Late last year, landave, a self-described “Computer Science student enjoying cryptography, reverse engineering, and other information security topics,” discovered two startling security holes in 7-Zip, a free zip program I’ve recommended for years.
Bottom line: If you haven’t updated 7-Zip in the past few days, get off your tail and do it now.
The bugs are subtle and, as best as I can tell, have never been leveraged in the wild. But that’s going to change as landave’s analysis reaches the mainstream.
Both bugs are memory-corruption flaws triggered by opening or extracting a crafted archive: one in 7-Zip's RAR handling, and a heap buffer overflow in the decoder for the ZIP "shrink" compression method. They are made worse by the fact that the Windows builds of 7-Zip shipped without ASLR and DEP enabled, which removes the usual obstacles to turning a heap overflow into code execution. Landave requested and received a CVE identifier from MITRE for the latter: CVE-2017-17969.
There’s been a lot of back and forth about the bugs, but the upshot is that 7-Zip’s creator, Igor Pavlov, released a new version of 7-Zip, version 18.01, on Jan. 28. That’s the version you need.
If you use 7-Zip, you can see which version you’re running by starting 7-Zip and clicking on Help > About 7-Zip. If you have a version prior to 18.01, get the new one. Now.
Updating 7-Zip couldn’t be simpler.
Step 1. Go to the official 7-Zip page and click the link to download either the 32-bit or 64-bit version.
Step 2. Right-click on the 7z1801-x64.exe file (7z1801.exe for the 32-bit build), and choose Run as administrator. If you get a "Windows protected your PC" message from SmartScreen, mutter an appropriate epithet, click the link for "More information," then click "Run anyway."
Step 3. Click yes on the User Account Control prompt, choose a destination folder, let the installer run, and reboot your computer.
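If you manage more than one PC, clicking through Help > About on each is tedious. The script below is an added example, not part of the original post and not code from 7-Zip itself: it reads the version from 7z.exe in both Program Files roots, reports any extra copies of 7z.dll that other programs bundle (the 7-Zip installer does not update those), and, if the main install is older than 18.01, downloads and silently installs the fix. The download URL follows 7-zip.org's naming convention and is an assumption; the /S silent-install switch is the one documented in the 7-Zip FAQ. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the AskWoody post or from 7-Zip itself): check the installed
# 7-Zip version against the fixed release and, if needed, install the fix silently.
# Assumptions: the download URL follows 7-zip.org's naming convention; /S is the
# installer's silent switch as documented in the 7-Zip FAQ.

$Fixed     = [version]'18.01'                           # first stable release with the fix
$Installer = 'https://www.7-zip.org/a/7z1801-x64.exe'    # assumed URL for the 64-bit build

function Get-7ZipVersions {
    # Main executable in each Program Files root, plus any 7z.dll copies other programs
    # bundle. Those bundled copies are not touched by the official installer.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $found = @()
    foreach ($root in $roots) {
        $exe = Join-Path $root '7-Zip\7z.exe'
        if (Test-Path $exe) {
            $found += [pscustomobject]@{
                Path    = $exe
                Version = (Get-Item $exe).VersionInfo.ProductVersion
            }
        }
        Get-ChildItem -Path $root -Recurse -Filter '7z.dll' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $found += [pscustomobject]@{
                    Path    = $_.FullName
                    Version = $_.VersionInfo.ProductVersion
                }
            }
    }
    return $found
}

function Test-7ZipPatched {
    param([string]$VersionString)
    # 7-Zip ProductVersion strings look like "9.20", "16.04", "18.01"; [version] parses them.
    $v = $null
    if (-not [version]::TryParse($VersionString, [ref]$v)) {
        return $false    # unparseable version: treat as unpatched rather than guess
    }
    return $v -ge $Fixed
}

$installs = Get-7ZipVersions
if (-not $installs) { Write-Host '7-Zip not found; nothing to do.'; return }

$needsUpdate = $false
foreach ($i in $installs) {
    $ok = Test-7ZipPatched $i.Version
    $status = if ($ok) { 'OK' } else { 'UPDATE' }
    Write-Host ('{0,-8} {1,-7} {2}' -f $status, $i.Version, $i.Path)
    # Only the main install is replaced by the official installer; bundled DLLs are
    # reported so you can chase the vendor of whatever shipped them.
    if (-not $ok -and $i.Path -like '*\7-Zip\7z.exe') { $needsUpdate = $true }
}

if ($needsUpdate) {
    $tmp = Join-Path $env:TEMP (Split-Path $Installer -Leaf)
    Invoke-WebRequest -Uri $Installer -OutFile $tmp
    # /S = silent install (7-Zip FAQ). Requires an elevated session; the existing
    # install is replaced in place, so re-run the script afterwards to confirm.
    Start-Process -FilePath $tmp -ArgumentList '/S' -Wait -Verb RunAs
}
```

The version comparison deliberately fails closed: a 7z.exe whose version string does not parse is reported as needing an update rather than being skipped. The scan for stray 7z.dll copies is the part the GUI check cannot tell you; a vulnerable DLL inside another application is only a problem if that application feeds it untrusted archives, but you want to know it is there.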
7-Zip has a lot of good features. Don’t let it bite you.
Thx to Günter Born
(P.S. Not sure where landave goes to school, but he just published a PhD-worthy dissertation.)