
vulnerability in UNACEV2.DLL

Posted: 22 Feb 2019, 03:52
by omega
There's a security vulnerability in the UNACEV2.DLL library. The vulnerability makes it possible to create files in arbitrary folders inside or outside of the destination folder when unpacking ACE archives. UNACEV2.DLL had not been updated since 2005, so it's best to drop ACE archive format support. It comes installed in the 32-bit version of Salamander only.

WinRAR has already dropped it: https://www.rarlab.com/rarnew.htm
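The bug class described in the post (an archive entry name that makes the unpacker write outside the chosen destination folder) is defeated by one check that every extractor has to perform before creating a file: resolve the entry name against the destination root and refuse anything that does not stay inside it. The following is an added example of that check, not code from UNACEV2.DLL, Salamander or any of the posters; it uses Python's ntpath so Windows path rules apply on any host, and the entry names in SAMPLE_ENTRIES are constructed for illustration.

```python
"""Destination-containment check for archive entry names (added example)."""
import ntpath
from typing import Dict, List, Optional, Tuple


def resolve_entry(dest_root: str, entry_name: str) -> Optional[str]:
    """Return the absolute on-disk path an archive entry should be written to,
    or None if writing it would land outside dest_root.

    Windows path rules (ntpath) are used unconditionally so the result is the
    same on any host. dest_root must be an absolute drive path such as C:\\out.
    """
    dest = ntpath.normpath(dest_root)
    drive, rest = ntpath.splitdrive(dest)
    if not drive or not rest.startswith("\\"):
        raise ValueError("dest_root must be an absolute drive path")

    # Entries that carry their own drive letter, UNC share or root are never
    # legitimate archive members; ntpath.join would let them replace dest.
    if ntpath.splitdrive(entry_name)[0] or entry_name[:1] in ("\\", "/"):
        return None

    # normpath collapses '.' and '..' and turns '/' into '\\', so traversal
    # written with either separator is resolved before the comparison.
    candidate = ntpath.normpath(ntpath.join(dest, entry_name))

    # Case-insensitive prefix test against dest plus a separator, so that
    # C:\out accepts C:\out\x but rejects C:\output\x.
    root_cmp = ntpath.normcase(dest)
    cand_cmp = ntpath.normcase(candidate)
    if cand_cmp != root_cmp and not cand_cmp.startswith(root_cmp + "\\"):
        return None
    return candidate


def plan_extraction(dest_root: str, entry_names: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Split archive entries into {name: target path} to extract and a list
    of names to refuse. Nothing is written to disk here."""
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for name in entry_names:
        target = resolve_entry(dest_root, name)
        if target is None:
            rejected.append(name)
        else:
            accepted[name] = target
    return accepted, rejected


# Constructed sample entry names: two benign members and four that try to
# escape the destination folder in different ways.
SAMPLE_ENTRIES = [
    "docs\\readme.txt",
    "src/../notes.txt",
    "..\\..\\Windows\\evil.dll",
    "C:\\Windows\\System32\\evil.dll",
    "\\\\server\\share\\evil.dll",
    "..\\output\\sneaky.txt",
]

if __name__ == "__main__":
    ok, bad = plan_extraction("C:\\out", SAMPLE_ENTRIES)
    for name, target in ok.items():
        print(f"extract  {name!r:45} -> {target}")
    for name in bad:
        print(f"REFUSE   {name!r}")
```

The decision is taken on the fully normalised candidate path, not on the raw entry string, because a substring scan for ".." misses root-relative names, drive-relative names and mixed separators. An unpacker that applies this check to every member before opening the output file cannot be made to create files outside the folder the user picked.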

Re: vulnerability in UNACEV2.DLL

Posted: 25 Feb 2019, 08:55
by Petr Solin
We will also drop support for ACE archives. We will remove UnACE plugin. Thanks for info!

Re: vulnerability in UNACEV2.DLL

Posted: 27 Feb 2019, 16:01
by tajmone
Petr Solin wrote: 25 Feb 2019, 08:55
We will also drop support for ACE archives. We will remove UnACE plugin. Thanks for info!
When will this happen? AS hasn't been updated in over two years, but this being a security issue it should be addressed ASAP.

Even if there are no AS updates on the horizon (i.e. feature-wise), you should release security patches for the latest release.

Because AS is used as a replacement for Windows Explorer, it's used on all hard disk folders, including system folders, therefore any vulnerability might have serious repercussions on the filesystem and stored work.

I'm quite disappointed that there hasn't been any update for so long, and while I might indeed be patient when it comes to waiting for Unicode support in AS, when it comes to security there isn't really any room for "being patient", as AS might expose the whole system to such vulnerabilities.

You should really make some clear statement to your user base, here on the forum, regarding whether AS is still an actively developed product or not. And if it is, then there are no excuses regarding your duty to release security patches as soon as vulnerabilities are discovered. If AS is no longer active, then just say so and its users can start looking for another product.

The current situation, where an upcoming update is often mentioned but never really seen, is becoming unbearable, and, quite frankly, a rather unfair situation toward customers, especially new customers who could be buying a license right now.

Saying that "you're working on updates" isn't really enough of a commitment — even if you are (as I believe you are indeed working on a new version that will support Unicode). The point I'm trying to make here is that AS' development strategy is something unheard of; you can't just set out to implement a next major version to introduce Unicode support and, in the meantime, freeze every type of update, including security patches!

You have a responsibility toward your user base in guaranteeing security from vulnerabilities. With AS being a file browser that even supports network protocols, and can access the registry, there aren't really any excuses that justify over two years without a single patch.

As a software developer, I just can't wrap my head around the fact that while you're working toward a major update you can't release patches for the current stable version. On what rationale does major update development work justify leaving the latest stable release frozen?

This isn't a problem with the technical difficulties you might be facing in integrating Unicode, DPI awareness or whatever features into the next AS versions; this is a problem with the overall philosophy PROTECH adopts toward their software products' development and security issues. I am really quite surprised that something like this even needs to be mentioned on the forum of a product like AS, which is basically given access to the whole storage of a PC, or even an intranet network.

Are you really going to keep pursuing the current line of development, where everything is frozen until Unicode in AS is finally ready?

I have the impression that the many posts on the forum that point out the current situation of stale development speak for themselves, and that the AS developers should seriously consider taking a clear stand in this respect, out of fairness toward their user base. If you're unable to make a commitment with clear ETAs regarding feature updates and patches, you'll eventually lose the trust of your customers and user base. There is only so much patience you can expect from any product's user base, especially from paying customers, and two years is quite a lengthy time when it comes to eroding trust, one day after the other, waiting for a product update that never seems to make it.

But security ... well, that's another story altogether; once I start doubting that you, as a company, have taken the security of my PC and work seriously to heart, then there is nothing you could ever do to gain back that trust: no Unicode support update, no DPI awareness, nothing. If I trust your product and allow it to access and manage my hard disk and network files, I NEED to know that you take very seriously your commitment to protect me, my PC and my work from security issues and vulnerabilities.

Re: vulnerability in UNACEV2.DLL

Posted: 27 Feb 2019, 20:10
by therube
this being a security issue it should be addressed ASAP
Plugins | Plugins Manager -> UnACE -> Remove.

Delete/rename the directory, \Servant Salamander\plugins\unace\.

Re: vulnerability in UNACEV2.DLL

Posted: 27 Feb 2019, 21:03
by tajmone
therube wrote: 27 Feb 2019, 20:10
this being a security issue it should be addressed ASAP
Plugins | Plugins Manager -> UnACE -> Remove.

Delete/rename the directory, \Servant Salamander\plugins\unace\.
Thanks for the tip @therube, I appreciate it; but I was hoping that security issues would be addressed by automatic patches instead of having to check the forums daily to see if AS users have discovered some vulnerability and then having to intervene on it manually. I'd feel better if the AS development team would ensure that AS is kept safe out of the box and via automatic updates.

I personally don't come and visit the forum often, since AS is not getting updates anyhow.

Re: vulnerability in UNACEV2.DLL

Posted: 28 Feb 2019, 01:34
by omega
therube wrote: 27 Feb 2019, 20:10
this being a security issue it should be addressed ASAP
Plugins | Plugins Manager -> UnACE -> Remove.

Delete/rename the directory, \Servant Salamander\plugins\unace\.
Also look at the Configuration screen -> Archivers Associations in Panels, External Archivers Locations, Packers & Unpackers in Dialog Box.
You need to delete the ACE items manually. In External Archivers Locations it is not possible to remove the Win32 ACE item.