7-Zip vulnarability

[MathiasM]

I read in this article on zdnet http://www.zdnet.com/article/severe-7-zip-vulnerabilities-cause-top-security-software-tools-patch-panic/

that there is a security vulnerability in the open source library 7-zip that could also effect Malwarebytes Anti-Malware cause it uses that library.

Can you provide any information about this ?

Mathias

[khanman]

This is exactly the reason that I signed up for access to this forum. We have a business license for about 50 users and this is very troubling.

[David H. Lipman]

Of course we'd have to have an authoritative response from an employee but, this is not troubling at all.

First you have to show that Malwarebytes products are actually using the vulnerable code.

Second you'd have to show an actual exploitation of said code.

It can only be troubling IFF there is a vulnerability that is actively being exploited that is not being fixed.  There is no evidence of that here.

Quite a number of applications have exhibited vulnerabilities.  Not all of them are exploited. 

When it comes to Malwarebytes they have taken responsibility and patched vulnerabilities that come to light.

 

 

Edited May 13, 2016 by David H. Lipman

[AdvancedSetup]

Please see the following post concerning this.

https://forums.malwarebytes.org/topic/183068-malwarebytes-anti-malware-and-the-7-zip-vulnerabilities/

 

[StuartKnapton]

The 7-zip dll that is installed alongside the latest version of Malwarebytes Anti-Malware (2.2.1.1043) is at the following path, on PCs I have checked

C:\Program Files (x86)\Malwarebytes Anti-Malware\7z.dll

According to the dll properties, this is version 9.20.0.0 (not v16.0, the latest patched dll)

There are posts on the 7-zip forums indicating that version 9.20 of 7-zip is still subject to at least one of the recently discovered vulnerabilities, CVE-2016-2335, though these posts have not yet been acknowledged by the author

https://sourceforge.net/p/sevenzip/discussion/45797/thread/a8fd6078/?page=1

I would appreciate it if you could please re-confirm that Malwarebytes Anti-Malware is not vulnerable to CVE-2016-2335?

[Firefox]

Hello and Welcome!

Please see this topic HERE for information to this matter...

[msherwood]

On 5/16/2016 at 3:50 PM, StuartKnapton said:

The 7-zip dll that is installed alongside the latest version of Malwarebytes Anti-Malware (2.2.1.1043) is at the following path, on PCs I have checked

C:\Program Files (x86)\Malwarebytes Anti-Malware\7z.dll

According to the dll properties, this is version 9.20.0.0 (not v16.0, the latest patched dll)

There are posts on the 7-zip forums indicating that version 9.20 of 7-zip is still subject to at least one of the recently discovered vulnerabilities, CVE-2016-2335, though these posts have not yet been acknowledged by the author

https://sourceforge.net/p/sevenzip/discussion/45797/thread/a8fd6078/?page=1

I would appreciate it if you could please re-confirm that Malwarebytes Anti-Malware is not vulnerable to CVE-2016-2335?

Hello. The 7-zip vulnerabilities reported center around functionality used to process UDF disk images and zlib formatted archives only. MBAM does not make use of this technology in 7-zip, so MBAM is not affected. Additionally, we’ll be including a patched library in a future build.

I also added this information to our main post.