Development of UNLHA32.DLL for the domestic compression format 'LZH' discontinued, with a call to stop using the LZH format



In the old days, most software that could create ZIP archives was paid, so the free-to-use domestic compression format "LZH" was the de facto standard for file distribution. However, for security reasons, development of UNLHA32.DLL, UNARJ32.DLL and LHMelt has been discontinued. Bug fixes will continue, but there are no plans to release a 64-bit edition or an edition with low-level API additions.

In addition, the developer is calling for an end to the use of the LZH format: 'Let's stop using the LZH library (especially in groups and companies)'.

The details of what happened are below.

Notice
http://www2.nsknet.or.jp/~micco/notes/ann.htm ( InternetArchive )

The following 'Warning' is posted on the official site of Micco, the developer of UNLHA32.DLL and other software.

Many antivirus software systems cannot quarantine LZH archives with specially crafted headers. (Only confirmed on March 16 for the latest version as of April 2010.) On the other hand, not a few archivers can handle such archives normally because they are correct in the specification.

Therefore, in an environment where countermeasure software is not installed on the client, such as when quarantine is performed only at a gateway, it can be invaded and infected with almost no trouble. Even if it is installed on the client, the file can be quarantined when it is extracted, but it is not quarantined in operations that do not create files, such as previews.

Unfortunately, the countermeasure software vendors have not responded to this situation, and, judging from the past, I cannot expect the situation to be disclosed as vulnerability information in the future either (even though that is done for archives such as ZIP, CAB and 7z).

For these reasons, we do not recommend the use of LZH archives, especially in companies and groups. Above all, if you quarantine only at a gateway as described above, please reject LZH archives themselves.



In short, LZH archives can be used to carry out malicious activity, and although anti-virus vendors have taken measures for formats such as ZIP and CAB, for some reason neither the anti-virus vendors nor the security-related organizations have taken measures for the LZH format. Because it is dangerous to leave things as they are, the developer is saying that security-conscious places such as companies should stop using the LZH format altogether.

The discontinuation of development is discussed on the following page of the author's official site.
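The warning's advice to reject LZH archives outright at a gateway can be applied by matching on content as well as on file extension. The following is an added example, not code from the original page or from Micco; the function names, the deliberately broad method-ID pattern and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

# LHA/LZH member headers carry a 5-byte method ID such as "-lh5-" at offset 2.
# The pattern is deliberately broad (assumption of this example): a reject
# policy should over-match rather than miss an uncommon method ID.
METHOD_ID = re.compile(rb"-l[hz][0-9a-z]-")
BLOCKED_EXT = (".lzh", ".lha")


def looks_like_lzh(data: bytes) -> bool:
    """True if the payload begins with an LZH member header."""
    return METHOD_ID.fullmatch(data[2:7]) is not None


def lzh_attachments(raw_message: bytes) -> list:
    """Names of MIME parts to reject, matched by extension or by content."""
    hits = []
    for part in message_from_bytes(raw_message).walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(BLOCKED_EXT) or looks_like_lzh(payload):
            hits.append(name)
    return hits


def build_sample() -> bytes:
    """Constructed test message; the attachments are not real archives."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    renamed = bytes([0x19, 0x00]) + b"-lh5-" + bytes(15)  # LZH-style header, wrong extension
    msg.add_attachment(renamed, maintype="application",
                       subtype="octet-stream", filename="report.dat")
    msg.add_attachment(b"PK\x03\x04" + bytes(20), maintype="application",
                       subtype="zip", filename="notes.zip")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="OLD.LZH")
    return msg.as_bytes()


if __name__ == "__main__":
    print(lzh_attachments(build_sample()))
```

Self-extracting archives embed the LZH data inside an executable, so a check at offset 2 does not cover them.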

'LHA vulnerability' (5) and UNLHA32.DLL, etc., discontinued ...
http://www2.nsknet.or.jp/~micco/incidents/2010/inci1006.htm#i20100602 ( InternetArchive )

I reported the 'LZH library header processing vulnerability (2010 version)' (MHVI#20100425) to JVN in late April, and the reply finally arrived today. The result was 'Not acceptable.' It could be interpreted as 'even with almost the same material, it is vulnerability information for ZIP and 7z archives and not for LZH and ARJ archives'. The situation does not seem to have changed from three and a half years ago.

With this, it can be judged that vendors, JVN/IPA and others will not change from the attitude of 'I know the LZH library ...', so I decided to discontinue the development of UNLHA32.DLL, UNARJ32.DLL and LHMelt. I am unwilling to see a library that is left alone even when a vulnerability exists used for business purposes.

So, although we will continue the current bug fixes only, there will be no 64-bit edition or low-level API addition edition. Furthermore, you will be notified if you become unwilling and bugfixes get in your way. It has not reached a complete stop yet.

Perhaps you won't be able to respond unless you encounter a net incident or a major incident over the sea, so don't use the LZH archives (especially in groups or companies). Well, even if it is a ZIP library, it will be more than 3 years after going overseas, so it may be about 10 years after the LZH library has been going overseas.

Jun. 4, 2010 Postscript

The reason I interpreted the attitude as 'I know the LZH library ~' is that, for the vendors, more than three years after the explanation nothing has been addressed and there has been no response at all, and, for JVN/IPA, they have not answered any questions about ZIP, CAB and 7z archives and the similar cases that have been disclosed as vulnerability information (the problem that quarantine is not performed by anti-virus software etc.: JVNVU#545953). If the reason for the rejection is the same as three and a half years ago (the reason that 'It is not a vulnerability but a problem of software function / performance'), it is logically broken to publish JVNVU#545953, where the only difference is the library. On the other hand, if there is a different reason, they should be able to explain it, and if they cannot do that, the only reason left is 'It's an LZH archive'.

Yomoya, it is not a cold case such as “ CVE-C-2010 ( CVE-2010-0098 ) will be disclosed but domestic information will not be accepted” ... “I don't think so”. If it is so, it is zero.

As it has all come to seem stupid, I have also stopped continuing the investigation (or creating proof data) and reporting for the 2 or 3 software vulnerabilities (ones that can be attacked) that are currently under investigation. After self-defense, I will expect that someone will give me a story someday or another.


"JVN", which appears frequently in the text, is a vulnerability countermeasure information portal that aims to contribute to information security measures by providing information on vulnerabilities in software and other products used in Japan, together with countermeasure information. "IPA", which also appears frequently, is short for the Information-technology Promotion Agency.

Admittedly, Windows XP and later do not support the LZH format as standard the way they support ZIP (an add-on that lets compressed folders handle LZH as well as ZIP has been provided since April 2005), although Windows 7 can extract LZH without any additional installation. For people who only know Windows from XP onward, the reaction may be 'LZH? What is that? Why not ZIP?' Even so, many files compressed in LZH format are still distributed on 'Mado no Mori' (窓の杜) and 'Vector', which are well known as software distribution sites in Japan. That is no ordinary level of penetration.

On the other hand, many well-known compression/decompression programs take the LZH format for granted, as their names show: among the software listed on Mado no Mori, there are still many that bear the name of 'LHA', the program that compresses and archives in LZH format. Examples include 'Lhasa', 'Explzh', 'Lhaplus', 'LhaForge' and '+Lhaca'.

This is getting nostalgic, but in the old days the LZH format often had a better compression ratio than ZIP, and in the era of 'a large-capacity 2GB HDD!', when Tele-Hodai was in its heyday and line speeds were several kilobytes per second, there was a time when the LZH format was valued for shrinking files even a little so that the connection could be ended as soon as possible. Witnessing it head toward extinction in this way feels like the end of an era, and it is hard to put the feeling into words.

in Software, Posted by darkhorse