antonyMagnus7221 Posted June 2, 2022 Posted June 2, 2022 7-Zip zero-day vulnerability grants privilege escalation | TechSpot Needs to be addressed. OT and noticed this issue also exists with wrye bash
rmm200 Posted June 3, 2022 Posted June 3, 2022 I will be very interested to see the developer's take on this. While Vortex unpacks .zip files, I have seen no indication that Vortex installs 7-zip. There is not a local copy under any Vortex directory. I would be delighted to see you reproduce this vulnerability using Vortex.As I read it, the hacker would have to have console access and open Vortex's copy of 7-zip Help. I know of no way to do that... I don't think it even exists.
Guest deleted34304850 Posted June 3, 2022 Posted June 3, 2022 you may want to direct this to the 7zip developers. unless tannin42 can hack his way into their codebase and fix it himself?
Community Manager Pickysaurus Posted June 3, 2022 Community Manager Posted June 3, 2022 If this is an exploit in 7zip, surely it's reliant on the creators of 7zip fixing it and releasing a patch?
Tannin42 Posted June 3, 2022 Posted June 3, 2022 The way I read the article the security vulnerability is in the User Interface of 7zip (7zFM.exe), we don't even use that. Vortex uses the 7z command line tool. EDIT: Reading further into it the issue is disputed because it couldn't be reproduced and is now considered a hoax by many.
rmm200 Posted June 3, 2022 Posted June 3, 2022 That was the developer's take I was hoping for. Thanks!
antonyMagnus7221 Posted June 5, 2022 Author Posted June 5, 2022 Thanks for the replies. Still food for thought, seeing as how many vulnerabilities exist today it would be prudent for Vortex to remove the 7Zip program from its software and instead allow users to unpack the files with archive manager of choice no? BTW I did notice this issue was brought up at the 7Zip dev webbie, no telling if they got the message. It is open source after all an looks to me like last update occured before the vulnerability was discovered. Also using Kaspersky vulnerability checker indicates the problem is still found with Wrye Bash and Vortex. just an FYI
rmm200 Posted June 5, 2022 Posted June 5, 2022 I confirm that Kaspersky flags it as a vulnerability: C:\Program Files\Black Tree Gaming Ltd\Vortex\resources\app.asar.unpacked\node_modules\7z-bin\win32\7z.exe And it really does not like Adobe. Flagged a good dozen of their products for Java and Flash.
Guest deleted34304850 Posted June 5, 2022 Posted June 5, 2022 Thanks for the replies. Still food for thought, seeing as how many vulnerabilities exist today it would be prudent for Vortex to remove the 7Zip program from its software and instead allow users to unpack the files with archive manager of choice no? BTW I did notice this issue was brought up at the 7Zip dev webbie, no telling if they got the message. It is open source after all an looks to me like last update occured before the vulnerability was discovered. Also using Kaspersky vulnerability checker indicates the problem is still found with Wrye Bash and Vortex. just an FYIno, that's nonsense.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.