Slashdot Mirror
500 Million Users At Risk of Compromise Via Unpatched WinRAR Bug
An anonymous reader writes: A critical vulnerability has been found in the latest version of WinRAR, the popular file archiver and compressor utility for Windows, and can be exploited by remote attackers to compromise a machine on which the software is installed. "The issue is located in the 'Text and Icon' function of the 'Text to display in SFX window' module," Vulnerability Lab explained in a post on on the Full Disclosure mailing list. "Remote attackers are able to generate own compressed archives with malicious payloads to execute system specific codes for compromise."
I must admit some of these security exploits elude me a little, but I've read both of TFAs, and I guess my question is "what the heck is this SFX window and what's it for"?
Why the heck is an archiving program executing arbitrary code in the first place? That's crazy.
Lost at C:>. Found at C.
If you download and willingly execute an .exe you're already fucked.
So a self-extracting RAR can be rigged to exploit your machine. A self-extracting RAR is an executable. So a executable from an untrusted source can exploit your box. Wake me when you have a real vulnerability.
Oh, and samzenpus, that was the most clickbait bullshit Slashdot headline in months. You should be horsewhipped.
If it "affects only the latest version" as the article states, is it likely that 500 million people have the latest version- specifically- installed?
Can we finally admit WinRAR is terrible and annoying? Nobody cares about and extra few percent of zip style compression.
Not that compression itself is bad. But we don't need like 5 competing formats that essentially get us to the same place while causing users a bunch more clicks and forcing them to install some crappy nagware.
Go on, exorcise your shareware demons forever!
On the contrary; WinRAR sucks because it isn't open source. Instead, it's proprietary, spammy nag-ware.
7Zip, the actual open source competitor to WinRAR, is much better.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
So... you can use WinRAR to create an executable file that executes code?
I guess I'd better get cl.exe and gcc off my systems, too.
An executable file can do anything. So you can make an executable file with WinRAR that does something nefarious. Big fucking whoop. You can make a file that looks like a self-extracting archive and does something else with any old compiler.
And they're complaining about security flaws in closed-source, for-profit software.
I have both 7zip and winrar installed, and I gotta say I much prefer using winrar over 7zip. The UI is just a lot more elegant and intuitive, and the shell integration works better.
On the contrary; WinRAR sucks because it isn't open source
That's a bold statement because it goes either way. There are open source products that are better just because they are free and some are better because they simply are better. There are commercial products out there that outweigh open source products just because they have large teams with the right expertise and money to keep it going forward.
7Zip, the actual open source competitor to WinRAR, is much better
7Zip is better in many ways. Lightweight is the one major thing it has on WinRAR.
7Zip would have the same issues if it offered a self extracting option.
Well... Not to underestimate the finding, but frankly it's nothing new. Executables may carry malicious code, no matter how innocent they look.
To avoid running the executable, you can use WinRAR (or 7Zip etc) to open the SFX as if it were a regular archive.
This is a Windows-only issue. Nothing to see here, move along.
a WINRAR is you!
7zip isn't intuitive? How dumb do you have to be to type something like that.
If you can't figure out how to use 7zip, you shouldn't be using a computer.
In terms of features, WinRAR is far better (most notable with customizable fault tolerance / recovery options, PAR files, the SFX module, etc.).
In terms of compression performance, they're neck and neck. This has been true since the RAR5 format was released. A recent update to 7-Zip allowed for the opening of RAR5 archives, if you for some reason really hate WinRAR.
In terms of freeness, 7-Zip is better if you care. 7-Zip is open source and costs nothing, while WinRAR is closed source and costs nothing for personal use (it'll popup a registration screen once in a while but it still runs with all features enabled).
In terms of scripting up custom, complex compression tasks 7-Zip is far better.
I use 7-Zip, but I installed WinRAR when people started using RAR5 archives (before 7-Zip supported opening them). I was pleasantly surprised at how fucking good it was. I still use 7-Zip primarily, but that's just because I have it installed everywhere.
Must be for people who need to unrar the 7zip installation file
The SFX module is part of the UI. I wouldn't consider arbitrary code execution to be elegant.
7Zip would have the same issues if it offered a self extracting option.
7zip has self-extracting support.
7Zip has the option to build self extraction archives.
How is this a remote exploit? It seems you have to download the malicious file and run it.
millions more going hungry (mostly children), exploding, poorly attended to, marching in the streets for change,,, we imaginary semi-chosens get... even more fake bad news?
WinRAR totally sucks, why would 1/14 of the entire planet's population (not counting the billions of little brown kids without a computer) be using this software?
if you for some reason really hate WinRAR.
Or if you just don't feel like having a ton of programs installed just for proprietary formats. I haven't run into anything that 7-zip couldn't open, so why would I bother installing anything else?
... from before the 90's?
That's a bold statement because it goes either way. There are open source products that are better just because they are free and some are better because they simply are better. There are commercial products out there that outweigh open source products just because they have large teams with the right expertise and money to keep it going forward.
This is not really one of those cases though, archiving has become a commodity and the only reasons WinRAR has a huge following is that it is old (1995) from before Windows XP came with built-in ZIP support , it became the de facto archive format on Usenet and there's no open specification so competing tools can't create RAR files. It does absolutely nothing special that other tools don't do.
Live today, because you never know what tomorrow brings
that is our fault ? they should use condoms. no irony whatsoever. condoms work against hunger.
Came here to say this.
If you make .rar files, you're part of the problem.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Same here. I get blasted by people regularly for using WinRAR instead of 7-Zip, but I prefer it for the exact same reason you do. It's just more convenient to use. Hell, I even paid for it.
However, to avoid warring about it and for the sake of ease of file exchange, I only create ZIP files. For the same reason, I am thoroughly annoyed by people using the 7-Zip format for archives. The few extra bytes saved is not worth the annoyance, neither for RAR nor 7z files.
7Zip is better in many ways. Lightweight is the one major thing it has on WinRAR.
Some would claim that it isn't even the most major thing. The .7z format is documented, like the .zip format and notably unlike the .rar format, which all about about a dozen people are legally prohibited from understanding because of the UnRAR license.
You would install WinRAR because someone requires you to submit an archive in RAR format and nothing but WinRAR (or command-line products from the same company) can create archives in RAR format. But in practice, I don't expect this to come up very often outside the warez scene, whose release standards have traditionally required split RAR.
I know it's a crazy concept but if you actually PAY for it, you don't see any nag screens or ads or whathaveyou.
I think I paid $20 for it many years ago and it still does what I need it to do.
I also have both and like WinRAR more.
Open WinRAR
go to Help/About WinRAR...
click on the books
This is why it's better.
There is a 7zip unrar module. You can get it by:
apt-get install p7zip-rar
or similar. If you can't log in as root, you may need to prefix the command with sudo.
What "scene"? Do you mean the warez scene? I thought it was still using RAR files split into several dozen pieces.
7zip isn't intuitive? How dumb do you have to be to type something like that.
Surprisingly less dumb than somebody who responds to a remark that wasn't actually made.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
Do us a favour. Never write applications. Blaming the user is mistake number 1.
Chobits
Thanks to those who corrected me on the self extracting feature. I didn't know it was available.
Agreed, but his statement was broad and assuming open source automatically equals better which we both know is not true. In this case it may be but lets not make it a rule of thumb.
Up until August of 2015, 7-Zip could not open RAR5 archives (which were introduced introduced in August of 2013).
So while YOU may have not run into anything that 7-Zip couldn't open, there were 2 years where 7-Zip couldn't open newer RAR archives.
since 7-Zip was introduced? Funny.
Using a self extracting winRAR file as a vector to run code on Windows - is a vulnerability is Windows.
'Execution of poc.pl aborted due to compilation errors.'
I am thoroughly annoyed by people using the 7-Zip format for archives. The few extra bytes saved is not worth the annoyance, neither for RAR nor 7z files.
What annoyance?
The Daddy casts sleep on the Baby. The Baby resists!
@slashdime: "The SFX module is part of the UI. I wouldn't consider arbitrary code execution to be elegant."
Yea, it's designed as standard behaviour. There's a post extraction utility that'll run any valid script. But who in their right minds runs somefile.exe on their 'computer'. Oh, wait, no need to answer that one.
See samzenpus, it's not difficult to think up an accurate title :)
See subject: This is 1 time I'm GLAD I didn't upgrade! I.E.-> From the vulnerability report here http://seclists.org/fulldisclo... it appears that earlier models are NOT AFFECTED by this...
See, I personally consider to be the BEST archiver overall for years now - I haven't HAD a GOOD SOLID REASON to try others as I have license to it.
E.G.-> I used to consider WinZip that since it has a "perfect fit" for "Form fits function" in its GUI design (both do really for what they do).
However - WinRAR almost consistently does better in memory usage from tests I've seen & done myself, compressing the SAME datasets into it of many kinds, + WinRAR does more formats "natively" (minus having to "shell out" to an external program to do compression for a particular format).
WinRAR "took me away" from WinZip about, oh... 11 yrs. ago or more.
Any of you guys?
FEEL FREE to "Turn me on" to OTHER archivers & their value vs. what I just said, OR point me to tests that would "turn me away" from what I consider one of the BEST programs there is in the shareware/freeware realm.
APK
P.S.=> For once, an update would've turned into a "downdate" for me from this ware
New RAR files made with the RAR5 format. I doubt it was a requirement, WinRAR could likely still use RAR4. Also the vast majority of compressed files I've encountered are .zip.
Congratulations on winning the dumbass award.
"The UI is just a lot more elegant and intuitive" implies that 7zip's interface is not intuitive as compared to WinRAR.
I do write applications. I write them for people who aren't idiots. If people can't figure out how to use the applications I write, they are quickly fired for incompetence (not directly related to their inability to use my applications).
See subject & -> http://it.slashdot.org/comment...
* :)
(I'll take every bit I can in terms of that "few extra %" of compressability personally).
APK
P.S.=> I like WinRAR (5.20 user here, which is a safe model per the vulnerability report which only affects this NEWER one - so, I am GLAD I didn't upgrade for once) & consider it to be one of the FINEST sharewares ever constructed as well as one of the MOST useful almost daily... apk
"The UI is just a lot more elegant and intuitive" implies that 7zip's interface is not intuitive as compared to WinRAR."
Yes, that is the statement the OP made. You responded as if he had said:
7zip is unintuitive.
Which is a statement he did not make.
Congratulations on winning the dumbass award.
Mmm Hm.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
Apt-get should always be run as sudo. If you're logged is as root to install software, you are doing Linux wrong
See subject: This place USED to a lot cooler, circa say, 2005 when I first came around to about, oh... 2008 or so imo.
That's about when the "frist post/frosty" came around, the "mooo cow" (sexconker suprises me here, yes, from what I've seen it's him doing it when he forgot to submit ac doing those) we have now.
Then the "impersonating me" started, & of ALL people (which surprised me quite a bit since I liked a lot of his posts which informed me more on things political/international etc. - et al) Jeremiah Cornelius (former MS employee & now VMWare employee) was the one doing it.
So, trust me - you're NOT the only one putting up with it man...
Then came the freaks that nigh CONSTANTLY hassle, troll, & downmod all of my posts (which I just get around easily reposting, yes, unlimitedly as ac even here)!
See - I remember when we used to actually rationally DISCUSS the various merits/demerits of topics on computing - you gained a lot more insights or points-of-view + know-how then... since nobody "knows it all" in this field, or life.
Now? Well, you know - you said it better than I have, lol, love how you did actually!
(Plus, I don't think you & I have ever had a problem so, there you are...)
APK
P.S.=> Don't feel too bad man since like I said above - I get THAT kind of crap here nearly EVERY single day & every time I post...
However? Man - I LOVE SMASHING THEM INTO THE GROUND WITH FACTS vs. THEIR TROLLING CRAP!
(I know - sounds pretty bad, but after a while? You have to strike back OR sit there & get abused constantly instead - take your pick, ymmv!)... apk
Working with you must be a real pleasure.
You believe in the concept of a "real" name... How quaint. Sure there is such a thing as a legal name that you use on legal forms, and a lot of times people think that is your "real" name. But how real is it? Is it what your friends, family, acquaintances or coworkers call you? Probably not. I just put hackwrench into Bing and my slashdot page is on the first page of listings. My blog is in the first page of results in Google. That real enough for you?
If you are still using Windows global spyware...
http://portableapps.com/apps/utilities/peazip_portable
or...
http://www.peazip.org/peazip-portable.html
In Linux/BSD this isn't an issue. It just works.
I have both 7zip and winrar installed, and I gotta say I much prefer using winrar over 7zip. The UI is just a lot more elegant and intuitive, and the shell integration works better.
Me too. Winrar's interface is just better for me. It has tons of options for fine-tuning or customizing your work flow. I don't like change and they haven't really changed the interface much in a very long time. If it isn't broke, don't fix it.
The RAR file format itself seems to have more features, probably because the guy makes money off his software and can afford to devote more time to responding to customer suggestions and requests. Winrar is paying the bills, Mr. Roshal and his brother are highly motivated to keep their customers happy. I can easily imagine an open source developer ignoring the feature/bugfix requests of others to work on whatever they feel like.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
7z has better compression, is typically faster, multi-platform, and FREE. Why people use winrar over 7z, I can't understand.
And require a crack to get working properly? Why would anyone still use that crap. As everyone else has said, 7-zip has I thought, been standard for like 5 years, which is eternity in internet time... Do the slashdot editors still use winrar or something because they are stuck in the glory days of yore?
That, or they really are out of tune with the windows software scene.
-
You really ARE an idiot.
It's hard to take you seriously when all one has to do is scroll up.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
But they're not very tasty.
"So long and thanks for all the fish."
They only find out this now? OMG...
Now is a great time to upgrade to ZIPmagic: www.zipmagic.co/features.html We give away our file compression for 100% free. Yet the product is professionally, fully supported because our core business is disk compression, which is paid. Take a look at the features list I've linked above, and let me know if, even leaving the WinRAR exploit aside, you can think of a reason to not switch? In addition to being 100% free and 100% supported, ZIPmagic completely outclasses traditional archivers such as WinZip and WinRAR. You get tools that WinZip charges $60+ for free with ZIPmagic. And the disk compression angle is one you will not find in any competing archiver at all. It just does not exist on Windows outside of ZIPmagic. Last but not least, I'd be very surprised if a vulnerability of this sort was ever uncovered in ZIPmagic. ZIPmagic's file compression is plug-in extensible and currently has two plug-ins, one based on the excellent open source 7-Zip stack, and the other based on the WinZip proprietary ZIPX format for JPEG compression which even 7-Zip cannot do. ZIPmagic also integrates with Windows Explorer, mounting all archives as regular folders like Windows's ZIPfolders, but does it for all archive types (even RAR, 7-Zip, and ZIPX) - in addition to featuring completely stand-alone archive management applications.
7-Zip can be hard to use and install. ZIPmagic is 100% free for file compression, consumes the 7-Zip stack as well as supporting ZIPX for JPEG compression, and integrates with Windows Explorer for 100% transparent archive management (like ZIPfolders, but for 85+ archive types, including RAR and even the new RAR5 format). Things like drag/drop, copy/paste work seamlessly with ZIPmagic's archives-as-folders feature, transparently launching associated software and even updating the source archive when your changes are saved.
Actually, 7-zip offers SFX. BTW: I agree, open source isn't a "magic bullet" for a good software.
I have yet to find a newer copy of Winrar that is not packaged with malware.
Dowloaded from http://www.rarlab.com/ as of 10 minutes of this post.
File - WinRAR x64 (64 bit) 5.21
They keep updating their code every so many days to try to avoid detection. Once the AV guys catch up the malware list repopulates with bad stuff again from their program.
Most recent scan results:
Zillya!
Backdoor.DarkKomet.Win32.27531
Like most open source programs ported to Windows, the 7zip UI is crap.
you shut your whore mouth. winrar is a saint.
Premise, I no longer use WinRar as I switched mine and my friends' machines to open source alternatives like 7-Zip and PeaZip years ago.
I wonder why the titles (here and on other website) about n millions of Winrar *users* at risk: if I correctly understood the vulnerability description WinRar is not the target of a possible malicious use of the exploit, it is the vector that can be used to build an infected self extracting (exe) archive containing hidden commands where text and icon data should be, so the real risk is for anyone (not just WinRar users) as now there is an easy & handy tool (Winrar, until patched) that can be used to pack forged self extracting archives.
... closed source software is harder to inspect, design and coding flaws are more likely to pass undetected and stay for years. Err on the safe side and use Open Source replacements like 7-Zip, j7zip, p7zip, PeaZip...