#1649 Zone Identifiers of unzipped files.

open
None
5
2019-05-28
2016-03-23
donnie B.
No

Hello,
When I get a .zip file from the internet, it is (NTFS) marked as UNTRUSTED, but when I unzip the files inside, they aren't(!!) marked as UNTRUSTED.

(When I try with the Windows 7 onboard unzipper, the unzipped files stay untrusted. Maybe in times of Locky and TeslaCrypt this could be important.)

Discussion

  • donnie B. - 2016-03-30

    For example, when I get a file via Outlook or Thunderbird, they mark it as untrusted, but .zip tools don't, so if a "trusting" user opens a foreign (marked as untrusted) .zip, the files are directly marked as trusted and maybe he can get infected...

     
  • Igor Pavlov - 2016-03-30

    The overhead for that property (additional Zone Identifier stream for each file) is not good in some cases.

     
  • donnie B. - 2016-03-30

    Maybe, but it would be additional security... But OK, I don't want to start a big discussion; it was just a suggestion, because it could lever this security feature. So it's your choice to do it or not. :-D
    For myself it is not a problem, more for inexperienced users..

    Kind regards and thanks for all the work here. ;-)

     
  • Eric Lawrence - 2016-04-04

    FWIW, coincidentally I mentioned this limitation here: https://textplain.wordpress.com/2016/04/04/downloads-and-the-mark-of-the-web/

     
    • Igor Pavlov - 2016-04-05

      Actually, 7-Zip creates Zone.Identifier if you open a file in an archive via the temp folder. For example, you open a file via the temp folder for Explorer's zip.
      So if you do the same thing for 7-Zip, it creates Zone.Identifier also. So you should check it before writing that article.

       
  • donnie B. - 2016-04-05

    I don't know what you mean by temp folders. When I unzip with Windows Explorer, the unzipped file is "untrusted"; when I unzip with 7-Zip/PeaZip/Bandizip... it is trusted...

    What Eric posts is right.. but the ID=4 is not undocumented..
    https://blogs.msdn.microsoft.com/oldnewthing/20131104-00/?p=2753

     

    Last edit: donnie B. 2016-04-05
    • Igor Pavlov - 2016-04-05

      Open the archive in 7-Zip and open a file inside the archive with a double-click.

       
    • Eric Lawrence - 2016-04-05

      In 7-Zip v9.2, double-clicking on an exe in a .7z does not mark the temp-extracted file with a MotW. In v15.14 temp-extracted files are tagged, even though normally-extracted files are not. I've mentioned that in the post.

      As explained in the post, ZoneID=n is documented. What is not documented is the SmartScreen-created value AppZoneId=4, which means something entirely different.

       
      • Igor Pavlov - 2016-04-06

        In your article, you write:
        "Despite being one of the worst ZIP clients available, Windows Explorer gets this right." And then there is a screenshot of when you open a file with a double-click in Explorer. Then you write in the next paragraph: "In contrast, 7-zip does not". That is a wrong claim. Why don't you show a screenshot for double-click in 7-Zip, if you use a double-click screenshot for Explorer?

         

        Last edit: Igor Pavlov 2016-04-06
  • Joseph N. Musser II

    While I agree strongly that extracting files should not invisibly discard this security warning, it would be a major annoyance to end up with an entire tree of extracted files, each of which must be unblocked.

    I'd much rather have 7-zip give the warning up front before extracting so I can make the decision then. The warning is not invisible, and we don't end up with thousands of irritating alternate data streams.

     
  • Rafael Rivera - 2018-01-24

    Still a bug in latest 18.00 beta. No ASLR, no buffer security checks, old linker, no mark-of-the-web, no https page, no signed binaries -- it's clear security isn't a priority to you. It's frustrating because it overshadows all your amazing work. Hope you change your mind!

     

    Last edit: Rafael Rivera 2018-01-24
  • vssv - 2018-02-05

    @Rafael Rivera - thank you for raising the 7z RAR bugs.

    I think people need to hold Igor accountable regarding the below. There is no excuse to not use modern compiler and OS compile/runtime compat protection features, it's as simple as that. 'size' is a very poor excuse at that, and it's really time to update the build toolchain.

    I have discussed this issue with Igor Pavlov and tried to convince him to enable all three flags. However, he refused to enable /DYNAMICBASE because he prefers to ship the binaries without relocation table to achieve a minimal binary size. Moreover, he doesn’t want to enable /GS, because it could affect the runtime as well as the binary size. At least he will try to enable /NXCOMPAT for the next release. Apparently, it is currently not enabled because 7-Zip is linked with an obsolete linker that doesn’t support the flag.

    Same goes for signing the releases .... it's 2018

     

    Last edit: vssv 2018-02-05
  • vssv - 2018-02-05

    One more thing:

    2018-01-10 - Patched version 7-Zip 18.00 (beta) released
    What about 16.04 stable? Sounds like it's affected.

    Edit: OK, I clearly haven't peeked at the 7z release notes or home site recently. It looks like 18.01 is not beta: http://www.7-zip.org/

     

    Last edit: vssv 2018-02-05
  • Vander - 2019-05-28

    Hi,
    Still the same issue with the latest v19.0. This is a security problem, as we use attachment manager to protect our workstations against download of exec files from the Internet.
    Other unzippers don't have this problem. Why is this bug not yet fixed?
    Thanks

     

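The following PowerShell is an added example, not part of the thread and not 7-Zip code: it reads the Zone.Identifier stream discussed above from a downloaded archive and copies it onto extracted files that lack one, returning the paths it marked. The function names `Get-ZoneId` and `Copy-ArchiveZone` and the demo files are assumptions constructed for illustration; it needs Windows PowerShell 3.0 or later and an NTFS volume.

```powershell
# Added example (hypothetical helper names); not code from 7-Zip or the thread.

function Get-ZoneId {
    param([Parameter(Mandatory)][string]$Path)
    # Zone.Identifier is an INI-style alternate data stream, e.g. [ZoneTransfer] / ZoneId=3
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in $lines) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null   # no stream present, or no ZoneId line in it
}

function Copy-ArchiveZone {
    param(
        [Parameter(Mandatory)][string]$ArchivePath,
        [Parameter(Mandatory)][string]$ExtractedRoot
    )
    # An archive without a mark has nothing to propagate.
    if ($null -eq (Get-ZoneId -Path $ArchivePath)) { return }
    $stream = Get-Content -LiteralPath $ArchivePath -Stream Zone.Identifier
    $marked = @()
    foreach ($f in Get-ChildItem -LiteralPath $ExtractedRoot -Recurse -File) {
        # Only touch files the extractor left unmarked; keep any existing mark.
        if ($null -eq (Get-ZoneId -Path $f.FullName)) {
            Set-Content -LiteralPath $f.FullName -Stream Zone.Identifier -Value $stream
            $marked += $f.FullName
        }
    }
    return $marked
}

# Constructed demo: a placeholder "archive" marked as Internet zone (ZoneId=3)
# and one placeholder "extracted" file without any mark.
$root = Join-Path $env:TEMP ("motw-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path "$root\out" | Out-Null
Set-Content -LiteralPath "$root\sample.zip" -Value 'placeholder, not a real archive'
Set-Content -LiteralPath "$root\sample.zip" -Stream Zone.Identifier -Value '[ZoneTransfer]', 'ZoneId=3'
Set-Content -LiteralPath "$root\out\setup.exe" -Value 'placeholder'

Copy-ArchiveZone -ArchivePath "$root\sample.zip" -ExtractedRoot "$root\out"   # lists files it marked
Get-ZoneId -Path "$root\out\setup.exe"                                        # zone now on the extracted file
Remove-Item -LiteralPath $root -Recurse -Force
```

Writing the stream updates each file's last-write time, and every marked file then needs unblocking individually, which is the trade-off raised in the discussion.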