LZH Compression Algorithm to conclude development due to vulnerability

(This article was originally posted in Japanese at 10:24 June 07, 2010.)

The name LZH recalls the early days of networking, when we were so keen on choosing compression algorithms. It's one of the oldest but relatively powerful and free to use. It was de-facto standard back then.

But due to vulnerabilities found in the format, author of UNLHA32.DLL decided to drop further development of the format.

Read on for detail.

The announcement was made on author Micco's site. He's the author of UNLHA32.DLL, one of the major LZH codecs.

Micco mentions that vulnerabilities are fixable. But it takes some time and needs security softwares to watch over vulnerabilities until update.

But Japanese security organization JVN and IPA has rejected his report on security matters, and security software developer kept on ignoring the bug on falsified LZH file, which they never did on other formats.

So he announced the discontinuation in dismay and posted a warning about further using of LZH format.


Most of anti-virus softwares can't detect viruses embedded in LZH files with falsified header. And most archivers are capable to uncompress them, just as specified.

So if your system is quarantining file at the system's gateway with anti-virus software and not at client machines, the virus can penetrate into the system undetected until the file is uncompressed.

Security software vendor gave warnings on vulnerabilities on ZIP, CAB, 7z and other formats. But no action has been made for LZH to date. And I assume it will not be made in the future.

So I couldn't recommend the use of LZH algorithm, especially in businesses and institutions. Not only quarantining on files, I strongly recommend to deny LZH files themselves.

Since LZH format is one of the most used algorithm, security company should be more tuned to the vulnerabilities. But strangely they aren't. Author writes on his blog about this like following;
(JP)Vulnerabilities on LZH and UNLHA32.DLL discontinuation...

I reported LZH's vulnerability to Japan Vulnerability Notes in late April but the reception was refused. They accepted nearly identical reports on ZIP and 7z, but they didn't on minor formats like LZH or ARJ or somthing. Nothing has changed for 3 yeras.

All I got was that they(JVN and IPA) are no longer interested in LZH algorhithms. I don't want vulnerabilities to be ingnored and keep on being used so I decided to discontinue development of UNLHA32.DLL, UNARJ32.DLL and LHMelt.

I'm not completely done yet, so I will fix bugs on the software for now, but there will be no 64bit versions or API version. If I lose my drive to even fix bugs, I will inform you then.

I can see the security companies and official agencies taking action if and when something very serious ocurs concerning LZH and make the headlines overseas. But till the day, you should stop using LZH, especially on business. Even ZIP vulnerability took more than 3 years to become a news. Maybe 10 years for LZHs.

It's true that the share of LZH is decreasing and now ZIP has become de-facto standard. But this won't be a reason for security companies and organizations not accepting security reports. There are bunch of LZH files and compression softwares still out there in the Internet, and we need an accurate information for them. If public organization refuse to accept the report on them, how could we get accurate information?

Related Post:
WPA encryption broken completely: Japanese Academic Researcher implemented falsification attack - GIGAZINE

IgCodec - the Free and Fast Made In Japan Lossless Video Codec - GIGAZINE

Clean up Pre-Installed Rubbish with free “PC Decrapifier” software - GIGAZINE

“Pandemic”: The simulator of explosive virus infection - GIGAZINE


in Software, Posted by darkhorse_log