SecTeer VulnDetect & PatchPro Support Forum VulnDetect

[Solved] 7-Zip (Portable) - Version not detected

    Tom VulnDetect Team Member @GregAlexandre
    last edited by 10 Jul 2018, 08:36

    @gregalexandre We will keep detecting these bundled applications, like 7-zip, Java, Flash and a lot of others. However, the default will be not to display these to users, since, under normal circumstances, the user will not (should not) use these.

    If the app, e.g. Star Citizen, is vulnerable because of the vulnerable 7-Zip, then we will flag Star Citizen as vulnerable. That means that the right solution is to update Star Citizen, not the bundled 7-Zip.

    However, advanced users who want to know about this can still find the insecure bundled apps. But we will not recommend anyone to "fix" this by themselves, since this may break the other app, nor will we automatically flag the "parent" app as vulnerable, unless there are credible reports indicating that the whole bundle is vulnerable.

    /Tom
    Download the latest SecTeer VulnDetect agent here:
    https://vulndetect.com/dl/secteerSetup.exe

      OLLI_S Community Moderator
      last edited by OLLI_S 7 Oct 2018, 08:51 10 Jul 2018, 08:48

      The same problem occurs with the Flash Player.
      I created the new topic Flash Player - Bundled Installation for that problem.

        GregAlexandre @Tom
        last edited by 15 Jul 2018, 20:23

        @tom

        • It is clear that bundled applications shall never be updated outside the parent application.

        • Most of the bundling application providers that let unsafe bundling applications in their packages silently ignore user warnings.

        • (1) Prerequisite software should not be treated as bundled applications even when installed in a parent tree application.

        (1) Some applications install other applications as a prerequisite if not installed (sometimes not in the default directory tree). This is a bit different from having embedded applications, even if in the end this is the same nightmare. I remember a financial application used by some big companies whose only answer was that they would stop support if we updated a JRE version that was fully vulnerable and had not been supported by Oracle for years.

        I do not know how to have this reported and be compliant with responsible security vulnerability reporting. Does VulnDetect have such a policy?

        Hope this helps.

          Tom VulnDetect Team Member @GregAlexandre
          last edited by 16 Jul 2018, 09:31

          @gregalexandre Well, as you say, there is a difference between bundling an app and an external dependency.

          In the case where e.g. Java is an external dependency, we will detect it as a standalone app, and we will have no immediate way of treating it differently (nor do I see why we should).

          In these special cases it is up to the user / customer to find a proper way to deal with it.

          For Java it is often possible to prevent Java from being active in the browser; that eliminates most vectors, but clearly, a proper assessment of this requires intimate knowledge of all apps on the system and how the system is used.

          Once we get more users and these cases start popping up, then I hope it will be posted on this forum, so we all can learn more.

          /Tom
            OLLI_S Community Moderator
            last edited by 16 Jul 2018, 11:00

            @GregAlexandre Is 7-Zip detected properly on your system(s)?
            If yes, can I mark this issue as "Solved"?

              OLLI_S Community Moderator
              last edited by 3 Dec 2018, 21:45

              The issue is quite old, so I assume I can close it?
              @Tom Can this issue be closed?

                Tom VulnDetect Team Member @OLLI_S
                last edited by 4 Dec 2018, 10:21

                @OLLI_S I believe this has been fixed for a while

                /Tom
                  OLLI_S Community Moderator
                  last edited by 4 Dec 2018, 21:01

                  OK, I mark the issue as solved!

                    GregAlexandre @OLLI_S
                    last edited by 8 Dec 2018, 14:36

                    @OLLI_S : There were two issues:
                    1/ portable version not detected

                    2/ Insecure bundled / required applications detected as unsafe and how to manage / report this stuff.

                    (1) is fixed.
                    (2) is still an issue. I still have curl embedded into Windows reported as unsafe and various 7-Zip embedded into products now reported as safe after being updated by their mother products.

                    Regards.

                      OLLI_S Community Moderator
                      last edited by 8 Dec 2018, 15:43

                      The issue with bundled apps is a separate topic and affects many other apps (not only 7-Zip).
                      But this is under development.
