
Tech News 7 zip is being exploited

7 zip has active exploits, one fix is to delete the help files .chm.
 

Uncle Mac

Do you have more from source to back this up???? Concrete Proof Bro..
 

Sharrow

Proof? I'm with Mac on this... source?
 

ibm650

I did not post the site as I thought it was not allowed
 

L3GI0N5

@TheMacGyver @Sharrow https://www.reviewgeek.com/115336/new-7-zip-archiver-hack-reveals-a-long-ignored-windows-vulnerability/

But maybe we should wait until 7zip posts this issue themselves
 

Uncle Mac

Yes but you can copy and paste all material for the source and just leave out the Links...
 

juanamm

I did not post the site as I thought it was not allowed
As Mac said, the news is always complete and citing the source at the end.
To post outside links to cite source use ICODE tag and you won't have any problems. :)
 

fulloes

Hackers with local or remote access to your computer

At that point I think 7zip is the least of your concerns.

And...

I should note that a similar problem , another archiving tool.
 

Cyler

Just to make things clear in a simple and non-technical way.

The issue is not directly with 7zip but rather that it uses a REALLY old (Windows XP) system when we press F1 for help. It's called CHM files and it stands for Compiled (or Compressed) HTML. In short, it's an HTML viewer that sadly has JavaScript fully enabled and runs locally.

Why can that be an issue?
Because someone can craft a specific file that can enable JavaScript to do "bad" things such as open a command prompt when they should not. Note here that in order for the command prompt to be elevated, 7zip must run as administrator. If you are an IT... that's a big NO-NO :p

Who does it affect?
For sure, not most of us. For the time being someone must actually use our PC (has physical access) and I don't think that even with an automated script it can really become hidden.
It does affect though the IT of various companies that often have restrictions on their PCs (such as no command prompt) as it serves as a way to bypass the said restrictions.
For example, if said PCs have 7zip, one can run a specially crafted compressed file, and they can get a command prompt.

Is it a risk?
Not really. If a dedicated person with knowledge has physical access... you are doomed anyway and he would not use this trick as there are a lot better ones. :p Please keep in mind that in Windows 10 now, in order to open a CHM file, you actually need to unblock it first.

[Image: QULiYQ.jpg]


Solution:
* If you’re worried about this vulnerability, you can simply delete 7zip.chm. It should be under C:\Program Files\7-Zip or C:\Program Files (x86)\7-Zip, depending on whether you use the 64-bit or 32-bit version. Block 7zip updates
* If you are an IT and have a network of PCs... simply set the 7-zip program to only have read and run permissions for all users.
* Remove 7zip and install an app that doesn't use the CHM help system.

Conclusion:
* If you are an IT that is extremely concerned or you like wearing tinfoil hats maybe you should look out for it. For those who do like tinfoil hats, you should remember that ANY software that uses the same Help Subsystem can become equally an issue.
* If you are a person that follows logic and reason, don't worry about it.
* Some websites will use anything to make you click with scary titles.

Hope it helped.
 

Mr. Edward

@Cyler Best Explained !! thanks for the info buddy
 

Toadiller

Quite frankly, I cannot see the need for JavaScript to be in CHM either. I mean what, it doesn’t need stuff like jQuery, right? (because what kind of documentation file needs to send server side requests). In all honesty, Microsoft shot themselves in the foot making that available in their CHM API/SDK, and I blame Microsoft primarily.
Hmm, now what useless feature does that remind me of — oh yes
[Image: QULVlj.png]

(That's my ipod btw, was typing that on a phone :rock: )
Anyway, just wanted to state my thoughts on the matter. :)
 

Cyler

Quite frankly, I cannot see the need for javascript to be in CHM either. I mean what, it doesn’t need stuff like jquery, right? (because what kind of documentation file needs to send server side requests). In all honesty, Microsoft shot themselves in the foot making that available in their CHM API/SDK, and I blame microsoft primarily.
Hmm, now what useless feature does that remind me of — oh yes

We need to remember that CHM etc. was done 20+ years ago, in the XP era when computers, security, and networks/internet were in a different place. Back then it was probably the only way to help developers create interactive help for their programs. It's easy to blame the "big guy" and MS has a share of the blame, but one has to wonder... Why does an often used app with many updates still use a help subsystem from 20+ years ago that even Windows actually deprecated and blocked???

And we always need to remember, that it's not the tool to blame but the use of it. A knife can be used to save a life and to take a life. Is the knife good or bad? Food for thought.
 

Sharrow

Perfectly explained Cyler Thanks. :)

And to ibm650 Also thanks for bringing this to my attention. Although I'm not that worried about it like Cyler

Thank you everybody for the info and dialogue.. :)
 

DGrigorescu

90% (more) of people don't use an archiver for other purposes than opening files. Don't care about help files or other things.
 

SiteWizard

This is what I have found on this one :)

Filed under CVE-2022-29072, the vulnerability is using the included 7-Zip Help file, 7-zip.chm, for the exploit. Attackers need to drag and drop files with the 7z extension on to the Help > Contents area in the 7-Zip interface.

Vulnerability details have been published on GitHub. The page provides technical information and a short demonstration video of the exploit.


It is unclear if and when 7-Zip will address the issue. The last update of the application dates back to the release of 7-Zip in December 2021.

Users of the application may use the following workaround to mitigate the vulnerability on their devices. Since it is using the included Help file, one way of dealing with the issue is to delete the Help file.

  1. Open the 7-Zip installation directory or folder on the system. On Windows, these are usually C:\Program Files\7-Zip or C:\Program Files (x86)\7-Zip, depending on whether the 64-bit or the 32-bit version of the application has been installed.
  2. Locate the file 7-Zip.chm; this is the help file. You can open it directly to display its content.
  3. Hit the delete button on the keyboard or right-click on the file and select the Delete context menu option, to remove it from the system.
  4. You may get a prompt, File Access Denied. If that is the case, select Continue.
The file is moved to the recycle bin of the operating system by default. 7-Zip functionality is not reduced when you delete the help file. The Help file won't open anymore after the deletion, when you select Help > Contents in the 7-Zip File Manager or press the F1-key on the keyboard.
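
An added example, not part of SiteWizard's post, the quoted article or the 7-Zip project: a PowerShell function that performs the workaround described in this thread (find the CHM help file in the 7-Zip install folder and optionally delete it) and also reports whether anyone other than administrators can write to it, which is the permissions point from Cyler's post. The function name `Get-SevenZipHelpFile` and its parameters are hypothetical; the two paths are the default locations named in the thread.

```powershell
# Added example, not from the thread. Function and parameter names are hypothetical.
function Get-SevenZipHelpFile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumption: the default install paths named in the thread
        [string[]]$InstallDir = @("$env:ProgramFiles\7-Zip", "${env:ProgramFiles(x86)}\7-Zip"),
        [switch]$Remove   # delete what is found; needs an elevated session
    )
    # Rights that would let a principal replace or delete the help file
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    # Expected writers: SYSTEM, BUILTIN\Administrators, service SIDs such as TrustedInstaller
    $trusted = '^S-1-5-(18$|32-544$|80-)'
    $sidType = [System.Security.Principal.SecurityIdentifier]

    $dirs = $InstallDir | Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) }
    foreach ($dir in $dirs) {
        # The thread spells the file both 7zip.chm and 7-zip.chm, so match any .chm
        foreach ($file in Get-ChildItem -LiteralPath $dir -Filter '*.chm' -File) {
            $rules = (Get-Acl -LiteralPath $file.FullName).GetAccessRules($true, $true, $sidType)
            $writers = @($rules | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
                    $_.IdentityReference.Value -notmatch $trusted
                } | ForEach-Object { $_.IdentityReference.Value })

            # A Zone.Identifier stream means Windows treats the file as downloaded (blocked)
            $motw = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue

            $removed = $false
            if ($Remove -and $PSCmdlet.ShouldProcess($file.FullName, 'Delete CHM help file')) {
                Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
                $removed = $true
            }
            [pscustomobject]@{
                Path            = $file.FullName
                LastWriteTime   = $file.LastWriteTime
                NonAdminWriters = $writers -join ', '
                Blocked         = [bool]$motw
                Removed         = $removed
            }
        }
    }
}

Get-SevenZipHelpFile                     # report only
# Get-SevenZipHelpFile -Remove -WhatIf   # preview the deletion from an elevated prompt
```

An empty `NonAdminWriters` column means only the expected system principals can modify the file. Re-run the report after a 7-Zip update or reinstall, since the installer can put the help file back.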
 

Wichestery2k

Do you have more from source to back this up???? Concrete Proof Bro..
I properly posted the article here
 

SiteWizard

I properly posted the article here
In the meantime our friend and Super Admin knows and has seen the proof ^^...
 