[Solved] 7-Zip (Portable) - Version not detected

OLLI_S

7-Zip Portable is found on my system 2 times in the following folders:​

• D:\PortableApps\PortableApps\7-ZipPortable\App\7-Zip64\7z.exe (from PortableApps.com)​
• E:\StarCitizen\RSI Launcher\resources\app.asar.unpacked\node_modules\7zip\7zip-lite\7z.exe (bundled with the game Star Citizen)​

Errors:

• The installed version of both instances is not detected (the text – is shown)​

Notes:

• In the Windows 10 Settings the portable application 7-Zip​​ is not listed in the list of installed applications.​

OLLI_S

Today 7-Zip is found a 3rd time:

• D:\PortableApps\PortableApps\7-ZipPortable\App\7-Zip\7z.exe (from PortableApps.com)
  This folder is for the 32.Bit version (in my first posting it is for the 64-Bit version).

OLLI_S

7-Zip is now detected 6 times.
Here a complete list of all folders:

• New: C:\ProgramData\NVIDIA Corporation\Downloader\PostProcessing\GFE\4ccc741fdd0ba2ac5593e823bdde3d30\GFExperience\7z.exe
• New: C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\7z.exe
• New: C:\Users\All Users\NVIDIA Corporation\Downloader\PostProcessing\GFE\4ccc741fdd0ba2ac5593e823bdde3d30\GFExperience\7z.exe
• D:\PortableApps\PortableApps\7-ZipPortable\App\7-Zip\7z.exe
• D:\PortableApps\PortableApps\7-ZipPortable\App\7-Zip64\7z.exe
• E:\StarCitizen\RSI Launcher\resources\app.asar.unpacked\node_modules\7zip\7zip-lite\7z.exe

I searched all my local hard drives for 7z.exe but I also just found these 6 folders.

Tom

@OLLI_S Yes, we improved the detection of 7-Zip. The contextual rules, that will eliminate these cases where it is bundled is an upcoming feature. It will be implemented in a week or two.

OLLI_S

I know that you want to exclude the bundled occurrence of applications, so I reported it that you can adjust your rules.

OLLI_S

I had a look at the scan results and detected three issues.

---

Now I see only 4 installed instances of 7-Zip, the following folders are not shown anymore:

• D:\PortableApps\PortableApps\7-ZipPortable\App\7-Zip\7z.exe
• D:\PortableApps\PortableApps\7-ZipPortable\App\7-Zip64\7z.exe

Have you hidden them or is this a bug in your rules?
Because these are not bundled versions.

---

For the other 4 remaining folders VulnDetect offers me updates although these are bundled versions:

• C:\ProgramData\ NVIDIA Corporation \Downloader\PostProcessing\GFE\4ccc741fdd0ba2ac5593e823bdde3d30\GFExperience\7z.exe
• C:\Program Files\ NVIDIA Corporation \NVIDIA GeForce Experience\7z.exe
• C:\Users\All Users\ NVIDIA Corporation \Downloader\PostProcessing\GFE\4ccc741fdd0ba2ac5593e823bdde3d30\GFExperience\7z.exe
• E:\ StarCitizen \RSI Launcher\resources\app.asar.unpacked\node_modules\7zip\7zip-lite\7z.exe

I know that you want to exclude the bundled versions of 7-Zip the next weeks.
Just want to point out that this is important because the user must not update these instances (VulnDetect offers a download link)

---

The installed version can not be detected in the following folder (the text ? is shown):

• E:\StarCitizen\RSI Launcher\resources\app.asar.unpacked\node_modules\7zip\7zip-lite\7z.exe

---

This was the reason why I suggested the debug mode.
So I can see what is detected but hidden and what is missing.

Tom

@olli_s The one bundled with Star Citizen is because it is a beta version, so that should equate to the "?" with the current limitations.
About the PortableApps, that is rather peculiar as I just verified, the 32 bit version you have on your system is identical to the 32 bit on my systems and that is detected correctly.
The updates for Nvidia and other versions are still expected due to the current limitations with the rules.
Does it not offer an update for the one with Star Citizen?

OLLI_S

Yes, for 7-Zip in Star Citizen an update is offered.
This morning I saw only 4 instances of 7-Zip, now I see 6 instances.
So the only thig that is left here is that for 7-Zip bundled with other apps no updates should be offered.

GregAlexandre

NVIDIA GE Force downloader left at least 3 versions of 7z.exe: C:\ProgramData\NVIDIA Corporation\Downloader\latest\GFExperience\7z.exe
Same in Programmes files ans same in "Users\all users".
I have no idea of the exploitability index of this vulnerability (can be null) but thanks to vulndetect, this shows me that NVIDIA installer is one more time not clean.
Can we safely remove these unsafe 7z.exe versions? Is there a safe way to use (except removing GE Force Experience )?
Thanks and regards.
Greg.

OLLI_S

@gregalexandre said in 7-Zip (Portable) - Version not detected:

NVIDIA GE Force downloader left at least 3 versions of 7z.exe

I moved your topic to this topic here, because here I wrote at posting #6 that these bundled instances should be ignored because the user must not update these versions.
These updates must be delivered by NVIDIA.

On the other hand:
It might be useful to see that NVIDIA (and also Star Citizen) are delivering out-of-date and unsafe instances of 7-Zip.
Star Citizen delivers version 15.05 beta and the current version is 18.05
So it might be useful to know that there are possible vulnerabilities that the user can not fix.

GregAlexandre

@olli_s : I understand that you do not want embedded products to be be reported as unsafe even if they are.
But if the embedded is not safe this means that the embedding product is unsafe. So if the embedded product is not reported as unsafe the embedding product should be reported as unsafe even when no fix is available.

I quickly tested one of the 7z.exe in NVIDIA directories and it seems a fully usable 7z command line executable. So its vulnerabilities can be used by a malware.

@Tom : Will te embedding product reported as unsafe ?
Regards.

OLLI_S

@GregAlexandre I agree that the user needs to know that a bundled application is unsafe.
This way users can contact the company that delivers the unsafe product bundled with their product.
If for example 7-Zip bundled with Star Citizen is unsafe then uses should report this to the programmers of Star Citizen.

But there must be a clear visual indicator that the user must not update the unsafe product.
If users manually update 7-Zip in the Star Citizen folder this may cause other issues.

Tom

@gregalexandre We will keep detecting these bundled applications, like 7-zip, Java, Flash and a lot of others. However, the default will be not to display these to users, since, under normal circumstances, the user will not (should not) use these.

If the app, e.g. Star Citizen, is vulnerable because of the vulnerable 7-Zip, then we will flag Star Citizen as vulnerable. That means that the right solution is to update Star Citizen, not the bundled 7-Zip.

However, advanced users who wants to know about this, can still find the insecure bundled apps. But we will not recommend anyone to "fix" this by themselves, since this may break the other app, nor will we automatically flag the "parent" app as vulnerable, unless there is credible reports indicating that the whole bundle is vulnerable.

OLLI_S

The same problem occurs with the Flash Player.
I created the new topic Flash Player - Bundled Installation for that problem.

GregAlexandre

@tom

• It is clear that bundled applications shall never be updated outside parent application.

• Most of bundling applications providers that lets unsafe bundling applications in their packages silently ignore user warnings.

• (1) Pre-requisite software should not be treated as bundled applications even when installed in a parent tree application.

(1) some application install other applications as a pre-requisite if not installed (sometime not in the default directory tree). This is a bit different of having embedded applications even if at this end this is the same nightmare. I remember a financial application used by some big companies had for unique answered that they will stop support if we update a JRE version fully vulnerable and no more supported by oracle for years.

I do not know how have this reported and be compliant with responsible security vulnerability reporting. Have Vulndetect such a policy?

Hope this helps.

Tom

@gregalexandre Well, as you say, there is a difference between bundling an app and between an external dependency.

In the case where e.g. Java is an external dependency, then we will detect it as a standalone app, and we will have no immediate way of treating it different (nor do I see why we should).

In these special cases it is up to the user / customer to find a proper way to deal with it.

For Java it is often possible to prevent Java from being active in the browser, that eliminates most vectors, but clearly, a proper assessment of this requires intimate knowledge of all apps on the system and how the system is used.

Once we get more users and these cases start popping up, then I hope it will be posted on this forum, so we all can learn more.

OLLI_S

@GregAlexandre Is 7-Zip detected properly on your system(s)?
If yes, can I mark this issue as "Solved"?

OLLI_S

The issue is quiet old, so I assume I can close it?
@Tom Can this issue be closed?

Tom

@OLLI_S I believe this has been fixed for a while

OLLI_S

OK, I mark the issue as solved!