by therealmarv 2971 days ago
My guess: Because 7zip is not good auto-update software (does it even warn if there is a new version?), this security bug is HUGE!

Just to give you an example: Many Germans think that http://www.7-zip.de/ is the official site, and you still download 16.04 there.


Well, it says "official website". If it isn't, the author should send a C&D; this is really unfair.
Yeah, there is no question about it. This website clearly says that it's the legit source for 7zip. There is even a red box on the right side of the page. This needs to be taken down if this is not an official source.

The left side has a navigation to different translations of the page. All but the English version link to the German page as well.

I'm guessing it was once part of the build pipeline but has since been abandoned.

So yeah, it is an official source. It's just outdated.

Or you know, the author of 7-zip could pay for a digital certificate and sign the executable. Fake websites and "Trojans" are a known problem, with a known solution.

Unfortunately, 7-zip barely has any security involved. No digital signatures, no ASLR, no NX bit, no stack canaries, no nothing.

Hopefully these security concerns wake up Igor. It's not the '90s anymore: developers have to participate to get a proper security posture. That's why Windows tried so hard to get everyone to use sandboxed Win10 Apps / Metro Sandbox by default, because these problems require the developers to care about security.

> So yeah, it is an official source. It's just outdated

`whois 7-zip.de` resolves to a private person in Germany. This does not look official to me. More like a crowdsourced effort of providing translated websites with a dangerous effect in case of security vulnerabilities.

The versions provided are (as of 2018-05-04T10:20:00Z): en 18.05, de 16.04, zh 16.04/18.05, eo 18.01, fr 18.01, ja 18.05, pt 18.01, es 18.01, th 18.05, vi 18.01

I just checked and I was on v9 from 8 years ago on my work PC. Why bother fixing security bugs etc. if you're not going to roll them out? With other Windows software I get told about updates when I load them (WinSCP, VirtualBox) or they check and update themselves (Firefox).
Because there are multiple conflicting priorities here. On the one hand, it is good to keep software updated, and therefore software should check for updates. On the other hand, software should restrict itself to solving one problem domain. Interacting with the internet is something wholly distinct from decompressing files, and so the software should not branch off into a new domain. Choosing between these priorities is not necessarily straightforward.

I could also argue that automatic updates are themselves a security hole. They are a way for new code to be downloaded and run, without notifying the user. As a result, it means that your security depends on the security of a machine not under your control. Not too much of a risk for Firefox, but imagine having a program that auto-updated from SourceForge during its experimental fling as a malware distributor.

A real-life example of the risk of automatic updates: about a decade ago, the maintainers of the Shareaza multi-protocol p2p client lost control of their domain, and the new owners of the domain pushed their own (sleazy, commercial) software to unsuspecting Shareaza users via its update mechanism.

(IIRC the maintainers learned the right lesson from that, and started signing their updates so it can't happen again.)
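The fix the comment above describes, as an added illustration that is not code from the thread or from any real 7-zip or Shareaza updater: an update client that only accepts a release whose manifest verifies under a public key pinned in the installed binary, so whoever controls the download domain cannot push a substitute package. The manifest format, the Ed25519 key and the payload bytes are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor fetched from the release site.
// The signature covers both the version and the package digest.
type Manifest struct {
	Version string
	SHA256  string // hex digest of the update package
}

// bytesToSign is the canonical byte string the signature is computed over.
func (m Manifest) bytesToSign() []byte {
	return []byte(m.Version + "\n" + m.SHA256 + "\n")
}

// SignManifest is what the genuine maintainer runs at release time.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.bytesToSign())
}

// VerifyUpdate accepts an update only if the manifest verifies under the
// pinned key AND the downloaded package matches the digest it names.
// A hijacked domain cannot satisfy the first check without the private key.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, pkg []byte) error {
	if !ed25519.Verify(pinned, m.bytesToSign(), sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("package digest mismatch: refusing update")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed release key
	pkg := []byte("constructed sample update payload")
	sum := sha256.Sum256(pkg)
	m := Manifest{Version: "18.05", SHA256: hex.EncodeToString(sum[:])}
	sig := SignManifest(priv, m)
	fmt.Println("genuine release:", VerifyUpdate(pub, m, sig, pkg))
	// A domain hijacker swaps the package but cannot re-sign the manifest.
	fmt.Println("swapped package:", VerifyUpdate(pub, m, sig, []byte("constructed rogue payload")))
}
```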

Windows is special here because Microsoft never properly solved the distribution problem for software.

If you want the typical user on Windows to run updated software, your software has to at least entice updating if not auto-update straight away.

Not solving this whole distribution mess is by far the worst downside of Windows as a platform. Not getting malware when installing software on your Windows PC is hard.

Assuming I agree with you, what's the reason for not telling me about updates when I run the app? What's the advantage of the decision they've taken which is to not announce this?
Because even determining that there is an update available requires checking against an outside source to see if an update is available. This requires internet access, which requires handling network protocols, network security and encryption, none of which have anything to do with file compression. Increasing the scope of a project introduces additional failure modes, and a larger security risk.

If a project already performs telemetry, or if they have developer announcements, then the project has already increased its scope, and checking for updates is a relatively minor addition. If it is a well-behaved stand-alone application that doesn't make unwarranted external connections, then checking for updates is a large increase of scope.

Old thread, but I'd like to point at http://scoop.sh [1] which provides a command line package manager for Windows - and allows easy update of packages.

Chocolatey is similar in some ways, but scoop works hard to isolate installed apps from each other, and from other users (which can be good and bad). It's a little like an apt-like wrapper for binary-only (x)stow.

[1] scoop is hosted on GitHub; the download URL is on proper SSL, and the bare scoop.sh domain presents a GitHub cert.

> Because 7zip is not a good auto update software

Updates should be handled by the OS anyway, IMO.

Can’t see that happening on Windows soon, if ever.
The Microsoft Store correctly auto-updates apps from the store.