7-Zip has active exploits; one fix is to delete the .chm help files.
https://www.reviewgeek.com/115336/new-7-zip-archiver-hack-reveals-a-long-ignored-windows-vulnerability/
As Mac said, the news is always complete and citing the source at the end.
I did not post the site as I thought it was not allowed.
Hackers with local or remote access to your computer
I should note that a similar problem [link hidden], another archiving tool.
Anyway, just wanted to state my thoughts on the matter.
Just to make things clear in a simple and non-technical way.
The issue is not directly with 7zip but rather that it uses a REALLY old (Windows XP) system when we press F1 for help. It's called CHM files and it stands for Compiled (or Compressed) HTML. In short, it's an HTML viewer that sadly has JavaScript fully enabled and runs locally.
Why can that be an issue?
Because someone can craft a specific file that can enable JavaScript to do "bad" things such as open a command prompt when they should not. Note here that in order for the command prompt to be elevated, 7zip must run as administrator. If you are an IT... that's a big NO-NO.
Who does it affect?
For sure, not most of us. For the time being someone must actually use our PC (has physical access) and I don't think that even with an automated script it can really become hidden.
It does affect, though, the IT of various companies that often have restrictions on their PCs (such as no command prompt) as it serves as a way to bypass the said restrictions.
For example, if said PCs have 7zip, one can run a specially crafted compressed file, and they can get a command prompt.
Is it a risk?
Not really. If a dedicated person with knowledge has physical access... you are doomed anyway and he would not use this trick as there are a lot better ones. Please keep in mind that in Windows 10 now, in order to open a CHM file, you actually need to unblock it first.
Solution:
* If you’re worried about this vulnerability, you can simply delete 7zip.chm. It should be under C:\Program Files\7-Zip or C:\Program Files (x86)\7-Zip, depending on whether you use the 64-bit or 32-bit version. Block 7zip updates
* If you are an IT and have a network of PCs... simply set the 7-zip program to only have read and run permissions for all users.
* Remove 7zip and install an app that doesn't use the CHM help system.
Conclusion:
* If you are an IT that is extremely concerned or you like wearing tinfoil hats maybe you should look out for it. For those who do like tinfoil hats, you should remember that ANY software that uses the same Help Subsystem can become equally an issue.
* If you are a person that follows logic and reason, don't worry about it.
* Some websites will use anything to make you click with scary titles.
Hope it helped.
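
The checks from the post above, as an added example that is not part of the original thread: this PowerShell audit looks in the two install folders named in the post for any `.chm` help file, reports whether Windows still has it marked as downloaded (the "unblock" state mentioned above), and flags folders where broad user groups hold more than read and run rights. The function and variable names are hypothetical.

```powershell
# Added example (not from the thread): audit the 7-Zip folders named in the post.
$installDirs = 'C:\Program Files\7-Zip', 'C:\Program Files (x86)\7-Zip'

# Well-known SIDs for broad groups: Everyone, Authenticated Users, BUILTIN\Users.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

# Rights that would let a member of those groups change or replace files.
# Entries expressed only as generic rights are not decoded by this check.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$sidType = [System.Security.Principal.SecurityIdentifier]

function Get-SevenZipHelpExposure {
    param([string[]]$Path = $installDirs)

    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

        # Any compiled help file still present in the install folder.
        $chm = @(Get-ChildItem -LiteralPath $dir -Filter '*.chm' -File)

        # A Zone.Identifier stream means the file is still blocked as downloaded.
        $marked = @($chm | Where-Object {
            Get-Item -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        })

        # Allow rules (explicit and inherited) granting write-type rights to broad groups.
        $rules = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType)
        $writable = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broadSids -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band $writeMask) -ne 0
        })

        [pscustomobject]@{
            Directory        = $dir
            HelpFiles        = $chm.Name -join ', '
            StillBlocked     = $marked.Name -join ', '
            BroadWriteAccess = ($writable.Count -gt 0)
        }
    }
}

Get-SevenZipHelpExposure | Format-Table -AutoSize -Wrap
```

An empty `HelpFiles` column means the help file is already gone from that folder; `BroadWriteAccess = True` means the folder does not match the read-and-run-only setup suggested in the post.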
Quite frankly, I cannot see the need for JavaScript to be in CHM either. I mean what, it doesn’t need stuff like jQuery, right? (because what kind of documentation file needs to send server side requests). In all honesty, Microsoft shot themselves in the foot making that available in their CHM API/SDK, and I blame Microsoft primarily.
Hmm, now what useless feature does that remind me of — oh yes
I properly posted the article here
Do you have more from source to back this up???? Concrete Proof Bro..
In the meantime, our friend and Super Admin knows and has seen the proof ^^...
I properly posted the article here [link hidden]