A researcher by the name of Kağan Çapar announced a few days ago that he had found a zero-day flaw in 7-Zip. A claim that is now disputed.
Several researchers have since reported finding no concrete evidence for the existence of the vulnerability, registered as CVE-2022-29072, which has since gone into ” disputed “.
A mysterious way to proceed
On April 15, researcher Kağan Çapar announced that he had found a vulnerability in the 7-Zip data compression software. In a video posted on his YouTube channel, he demonstrates the vulnerability. To do this, he goes to the Help > Content menu of 7-Zip and drags a file with a .7z extension into the open help window. He then shows that in this way he succeeded in obtaining a local elevation of privileges. According to him, the problem is in the software, due to misconfiguration of 7z.dll and heap overflow (heapoverflow).
Since the publication of the video and the associated explanation, several people have raised inconsistencies in the explanations of the researcher. The bug does not seem to have been reproduced since, and the researcher refuses to share his files publicly, because the flaw has not been corrected, and to answer the majority of questions. It is therefore complicated to understand exactly how it works. Tavis Ormandy, researcher at Google, indicated on Twitter and on hacker news having received a file from Kağan Çapar, but having found no evidence to corroborate the claims of the researcher.
Will Dormann, researcher at CERT/CC, decided to use humor to demonstrate that a YouTube video was far from being sufficient proof of the existence of a vulnerability.
Unwarranted panic?
As of this writing, CVE-2022-29072 is now designated as ” DISPUTED on Miter. So is it necessary to worry and uninstall 7-Zip? For the moment, everything seems to indicate not, even if caution remains in order. Besides the fact that the very existence of the vulnerability is in question, this kind of loopholes are rarely used against individuals.
Several sites offer to delete the 7-zip.chm file to correct the problem. However, since the possible vulnerability requires prior access to the victim’s computer, the damage will already be done. Waiting for more information, wait and seeas the saying goes.
To download
- Open-source and free
- The 7z format offering good compression performance
The interface is a little austere but in everyday use, we will generally limit ourselves to its integration into Windows Explorer (a right click on an archive to decompress it, a right click on a file or a directory to compress it). A software to discover without hesitation!
The interface is a little austere but in everyday use, we will generally limit ourselves to its integration into Windows Explorer (a right click on an archive to decompress it, a right click on a file or a directory to compress it). A software to discover without hesitation!
Sources: Kagan Capar, hacker news, Tom’s Hardware
0