
Vortex 7zip extension vulnerability needs patched


Go to solution Solved by Tannin42,


I will be very interested to see the developer's take on this.

 

While Vortex unpacks .zip files, I have seen no indication that Vortex installs 7-zip. There is not a local copy under any Vortex directory.

 

I would be delighted to see you reproduce this vulnerability using Vortex.

As I read it, the hacker would have to have console access and open Vortex's copy of 7-zip Help. I know of no way to do that... I don't think it even exists.


Guest deleted34304850

you may want to direct this to the 7zip developers. unless tannin42 can hack his way into their codebase and fix it himself?


  • Solution

The way I read the article, the security vulnerability is in the user interface of 7zip (7zFM.exe); we don't even use that. Vortex uses the 7z command line tool.

 

EDIT: Reading further into it, the issue is disputed because it couldn't be reproduced and is now considered a hoax by many.


Thanks for the replies.

 

Still food for thought: seeing as how many vulnerabilities exist today, it would be prudent for Vortex to remove the 7Zip program from its software and instead allow users to unpack the files with the archive manager of their choice, no?

 

BTW, I did notice this issue was brought up at the 7Zip dev webbie; no telling if they got the message. It is open source after all, and it looks to me like the last update occurred before the vulnerability was discovered.

 

Also, using the Kaspersky vulnerability checker indicates the problem is still found with Wrye Bash and Vortex. Just an FYI.


I confirm that Kaspersky flags it as a vulnerability:

 

C:\Program Files\Black Tree Gaming Ltd\Vortex\resources\app.asar.unpacked\node_modules\7z-bin\win32\7z.exe

 

And it really does not like Adobe. Flagged a good dozen of their products for Java and Flash.


Guest deleted34304850

> Thanks for the replies.
>
> Still food for thought: seeing as how many vulnerabilities exist today, it would be prudent for Vortex to remove the 7Zip program from its software and instead allow users to unpack the files with the archive manager of their choice, no?
>
> BTW, I did notice this issue was brought up at the 7Zip dev webbie; no telling if they got the message. It is open source after all, and it looks to me like the last update occurred before the vulnerability was discovered.
>
> Also, using the Kaspersky vulnerability checker indicates the problem is still found with Wrye Bash and Vortex. Just an FYI.

no, that's nonsense.

