![](\"https:\/\/images.techhive.com\/images\/article\/2016\/03\/thinkstockphotos-497863290-100648027-primary.idge.jpg\"\/)
<\/p>\n
Credit to Author: Woody Leonhard| Date: Tue, 30 Jan 2018 05:17:00 -0800<\/strong><\/p>\n Late last year, landave, a self-described \u201cComputer Science student enjoying cryptography, reverse engineering, and other information security topics,\u201d discovered two <\/span>startling security holes<\/span><\/a> in 7-Zip, a free zip program I\u2019ve <\/span>recommended for years<\/span><\/a>. <\/span><\/p>\n Bottom line: If you haven\u2019t updated 7-Zip in the past few days, get off your tail and do it now.<\/span><\/p>\n The bugs are subtle and, as best as I can tell, have never been leveraged in the wild. But that\u2019s going to change as landave\u2019s analysis reaches the mainstream.<\/span><\/p>\n Details of the bugs have to do with 7-Zip memory corruption, made worse by not running ASLR and DEP, and a heap buffer overflow in the shrink routine. Landave applied for, and received, a <\/span>MITRE number<\/span><\/a> for the latter, CVE-2017-17969.<\/span><\/p>\n There\u2019s been <\/span>a lot of back and forth<\/span><\/a> about the bugs, but the upshot is that 7-Zip\u2019s creator, Igor Pavlov, released a new version of 7-Zip, version 18.01, on Jan. 28. That’s the version you need.<\/span><\/p>\n If you use 7-Zip, you can see which version you\u2019re running by starting 7-Zip and clicking on Help > About 7-Zip. If you have a version prior to 18.01, get the new one. Now.<\/span><\/p>\n Updating 7-Zip couldn\u2019t be simpler.<\/span><\/p>\n Step 1.<\/strong> Go to the official <\/span>7-Zip page<\/span><\/a> and click the link to download either the 32-bit or 64-bit version. <\/span><\/p>\n Step 2.<\/strong> Right-click on the 7z1801-x64.exe file, and choose Run as administrator. If you get a \u201cWindows protected your PC\u201d message from SmartScreen, mutter an appropriate epithet, click the link for “More information,” then click “Run anyway.”<\/span><\/p>\n Step 3.<\/strong> Click yes on the User Account Control prompt, choose a destination folder, let the installer run, and reboot your computer.<\/span><\/p>\n 7-Zip has a lot of good features. Don\u2019t let it bite you.<\/span><\/p>\n Thx to <\/span>G\u00fcnter Born<\/span><\/a><\/p>\n (P.S. Not sure where landave goes to school, but he just published a PhD-worthy dissertation.)<\/span><\/p>\n Join us for one-year birthday libations on the <\/span><\/i>AskWoody Lounge<\/span><\/i><\/a>.<\/span><\/i><\/p>\n http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" Credit to Author: Woody Leonhard| Date: Tue, 30 Jan 2018 05:17:00 -0800<\/strong><\/p>\n Late last year, landave, a self-described \u201cComputer Science student enjoying cryptography, reverse engineering, and other information security topics,\u201d discovered two <\/span>startling security holes<\/span><\/a> in 7-Zip, a free zip program I\u2019ve <\/span>recommended for years<\/span><\/a>. <\/span><\/p>\n<\/p>\n