Best daily deals
Best daily deals

Links on Android Authority may earn us a commission. Learn more.

Popular PC app 7-Zip has a major flaw on Windows (Updated: Disputed)

There are a couple of ways to mitigate the issue, though.
By
May 2, 2022
7zip website on phone edit
Hadlee Simons / Android Authority
TL;DR
  • A vulnerability has been discovered in the popular 7-Zip app for Windows.
  • This would allow a local user to gain higher-level access.
  • The flaw is now disputed, with one analyst even claiming it was a hoax.

Update: May 3, 2022 (3:40 AM ET): Questions have been raised over an apparent 7-Zip vulnerability disclosed last month. The vulnerability is now marked as disputed on the CVE Program website, which tracks and catalogs disclosed vulnerabilities.

“Multiple third parties have reported that no privilege escalation can occur,” read an excerpt of the updated listing. Vulnerability analyst Will Dormann went so far as to claim on Twitter that the apparent flaw was actually a hoax (h/t: Mishaal Rahman).

Original article: April 20, 2022 (9:08 AM ET): File archiving tools like WinZip and WinRAR have been around for decades now, allowing you to compress files to save storage space and unpack them when you need to access the files in question. But 7-Zip became one of the most popular file archiving tools in the years following its release owing to its support for a variety of zip formats.

Now, Turkish Github user kagancapar has uncovered a major vulnerability in the Windows version of 7-Zip (h/t: Tom’s Hardware). More specifically, the vulnerability enables unauthorized privilege escalation and command execution, meaning that someone with limited access to your PC could gain admin access and run a variety of commands and apps.

Attackers can take advantage of the flaw by dragging and dropping a disguised file with the 7-Zip (.7z) extension onto the Help > Contents area of the 7-Zip UI. This vulnerability takes advantage of the included help file in the file archiving tool. Check out a video demonstration of the vulnerability below.

Thankfully, it seems like this requires the attacker to have local access to your PC rather than enabling an attack over a network. But this is still a noteworthy flaw in a very popular PC app.

The Github user offered two apparent solutions to address this vulnerability pending an app update. The first method is to delete the 7-zip.chm file, while the second way to mitigate the vulnerability is to ensure that 7-Zip only has read and run permissions for all users of the PC. Still, I guess dealing with this issue beats paying for WinRar.