Rocksolid Light

Welcome to novaBBS (click a section below)

mail  files  register  newsreader  groups  login

Message-ID:  

If graphics hackers are so smart, why can't they get the bugs out of fresh paint?

computers / alt.comp.os.windows-10 / Alarming 7-Zip Security Flaw Exposes Your PC To Hackers Giving Full Admin Rights

SubjectAuthor
* Alarming 7-Zip Security Flaw Exposes Your PC To Hackers Giving FullMr. Man-wai Chang
`* Re: Alarming 7-Zip Security Flaw Exposes Your PC To Hackers Giving Full Admin RiStan Brown
 `- Re: Alarming 7-Zip Security Flaw Exposes Your PC To Hackers Giving Full Admin RiMayayana

1
Alarming 7-Zip Security Flaw Exposes Your PC To Hackers Giving Full Admin Rights

<t45vhu$ju5$1@toylet.eternal-september.org>

  copy mid

https://www.novabbs.com/computers/article-flat.php?id=61910&group=alt.comp.os.windows-10#61910

  copy link   Newsgroups: alt.comp.freeware alt.comp.os.windows-10 "windows>>alt.comp.os.windows-11"
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!toylet.eternal-september.org!.POSTED!not-for-mail
From: toylet.t...@gmail.com (Mr. Man-wai Chang)
Newsgroups: alt.comp.freeware,alt.comp.os.windows-10,"windows>>alt.comp.os.windows-11"
Subject: Alarming 7-Zip Security Flaw Exposes Your PC To Hackers Giving Full
Admin Rights
Date: Mon, 25 Apr 2022 19:09:34 +0800
Organization: A noiseless patient Spider
Lines: 22
Message-ID: <t45vhu$ju5$1@toylet.eternal-september.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 25 Apr 2022 11:09:50 -0000 (UTC)
Injection-Info: toylet.eternal-september.org; posting-host="dd7409752ae2b6e47396822658eacc6a";
logging-data="20421"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19rL+CQaPS1E39hFkhcLD+Z"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
Thunderbird/91.8.1
Cancel-Lock: sha1:OOKBdqqCXinOJvqfiXrzsvfo7jM=
Content-Language: en-US
 by: Mr. Man-wai Chang - Mon, 25 Apr 2022 11:09 UTC

Alarming 7-Zip Security Flaw Exposes Your PC To Hackers Giving Full
Admin Rights
<https://hothardware.com/news/7-zip-security-flaw-grants-full-admin-rights>

.....

When utilizing 7-Zip's help menu, it executes the hh.exe, which can
still run and use ActiveX objects. If you attempt to drag a .7z
extension file to that window that appears, after malware or an attacker
has run their piece to unlock the nasty potential of elevated access, it
can potentially open up a command prompt with elevated administrator
access. This is displayed in the video made by Kağan Çapar, a security
researcher from Turkey.

Kağan does state in his GitHub, which outlines the vulnerability, that
he will not publish the details of the exploit until after the issue is
patched by the 7-Zip developers. No action has been taken yet,
unfortunately. He does, however, go on to say that the bug report has
been issued to 7-Zip developers, and that its CVE-2022-29072 designation
has been submitted to security reporting web sites.

.....

Re: Alarming 7-Zip Security Flaw Exposes Your PC To Hackers Giving Full Admin Rights

<MPG.3da8b76257a49e0b98ffc7@news.individual.net>

  copy mid

https://www.novabbs.com/computers/article-flat.php?id=66319&group=alt.comp.os.windows-10#66319

  copy link   Newsgroups: alt.comp.os.windows-10
Path: i2pn2.org!i2pn.org!aioe.org!news.uzoreto.com!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: the_stan...@fastmail.fm (Stan Brown)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Alarming 7-Zip Security Flaw Exposes Your PC To Hackers Giving Full Admin Rights
Date: Thu, 6 Oct 2022 10:59:32 -0700
Organization: Oak Road Systems
Lines: 43
Message-ID: <MPG.3da8b76257a49e0b98ffc7@news.individual.net>
References: <t45vhu$ju5$1@toylet.eternal-september.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Trace: individual.net 5eL0SbY2g+GjRgIxg+4j7wCrsdgb2c3Y7kwG7iZ0q4WVtVin/h
Cancel-Lock: sha1:PZYfM4+89iZrXDxWyC7qiVHjfB4=
User-Agent: MicroPlanet-Gravity/3.0.11 (GRC)
 by: Stan Brown - Thu, 6 Oct 2022 17:59 UTC

On Mon, 25 Apr 2022 19:09:34 +0800, Mr. Man-wai Chang wrote:
>
> Alarming 7-Zip Security Flaw Exposes Your PC To Hackers Giving Full
> Admin Rights
> <https://hothardware.com/news/7-zip-security-flaw-grants-full-admin-rights>
>
> When utilizing 7-Zip's help menu, it executes the hh.exe, which can
> still run and use ActiveX objects. If you attempt to drag a .7z
> extension file to that window that appears, after malware or an attacker
> has run their piece to unlock the nasty potential of elevated access, it
> can potentially open up a command prompt with elevated administrator
> access. This is displayed in the video made by Kagan Çapar, a security
> researcher from Turkey.
>
> Kagan does state in his GitHub, which outlines the vulnerability, that
> he will not publish the details of the exploit until after the issue is
> patched by the 7-Zip developers. No action has been taken yet,
> unfortunately. He does, however, go on to say that the bug report has
> been issued to 7-Zip developers, and that its CVE-2022-29072 designation
> has been submitted to security reporting web sites.

I saved this in April, intending to do something about it Real Soon
Now. It took me only six months to get around to downloading the
latest 7Zip version -- it's 22.01, dated July 2022. Then I went
looking for release notes, and found them in the forum(*), at

https://sourceforge.net/p/sevenzip/discussion/45797/thread/c43cbc5f18

A forum user asked, "Is the CVE problem with the help file fixed?
Or are you already working on a version that fixes this
vulnerability? So is there maybe already a timeframe when this CVE
problem will be fixed?"

The reply was "The CVE-2022-29072 is disputed and multiple security
researchers have declared it a hoax." There's more discussion, which
you can read at the above URL.

(*) BTW, more complete release notes are here:
https://7-zip.org/history.txt

--
Stan Brown, Tehachapi, California, USA https://BrownMath.com/
Shikata ga nai...

Re: Alarming 7-Zip Security Flaw Exposes Your PC To Hackers Giving Full Admin Rights

<thp4jh$3mgkm$1@dont-email.me>

  copy mid

https://www.novabbs.com/computers/article-flat.php?id=66339&group=alt.comp.os.windows-10#66339

  copy link   Newsgroups: alt.comp.os.windows-10
Path: i2pn2.org!i2pn.org!eternal-september.org!reader01.eternal-september.org!.POSTED!not-for-mail
From: mayay...@invalid.nospam (Mayayana)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Alarming 7-Zip Security Flaw Exposes Your PC To Hackers Giving Full Admin Rights
Date: Fri, 7 Oct 2022 08:02:55 -0400
Organization: A noiseless patient Spider
Lines: 13
Message-ID: <thp4jh$3mgkm$1@dont-email.me>
References: <t45vhu$ju5$1@toylet.eternal-september.org> <MPG.3da8b76257a49e0b98ffc7@news.individual.net>
Injection-Date: Fri, 7 Oct 2022 12:04:01 -0000 (UTC)
Injection-Info: reader01.eternal-september.org; posting-host="c97c78acec04694c352d769067d9bc9f";
logging-data="3883670"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/yMsktsCnOtoGiHSmpf1S8G2cVyxk59io="
Cancel-Lock: sha1:wFAUE1M19ihNxb+kWNNw7Lw2whM=
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-MSMail-Priority: Normal
X-Priority: 3
X-Newsreader: Microsoft Outlook Express 6.00.2900.5512
 by: Mayayana - Fri, 7 Oct 2022 12:02 UTC

"Stan Brown" <the_stan_brown@fastmail.fm> wrote

| The reply was "The CVE-2022-29072 is disputed and multiple security
| researchers have declared it a hoax."

Indeed. It's not a webpage. They're saying, essentially,
that if you have executable software on your computer
with malware present, the malware may be able to exploit it.
With ninny warnings like that it's no surprise that tech
companies are getting away with selling locked down
devices.

1
server_pubkey.txt

rocksolid light 0.9.8
clearnet tor