Fast User Switching?

Re: 7-Zip ver 15 flawed. Move to ver 16
Posted by: JohnHell
Date: May 16, 2016 11:55PM

UDF is not a file format, but a file system. The file system is where files are stored.

Under Windows, unless on optical media, it is very unlikely to see that file system being used. Usually NTFS nowadays.

UDF may be more common under Linux/Unix environments and even.... no.


So, answering the question, MalwareBytes won't be distributing files under UDF file system. The updates will be dropped to the OS host file system, this is, usually, NTFS.

EDIT

I read the full description of the exploit and, "the most dangerous", it could affect Mac OS, as the vulnerability affects the HFS+ file system too.

It is rarely used/being accessed in Windows, anyway. MAC users could have problems, anyway, of course.



Edited 2 time(s). Last edit at 05/19/2016 02:45PM by JohnHell.

Re: Z-Zip ver 15 flawed. Move to ver 16
Posted by: gordon451
Date: May 17, 2016 09:50AM

Quote
anontemp123
... you are proposing a man-in-the-middle attack, correct? If MalwareBytes signs their updates, then this attack wouldn't be possible, right? Does MalwareBytes use the UDF format for its updates?

Also, how can you force CTRL-ALT-DEL for user switching/logon? Do you mean to disable Fast User Switching?

Yes, it would be a MitM attack. Outside of trojans and viruses, this is the most feasible attack, and of course malware in itself is totally vulnerable to any up-to-date AV. MitM is not feasible if you're not using the WLAN, that is, not talking to a wireless connection.

In terms of infection, whichever app is using 7-Zip need not be itself corrupted. It would be 7-Zip that is the problem, and any certificates or updates that (for this example) MB has would not be of any importance if your (or MB's) install of 7-Zip has not been upgraded to the latest version which eliminates the bug. MB probably has 7-Zip bundled in, so upgrading it is a Very Good Idea, as also is your personal upgrade to the latest version of 7-Zip.

I agree with JohnHell. The risk is not great, but the upgrade is worth doing anyway just for better features.

No, just enable Secure Logon. User Switching then becomes less fast :( Irritating, yes. But security is a trade-off between convenience and safety. Think "crossing the street away from a zebra-crossing or traffic lights".

Gordon.

Edit: correct basic mistake.

____________________
Understanding the scope of the problem is the first step on the path to true panic. [Florence Ambrose, "Freefall" 01372 January 22, 2007 http://freefall.purrsia.com/ff1400/fv01372.htm]



Edited 1 time(s). Last edit at 05/17/2016 09:55AM by gordon451.

Re: Z-Zip ver 15 flawed. Move to ver 16
Posted by: anontemp123
Date: May 19, 2016 04:29AM

I misunderstood the exploit. I thought 7-Zip could be used to extract files from a UDF image. So someone could craft a malicious UDF image to trigger the exploit.

In my erroneous thinking, a man-in-the-middle attack would involve MalwareBytes' update request being intercepted and fed such a malicious UDF image -- let's call it UPDATE.UDF. When MalwareBytes would execute its equivalent of "7z x UPDATE.UDF", the attack would occur.

I was commenting that MalwareBytes most likely will check UPDATE.UDF against a public key *before* passing it to 7-Zip, and since that check would fail, even a man-in-the-middle wouldn't work.

I was trying to figure out where exactly my logic is wrong, but I need to rethink what's going on since the exploit is specific to the target filesystem where the files are extracted. Right now, I can't even understand what sort of code would contain vulnerabilities depending on the target filesystems, since file I/O is usually handled by standard libraries.



Edited 1 time(s). Last edit at 05/19/2016 04:29AM by anontemp123.

Re: Z-Zip ver 15 flawed. Move to ver 16
Posted by: gordon451
Date: May 19, 2016 01:00PM

As JohnHell correctly points out, the primary usage of UDF is in optical media file systems; it was designed for that purpose. All current versions of Windows understand UDF.

Read the Talos report, which explains the problem in tedious detail. The key words are "arbitrary code execution". Where the code comes from is another problem, but it could well be in the extracted file. The object could be to impose a weakness into the WLAN security, so making a MitM attack easier. OTOH, it could be to run an old virus like "Stoned", or simply switch your monitor off, just to annoy you.

Now the weakness in the exploit is getting somebody to insert a doctored CD or DVD into the slot, then extract a file from the 7z archive. I suspect an attacker would not be targeting a specific machine, but more likely wanting a "cloud" of likely machines to be sampled from time to time. And we are looking at portable machines which would normally be using built-in WiFi rather than desktops which are normally wired to the router and not exposed to the WLAN.

You would not need to explicitly extract the file from the archive. An AV would do that automatically as part of its job, and be the unwitting agent of destruction.

I agree with JohnHell that the bug is not critical. In a standard Risk Assessment, given the probability of a high level of damage from a low rate of occurrence, I would run with a residual of Medium. This is because the skill set required would be somewhat above script-kiddy level and the pay-off would be long-term rather than instant gratification; if you don't normally stuff new games or software collections from unknown publishers into your optical reader slot, you most likely won't ever be hit. This alone makes pirated software a risk to avoid :cool:

Gordon.

____________________
Understanding the scope of the problem is the first step on the path to true panic. [Florence Ambrose, "Freefall" 01372 January 22, 2007 http://freefall.purrsia.com/ff1400/fv01372.htm]



Edited 1 time(s). Last edit at 05/19/2016 01:00PM by gordon451.

Re: 7-Zip ver 15 flawed. Move to ver 16
Posted by: JohnHell
Date: May 19, 2016 02:45PM

Sorry for the following OFF-TOPIC.

@JamesD, browsing through mobile today I noticed the subject of this thread is wrong, as you wrote Z-zip instead of 7-zip.

:D

You, Guenter or Dorian, change it from:
Z-Zip ver 15 flawed. Move to ver 16
to:
7-Zip ver 15 flawed. Move to ver 16

It's funny how eyes trick us and I didn't notice it till today and in a tiny screen hehe.

Re: 7-Zip ver 15 flawed. Move to ver 16
Posted by: JamesD
Date: May 20, 2016 12:02PM

JohnHell

Thanks for catching the typo. Between age, eyesight, and some health issues, I am having problems with my ideas and expressing the ones I can remember.

Re: 7-Zip ver 15 flawed. Move to ver 16
Posted by: siria
Date: May 20, 2016 06:06PM

Quote
JohnHell
It's funny how eyes trick us and I didn't notice it till today and in a tiny screen hehe.

Hehe, yep, cool!! Usually typos downright jump at me, and it took years of internet reading to finally reduce that annoying reflex. But now I have read that headline twenty times too and never noticed a thing, and probably wouldn't have ever! Yep, funny tricks :D

Re: 7-Zip ver 15 flawed. Move to ver 16
Posted by: anontemp123
Date: May 21, 2016 03:37AM

@Gordon

I read the Talos report. From what I can tell, this vulnerability has nothing to do with the filesystem being read from or written to. A maliciously crafted UDF image (call it FILE.UDF) fed to 7-Zip can exploit the vulnerability by running arbitrary code.

7z x FILE.UDF

Note, the file extension is arbitrary as far as 7-Zip is concerned. 7-Zip will check itself to see what type of archive is being extracted. So even if you rename FILE.UDF to FILE.7z, it doesn't matter as long as the file is actually a (maliciously crafted) UDF image.

7z x FILE.7z

As far as MalwareBytes, if they don't sign their updates (and that's a big if), then you could sneak in a malicious update file via a man-in-the-middle attack.

But the more likely scenario is something like this: The K-Meleon wiki is spam-friendly. I edit the wiki with a download link that actually downloads a malicious UDF image I have renamed K-Meleon75.1.7z. Someone gets tricked into downloading that file. When they go to extract it, my "arbitrary code" deletes all instances of Google Chrome from their user account.

It doesn't matter if the user's filesystem is FAT, NTFS, HPFS, etc. The exploit will still work.



Edited 1 time(s). Last edit at 05/21/2016 03:39AM by anontemp123.

Re: 7-Zip ver 15 flawed. Move to ver 16
Posted by: JamesD
Date: May 21, 2016 12:29PM

I don't really care how the problem works. I just don't want to take a chance that I could facilitate a bad outcome in some way.

I have just upgraded my 7-Zip again. This time to version 16.01.

Re: 7-Zip ver 15 flawed. Move to ver 16
Posted by: JohnHell
Date: May 21, 2016 04:50PM

You are contradicting yourself, as that file containing an image file has a file system format in UDF, so, yes, the file system is important.

It is also true that an image file could be renamed. And here we could discuss why the ***** programs don't warn or refuse to open when opening files with a mismatched extension.

In my system I have only a couple of programs that don't behave this way when importing files with a mismatched extension. One is a graphics program.

So, we could ask, what is the vector: opening files with mismatched extensions, or the crafted file table of UDF and HFS+?
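The two posts above turn on the same point: an archiver identifies the container by its content, not by the file name, so a renamed image still reaches the image parser. The script below is an added example (not code from the thread, from 7-Zip, or from MalwareBytes) of the kind of pre-check JohnHell is asking for: it sniffs the real container type from the on-disk signatures (7z and ZIP magic at offset 0, the HFS+ "H+" signature at offset 1024, and the ISO 9660/UDF volume recognition sequence at sector 16) and reports when that type disagrees with the extension, so a file can be quarantined or logged before it is handed to an extractor. The sample images are constructed inline and are only large enough to carry those signatures; the extension table and the `sniff_container`/`extension_mismatch` names are assumptions for this example. Such a gate reduces exposure to renamed images but does not fix the parser; upgrading 7-Zip does.

```python
"""Sniff an archive's real container type and flag extension/content mismatches.

Added example for this thread; offsets come from the ISO 9660 / ECMA-167 (UDF)
and HFS+ on-disk layouts, signatures from the 7z and ZIP formats.
"""
import os
from typing import Iterator, Optional

SECTOR = 2048
VRS_OFFSET = 16 * SECTOR          # volume recognition sequence starts at sector 16
HFSPLUS_HEADER_OFFSET = 1024      # HFS+ volume header lives in the second 512-byte block
SNIFF_BYTES = VRS_OFFSET + 8 * SECTOR  # enough to cover the first 8 descriptors

SIG_7Z = b"7z\xbc\xaf\x27\x1c"
SIG_ZIP = b"PK\x03\x04"

# Extension -> container types a defender would accept for it (example policy).
EXPECTED = {
    ".7z": {"7z"},
    ".zip": {"zip"},
    ".udf": {"udf"},
    ".iso": {"iso9660", "udf"},
    ".dmg": {"hfsplus"},
}


def _volume_descriptor_ids(data: bytes, max_descriptors: int = 8) -> Iterator[bytes]:
    """Yield the 5-byte identifier of each volume structure descriptor in the VRS."""
    for i in range(max_descriptors):
        off = VRS_OFFSET + i * SECTOR
        if off + 6 > len(data):
            return
        yield data[off + 1:off + 6]   # byte 0 is the descriptor type, bytes 1..5 the id


def sniff_container(data: bytes) -> str:
    """Return '7z', 'zip', 'hfsplus', 'udf', 'iso9660' or 'unknown' from the head of a file."""
    if data.startswith(SIG_7Z):
        return "7z"
    if data.startswith(SIG_ZIP):
        return "zip"
    hdr = data[HFSPLUS_HEADER_OFFSET:HFSPLUS_HEADER_OFFSET + 2]
    if hdr in (b"H+", b"HX"):     # HFS+ and case-sensitive HFSX
        return "hfsplus"
    ids = list(_volume_descriptor_ids(data))
    if any(i in (b"NSR02", b"NSR03") for i in ids):   # UDF 1.02 / 2.x
        return "udf"
    if b"CD001" in ids:
        return "iso9660"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> Optional[str]:
    """Return a warning string if the sniffed type is not acceptable for the extension."""
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff_container(data)
    allowed = EXPECTED.get(ext)
    if allowed is None or actual in allowed:
        return None
    return f"{filename}: extension {ext!r} but content looks like {actual}"


def check_file(path: str) -> Optional[str]:
    """Read only the head of a file on disk and apply the mismatch check."""
    with open(path, "rb") as fh:
        return extension_mismatch(os.path.basename(path), fh.read(SNIFF_BYTES))


# --- constructed sample inputs (not real archives or images) ---------------

def _descriptor(ident: bytes, dtype: int = 0) -> bytes:
    return (bytes([dtype]) + ident).ljust(SECTOR, b"\x00")


def fake_udf_image() -> bytes:
    """Empty space up to sector 16, then BEA01 / NSR02 / TEA01 descriptors."""
    return (b"\x00" * VRS_OFFSET + _descriptor(b"BEA01")
            + _descriptor(b"NSR02") + _descriptor(b"TEA01"))


def fake_hfsplus_image() -> bytes:
    return b"\x00" * HFSPLUS_HEADER_OFFSET + b"H+" + b"\x00\x04" + b"\x00" * 508


def fake_7z_archive() -> bytes:
    return SIG_7Z + b"\x00\x04" + b"\x00" * 24


if __name__ == "__main__":
    samples = {
        "K-Meleon75.1.7z": fake_udf_image(),   # renamed image, as in the thread
        "update.7z": fake_7z_archive(),
        "disc.iso": fake_udf_image(),
        "volume.dmg": fake_hfsplus_image(),
    }
    for name, blob in samples.items():
        print(name, "->", sniff_container(blob), "|", extension_mismatch(name, blob) or "ok")
```

`check_file` reads only the first 48 KiB, which is all the signatures above need, so the check is cheap enough to run on every download before an extractor or an AV's archive scanner touches it.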



Re: 7-Zip ver 15 flawed. Move to ver 16
Posted by: 4td8s
Date: June 09, 2016 04:42AM

7-zip updated to version 16.02
