Jump to content
Login new information ×
Login new information
Donations campaign phase one 2024
  • Security & Privacy News

    Workaround for security issue in 7-Zip until it is fixed

    Karlston

    By Karlston,
    Published Date:

    • 501 views
    • 2 minutes
     Share
    • 501 views
    • 2 minutes

    Recent versions of the open source archiver 7-Zip have a vulnerability that has not been fixed yet. Successful exploitation of the vulnerability allows privilege escalation and the execution of commands; it appears that the issue can be exploited locally only.

     

    7-zip-vulnerability-workaround.webp

     

    Filed under CVE-2022-29072, the vulnerability is using the included 7-Zip Help file, 7-zip.chm, for the exploit. Attackers need to drag and drop files with the 7z extension on to the Help > Contents area in the 7-Zip interface.

     

    Vulnerability details have been published on GitHub. The page provides technical information and a short demonstration video of the exploit.

     

    It is unclear if and when 7-Zip will address the issue. The last update of the application dates back to the release of 7-Zip in December 2021

     

    Users of the application may use the following workaround to mitigate the vulnerability on their devices. Since it is using the included Help file, one way of dealing with the issue is to delete the Help file.

     

    1. Open the 7-Zip installation directory or folder on the system. On Windows, these are usually C:\Program Files\7-Zip or C:\Program Files (x86)\7-Zip, depending on whether the 64-bit or the 32-bit version of the application has been installed.
    2. Locate the file 7-Zip.chm; this is the help file. You can open it directly to display its content.
    3. Hit the delete button on the keyboard or right-click on the file and select the Delete context menu option, to remove it from the system.
    4. You may get a prompt, File Access Denied. If that is the case, select Continue.

     

    The file is moved to the recycle bin of the operating system by default. 7-Zip functionality is not reduced when you delete the help file. The Help file won't open anymore after the deletion, when you select Help > Contents in the 7-Zip File Manager or press the F1-key on the keyboard.

     

    Closing Words

     

    Deleting the Help file does not take longer than a minute. While it appears unlikely that the issue is exploited on large scale, most users may want to remove the Help file to protect their systems against exploits targeting the issue.

     

    Now You: which archiver do you use? (via Deskmodder)

     

     

     

    Workaround for security issue in 7-Zip until it is fixed

     Share
    Go to news

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.

    ×

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...