SECURITY WARNINGS & Notices - Please post them here

[REDACTED]

What makes you think that avast uses 7zip ?

This:


@bob3160 - ""The security vulnerability has been fixed in 7-Zip 16.0 which has been released this month." - Ah yes, but has Avast installed the upgrade?

Gordon.

[Gopher John]

Avast staff will have to answer this question, regarding whether 7-zip libraries have been updated in Avast.

[DavidR]

What makes you think that avast uses 7zip ?

This:


@bob3160 - ""The security vulnerability has been fixed in 7-Zip 16.0 which has been released this month." - Ah yes, but has Avast installed the upgrade?

Gordon.

OK, now it's clear, but only when I viewed the code of your post as the image isn't being displayed, as the URL tag doesn't fetch the image, nor is it displaying the code. It's only seen if you look at the underlying code. Which I couldn't see, you would have to have downloaded it (if you could actually see the URL).

Code: [Select]

[img]https://www.dropbox.com/s/ah63ah4il50zwsv/AboutAvast.png?dl=1[/img]
It didn't need a quote of bob3160's post, you could have attached an image of your about.avast screen (which I have just done).

[abruptum]

I am using older version of MBAM (1.75) and I replaced 7z.dll in MBAM Program Files folder with 7z.dll from
7-Zip 16.0 Portable and everything is working fine.
I am not sure, but I think Avast uses 7-Zip only in installer.

[DavidR]

I am using older version of MBAM (1.75) and I replaced 7z.dll in MBAM Program Files folder with 7z.dll from
7-Zip 16.0 Portable and everything is working fine.
I am not sure, but I think Avast uses 7-Zip only in installer.

Whilst there is nothing definitive on what avast uses 7zip for, but it wouldn't be unreasonable to think it could be used for unpacking files that are going to be scanned.

[Dwarden]

Avast will need update the library, just like any other sane security software did ...

[Pondus]

Microsoft releases unofficial service pack for Windows 7
http://www.extremetech.com/computing/228779-microsoft-releases-unofficial-service-pack-for-windows-7

[bob3160]

Avast will need update the library, just like any other sane security software did ...

Avast isn't vulnerable. This should answer your question:
https://blog.avast.com/avast-software-updater-can-help-protect-you-from-security-loopholes-like-the-recent-7-zip-vulnerabilities

[polonus]

Most WordPress sites hacked through three vulnerable (outdated) plug-ins:  RevSlider- & GravityForms-plug-ins and the TimThumb-script. A quarter of all hacked WordPress sites had a vulnerable version of just these scripts. When pages are being hacked through outdated software, attackers will place a PHP-backdoor (66%). Why webmasters do not update and patch? 
Read about it here: https://sucuri.net/website-security/Reports/Sucuri-Website-Hacked-Report-2016Q1.pdf

polonus

[polonus]

FBI asks technology firms like Google etc. not to offer end2end encryption as by default (standard),
but only when users opt-in. Google did so with Google Allo, only icognito-mode comes with a stronger encryption.
Compliance to FBI-demands is better than later having to look for an excuse when backdoors in your software are being detected.
That is not making your software look too good, isn't it? No explanations to make is always better.
Read: https://twitter.com/csoghoian/status/733088078311489540
So encryption will not come as by default, turning the tecnologically unaware user into a potential FBI surveillance victim.
When we wanna protect ourselves we again have to fend for ourselves.

polonus

[Dwarden]

Avast will need update the library, just like any other sane security software did ...

Avast isn't vulnerable. This should answer your question:
https://blog.avast.com/avast-software-updater-can-help-protect-you-from-security-loopholes-like-the-recent-7-zip-vulnerabilities

so if I toss on avast specially crafted file with those exploits masked as 7zip format it shall not break ...
{crunch crunch}

[Asyn]

Magento 2.0.6 Security Update
https://magento.com/security/patches/magento-206-security-update

[REDACTED]

Avast will need update the library, just like any other sane security software did ...

Avast isn't vulnerable. This should answer your question:
https://blog.avast.com/avast-software-updater-can-help-protect-you-from-security-loopholes-like-the-recent-7-zip-vulnerabilities

so if I toss on avast specially crafted file with those exploits masked as 7zip format it shall not break ...
{crunch crunch}

Actually it probably will try.  First and most important: Avast is not compromised.  However, if Avast opens a v15 7z archive which contains a crafted file, then if the file contains the arbitrary code which the attacker wants executed, then that code will be executed as the result of the UDF vulnerability.  And you should then see (if the code has a sig or does things Avast doesn't like) Avast swing into action and throw the file in the Chest.  I doubt that Avast would be damaged, but OTOH, if the attacker is very very clever and is aiming at Avast...?

The important question here is "Has Avast updated its engine to replace any v15 7-Zip with v16 7-Zip?  And if not, when?"

Gordon.

[Asyn]

Did you read the blog post provided by Bob..!?

Avast is not affected by these vulnerabilities, but if you are a non-Avast user we recommend you update your antivirus software, if you haven’t done so already.

[bob3160]

Did you read the blog post provided by Bob..!?

Avast is not affected by these vulnerabilities, but if you are a non-Avast user we recommend you update your antivirus software, if you haven’t done so already.

Reading is important, Comprehension is paramount.