Here are some Windows 10 RS3+ Process Mitigations for hardening 7-Zip:

<?xml version="1.0" encoding="UTF-8"?>
<root>
  <AppConfig Executable="7z.exe">
    <DEP Enable="true" EmulateAtlThunks="false" OverrideDEP="false"></DEP>
    <ASLR Enable="true" ForceRelocateImages="false" OverrideForceRelocateImages="false" BottomUp="true" HighEntropy="true" OverrideBottomUp="false"></ASLR>
    <StrictHandle Enable="true" OverrideStrictHandle="false"></StrictHandle>
    <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
    <ControlFlowGuard Enable="true" SuppressExports="false" OverrideCFG="false"></ControlFlowGuard>
    <Fonts DisableNonSystemFonts="true" AuditOnly="false" OverrideFontDisable="false" Audit="false"></Fonts>
    <ImageLoad BlockRemoteImageLoads="true" OverrideBlockRemoteImageLoads="false" BlockLowLabelImageLoads="true" OverrideBlockLowLabel="false" AuditRemoteImageLoads="false" AuditLowLabelImageLoads="false"></ImageLoad>
    <Payload EnableExportAddressFilter="true" OverrideExportAddressFilter="false" AuditEnableExportAddressFilter="false" EnableExportAddressFilterPlus="true" OverrideExportAddressFilterPlus="false" AuditEnableExportAddressFilterPlus="false" EnableImportAddressFilter="true" OverrideImportAddressFilter="false" AuditEnableImportAddressFilter="false" EnableRopStackPivot="true" OverrideEnableRopStackPivot="false" AuditEnableRopStackPivot="false" EnableRopCallerCheck="true" OverrideEnableRopCallerCheck="false" AuditEnableRopCallerCheck="false" EnableRopSimExec="true" OverrideEnableRopSimExec="false" AuditEnableRopSimExec="false"></Payload>
    <SEHOP Enable="true" TelemetryOnly="false" OverrideSEHOP="false"></SEHOP>
    <Heap TerminateOnError="true" OverrideHeap="false"></Heap>
    <ChildProcess DisallowChildProcessCreation="true" OverrideChildProcess="false" Audit="false"></ChildProcess>
  </AppConfig>
  <AppConfig Executable="7zFM.exe">
    <DEP Enable="true" EmulateAtlThunks="false" OverrideDEP="false"></DEP>
    <ASLR Enable="true" ForceRelocateImages="false" OverrideForceRelocateImages="false" BottomUp="true" HighEntropy="true" OverrideBottomUp="false"></ASLR>
    <StrictHandle Enable="true" OverrideStrictHandle="false"></StrictHandle>
    <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
    <ControlFlowGuard Enable="true" SuppressExports="false" OverrideCFG="false"></ControlFlowGuard>
    <Fonts DisableNonSystemFonts="true" AuditOnly="false" OverrideFontDisable="false" Audit="false"></Fonts>
    <ImageLoad BlockRemoteImageLoads="true" OverrideBlockRemoteImageLoads="false" BlockLowLabelImageLoads="true" OverrideBlockLowLabel="false" AuditRemoteImageLoads="false" AuditLowLabelImageLoads="false"></ImageLoad>
    <Payload EnableExportAddressFilter="true" OverrideExportAddressFilter="false" AuditEnableExportAddressFilter="false" EnableExportAddressFilterPlus="true" OverrideExportAddressFilterPlus="false" AuditEnableExportAddressFilterPlus="false" EnableImportAddressFilter="true" OverrideImportAddressFilter="false" AuditEnableImportAddressFilter="false" EnableRopStackPivot="true" OverrideEnableRopStackPivot="false" AuditEnableRopStackPivot="false" EnableRopCallerCheck="true" OverrideEnableRopCallerCheck="false" AuditEnableRopCallerCheck="false" EnableRopSimExec="true" OverrideEnableRopSimExec="false" AuditEnableRopSimExec="false"></Payload>
    <SEHOP Enable="true" TelemetryOnly="false" OverrideSEHOP="false"></SEHOP>
    <Heap TerminateOnError="true" OverrideHeap="false"></Heap>
    <ChildProcess DisallowChildProcessCreation="true" OverrideChildProcess="false" Audit="false"></ChildProcess>
  </AppConfig>
  <AppConfig Executable="7zG.exe">
    <DEP Enable="true" EmulateAtlThunks="false" OverrideDEP="false"></DEP>
    <ASLR Enable="true" ForceRelocateImages="false" OverrideForceRelocateImages="false" BottomUp="true" HighEntropy="true" OverrideBottomUp="false"></ASLR>
    <StrictHandle Enable="true" OverrideStrictHandle="false"></StrictHandle>
    <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
    <ControlFlowGuard Enable="true" SuppressExports="false" OverrideCFG="false"></ControlFlowGuard>
    <Fonts DisableNonSystemFonts="true" AuditOnly="false" OverrideFontDisable="false" Audit="false"></Fonts>
    <ImageLoad BlockRemoteImageLoads="true" OverrideBlockRemoteImageLoads="false" BlockLowLabelImageLoads="true" OverrideBlockLowLabel="false" AuditRemoteImageLoads="false" AuditLowLabelImageLoads="false"></ImageLoad>
    <Payload EnableExportAddressFilter="true" OverrideExportAddressFilter="false" AuditEnableExportAddressFilter="false" EnableExportAddressFilterPlus="true" OverrideExportAddressFilterPlus="false" AuditEnableExportAddressFilterPlus="false" EnableImportAddressFilter="true" OverrideImportAddressFilter="false" AuditEnableImportAddressFilter="false" EnableRopStackPivot="true" OverrideEnableRopStackPivot="false" AuditEnableRopStackPivot="false" EnableRopCallerCheck="true" OverrideEnableRopCallerCheck="false" AuditEnableRopCallerCheck="false" EnableRopSimExec="true" OverrideEnableRopSimExec="false" AuditEnableRopSimExec="false"></Payload>
    <SEHOP Enable="true" TelemetryOnly="false" OverrideSEHOP="false"></SEHOP>
    <Heap TerminateOnError="true" OverrideHeap="false"></Heap>
    <ChildProcess DisallowChildProcessCreation="true" OverrideChildProcess="false" Audit="false"></ChildProcess>
  </AppConfig>
</root>

Note that I do have the Child Process Policy mitigation enabled as well, which will ensure that none of those 7-Zip binaries create child processes. This could be beneficial with self-extracting types of 7-Zip malware, potentially. But the Child Process mitigation can be disabled if it is problematic during regular usage. One mitigation that I found particularly problematic with 7-Zip is ASLR's Disallow Stripped Images.
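Applying a policy file like the one above and reading the result back is the part the post leaves implicit. The following PowerShell is an added example, not code from the post or from 7-Zip; it assumes the XML has been saved to C:\policies\7zip-mitigations.xml (a constructed path) and that the objects returned by Get-ProcessMitigation expose the group and setting names listed in $Expected (assumed from the ProcessMitigations module's output; adjust if your build names them differently).

```powershell
#Requires -RunAsAdministrator
# Added example: import the 7-Zip mitigation policy and verify every
# AppConfig actually took effect. Requires the ProcessMitigations module
# (Windows 10 1709 / RS3 and later, as the post states).
$PolicyPath  = 'C:\policies\7zip-mitigations.xml'   # constructed path, not from the post
$Executables = @('7z.exe', '7zFM.exe', '7zG.exe')   # the three AppConfig entries above

# -PolicyFilePath imports every <AppConfig> element in the file at once.
Set-ProcessMitigation -PolicyFilePath $PolicyPath

# Settings we expect to read back as ON. Group/Setting property names are an
# assumption about Get-ProcessMitigation's output object (Dep, Aslr, Cfg, ...).
$Expected = @(
    @{ Group = 'Dep';            Setting = 'Enable' },
    @{ Group = 'Aslr';           Setting = 'BottomUp' },
    @{ Group = 'Aslr';           Setting = 'HighEntropy' },
    @{ Group = 'StrictHandle';   Setting = 'Enable' },
    @{ Group = 'ExtensionPoint'; Setting = 'DisableExtensionPoints' },
    @{ Group = 'Cfg';            Setting = 'Enable' },
    @{ Group = 'FontDisable';    Setting = 'DisableNonSystemFonts' },
    @{ Group = 'ImageLoad';      Setting = 'BlockRemoteImageLoads' },
    @{ Group = 'ImageLoad';      Setting = 'BlockLowLabelImageLoads' },
    @{ Group = 'Payload';        Setting = 'EnableExportAddressFilter' },
    @{ Group = 'Payload';        Setting = 'EnableImportAddressFilter' },
    @{ Group = 'Payload';        Setting = 'EnableRopStackPivot' },
    @{ Group = 'Sehop';          Setting = 'Enable' },
    @{ Group = 'Heap';           Setting = 'TerminateOnError' },
    @{ Group = 'ChildProcess';   Setting = 'DisallowChildProcessCreation' }
)

$Problems = 0
foreach ($exe in $Executables) {
    $m = Get-ProcessMitigation -Name $exe
    foreach ($e in $Expected) {
        $state = $m.($e.Group).($e.Setting)
        if ("$state" -ne 'ON') {
            $Problems++
            Write-Warning ('{0}: {1}.{2} is {3}, expected ON' -f $exe, $e.Group, $e.Setting, $state)
        }
    }
    # Per-executable policy is stored under Image File Execution Options;
    # a missing key means the import silently skipped this binary.
    $ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$exe"
    if (-not (Test-Path $ifeo)) {
        $Problems++
        Write-Warning "No IFEO entry written for $exe"
    }
}
if ($Problems -eq 0) { 'All expected 7-Zip mitigations are ON.' }

# The post notes the child-process block may interfere with normal use.
# It can be lifted for one binary without touching the rest of the policy:
#   Set-ProcessMitigation -Name 7z.exe -Disable DisallowChildProcessCreation
```

The ASLR element in the policy deliberately leaves ForceRelocateImages (the "Disallow Stripped Images"-adjacent mandatory-ASLR setting) at false, matching the post's remark that stricter ASLR options broke 7-Zip for the author; the check above therefore does not expect it to be ON.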
Question: for programs like Malwarebytes that use a 7-Zip library, do we need to update this library? I don't use 7-Zip, but some programs like Malwarebytes have its library.
I asked Malwarebytes, and they release in the first week of February a new version of MBAM 3 with the 7z.dll without the vulnerabilities. I have a question: I use WinRAR and I see that there is a file called 7zxa.dll, version 16.2.0. Does it need to be replaced with the new 18.1, or can WinRAR have problems in its execution after this change? Edit: in the 7-Zip folder there isn't a 7zxa.dll, so it can't be changed for WinRAR.
Third-party programs which use the 7-Zip library and were released prior to the release of 7-Zip 18.00/18.01 can be considered vulnerable. New releases of affected programs (PeaZip, etc.) are needed.
The 7zxa.dll that is in WinRAR was also updated to version 18.1; it can be found in the package called 7z1801-extra.7z.
Haven't checked yet, but I wonder if Debian is going to automatically update 7z in their repositories? I have it and use it a lot for simple little files, more for privacy stuff than security. Edit: I went and checked, and I only see older versions for Debian. I realize 7-Zip 18.01 was only released on 1-28-18, so I am hoping that Debian quickly offers the latest and greatest! My 7z vaults are pretty small and I only have 10 or so to redo when I get my hands on 18.01. It's only been a few days.
Just a quick note. Debian did send out 7-Zip updates a couple of days ago. apt-get grabs them as needed.
From the Bandizip forum and the developer: "Bandizip does not use 7zip (or p7zip) to extract rar or zip (shrink) formats. So, I believe Bandizip does not have these problems. If he/she releases POC samples of this problem, I will check it again."
I don't know if the vulnerabilities can be used with Malwarebytes, but when there was a vulnerability in the 7-Zip library in 2016, it was necessary to change the 7zip.dll that is in the program.
Partitioning software often includes 7-Zip. I would assume you can just paste the new file into their folder.
MWB probably uses it to unpack 7-Zip files to be able to scan them. So if a 7-Zip file is dropped on the PC and it is scanned by real-time protection (not sure if it scans packed files, or scans when executed), a malicious 7-Zip file can exploit the vulnerability and potentially have system rights, because MWB has system rights.
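Several posts above make the same point: the exposure is not only the 7-Zip install but every third-party product that bundles 7z.dll or 7zxa.dll (Malwarebytes, WinRAR, PeaZip, partitioning tools), and those copies are only fixed when the vendor ships a new build or the DLL is swapped. The following PowerShell inventory is an added example, not code from the thread or from any of the products named; it assumes the search roots listed in $Roots, uses 18.01 as the fixed version because that is what the PeaZip changelog quoted later in the thread cites, and treats the DLL names as the two the thread mentions.

```powershell
# Added example: find bundled 7-Zip DLLs on this machine and flag builds
# older than 18.01 (the release the thread cites as fixing
# CVE-2017-17969 and CVE-2018-5996).
# Search roots are an assumption; extend them for portable or custom installs.
$Roots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:ProgramData,
    $env:LOCALAPPDATA
) | Where-Object { $_ -and (Test-Path $_) }

# 7z.dll is the full engine; 7zxa.dll is the extraction-only build that
# WinRAR ships (both named in the thread). Add other names as needed.
$DllNames = @('7z.dll', '7zxa.dll')

# 7-Zip's FileVersion string "18.01" is stored as major 18, minor 1,
# so compare on the numeric parts rather than the string.
$Fixed = [version]'18.1'

$Findings = Get-ChildItem -Path $Roots -Recurse -Include $DllNames -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi  = $_.VersionInfo
        $ver = [version]('{0}.{1}' -f $vi.FileMajorPart, $vi.FileMinorPart)
        [pscustomobject]@{
            Version    = $ver
            Vulnerable = ($ver -lt $Fixed)
            Product    = $vi.ProductName      # tells you which vendor owns the copy
            Path       = $_.FullName
            SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

$Findings |
    Sort-Object Vulnerable -Descending, Path |
    Format-Table Version, Vulnerable, Product, Path -AutoSize

# Non-zero exit lets a scheduled task or config-management run treat
# "an outdated copy still exists" as a failed check.
if ($Findings | Where-Object Vulnerable) { exit 1 }
```

Because the script records the product name and hash of each copy, it also answers the question raised above about whether pasting a new 7z.dll into a vendor's folder is safe to do: a DLL whose ProductName is the vendor's own rather than 7-Zip's has usually been rebuilt or renamed by that vendor and should wait for their update rather than a manual swap.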
This folder is not available on newer versions. Btw.: Bandizip has been updated to v6.12 today. But OK, you are using XP and must use 5.x. FYI: v5.20 (for XP) is available.
Seems like PeaZip (6.5.1 on Windows) is now updated: http://www.peazip.org/changelog.html

2018 02 18 6.5.1 BACKEND (Windows) 7z 18.01 to fix CVE-2017-17969 and CVE-2018-5996 vulnerabilities in the 17.x backend