by paulfr 3691 days ago
I just did some testing and it's even worse than that: 7-zip completely ignores the file extension and snoops the file format based on the file contents only.

So simply opening a malicious ".zip" file on Windows could trigger the HFS+ vulnerability. Using 7-zip to open any file means you have a HUGE attack surface.

EDIT: One simple way to mitigate this issue would be to just throw a confirmation prompt if the file extension matches a known format but 7-zip is about to run a decoder for a different format.


IIRC, 7-zip does tell you if the actual format is different. At least it does when I extract some DMGs; it tells me it's actually an HFS "file".

Not on Windows, at least. The properties dialog can tell you it uses HFS+ if you ask for it, but it's too late because the HFS+ code has already been executed.

I meant when right clicking the archive and choosing "Extract to..." or something using Explorer's context menu.

Interesting, it does display a warning in this case! But it doesn't interrupt extraction, so if it's a malicious file the code will still execute.