500 Million Users At Risk of Compromise Via Unpatched WinRAR Bug

An anonymous reader writes: A critical vulnerability has been found in the latest version of WinRAR, the popular file archiver and compressor utility for Windows, and can be exploited by remote attackers to compromise a machine on which the software is installed. "The issue is located in the 'Text and Icon' function of the 'Text to display in SFX window' module," Vulnerability Lab explained in a post on on the Full Disclosure mailing list. "Remote attackers are able to generate own compressed archives with malicious payloads to execute system specific codes for compromise."

*points at Winrar*

Hideki!

Re:*points at Winrar*

a WINRAR is you!

Re:*points at Winrar*

Chobits

WinRAR is for Luddites.

Modern app appers compress apps using APPS, not Luddite software like WinRAR!

Apps!

Huh?

[gstoddart]

I must admit some of these security exploits elude me a little, but I've read both of TFAs, and I guess my question is "what the heck is this SFX window and what's it for"?

Why the heck is an archiving program executing arbitrary code in the first place? That's crazy.

Re:Huh?

You open first link, and you view the youtube video which shows the entire process of creating the malicious self extracting rar archive .exe.

Technically the compressor/decompressor is okay, the SFX module however..

Re:Huh?

Someone's boss said, "Well, that's nice, but can you make it show the fireworks GIF and play the applause WAV like my PowerPoint presentation?"

Re:Huh?

[gstoddart]

You open first link, and you view the youtube video

No way, opening links and viewing youtube videos is how you get exploited in the first place ... and it's sinful and could lead to dancing.

Re:Huh?

You open first link, and you view the youtube video which shows the entire process of creating the malicious self extracting rar archive .exe.

If you're running untrusted .exe files, regardless of whether or not they're SFX RARs, you're gonna have a bad time. (I suppose one could try to verify that an arbitrary .exe is actually an SFX instead of a malicious executable before running it, but still... if you're going to go through the trouble of compromising a developer's build system, where said developer normally distributes software through SFX .EXE files and hiding your payload in the SFX .exe, that's an awful lot of work...

Re:Huh?

[sexconker]

SFX refers to the self-extractor piece.
It lets you compress a bunch o' shit, then package it as an executable file.
The executable contains the compressed shit, the decompression algorithm, and a short script about where to unpack shit to, what to title the SFX window, etc.

Run the executable and your 8 MB download turns into a 25 MB folder with shit in it.
People distribute self-extractors because you don't need to rely on them having WinRAR installed, don't need to rely on them knowing where to put the files, etc.

Re:Huh?

IIRC, the RAR compression format lets you include arbitrary code in the RAR file that gets executed by the RAR decompresser when you decompress the RAR file. This lets you do things like include your *own* decompresser that has been trained on the input data so that you can maximize your compression ratios.

I'm shocked that there haven't been *more* sploits for RAR announced over the years.

Re:Huh?

God damn you're stupid. You've never seen self-extracting archive? What the fuck are you doing on this website?

Re:Huh?

[gstoddart]

God damn you're stupid. You've never seen self-extracting archive? What the fuck are you doing on this website?

Wondering how you whiny little punks all survived to adulthood while believing people give a crap about your opinions.

Re:Huh?

[thechemic]

For years I have always renamed the archivefile.exe to archivefile.rar. This prevents it from running as an executable, and WinRAR opens it just fine. Trusting any archive file SFX is sinful indeed.

Re:Huh?

Why would you even create an SFX if you're going to use it as a RAR? I'm confused as to what use-case would imply this sequence of operations.

Re:Huh?

[Gary+Perkins]

Parent isn't creating the executables, he's downloading them from "untrusted sources" and doing the (admirably) paranoid thing by opening them with WinRAR rather than trusting the executable.

Re:Huh?

Ah, makes sense. Thanks for the info.

WinRAR

Sounds like one of those crappy open source projects. This doesn't surprise me one bit.

Re:WinRAR

[mrchaotica]

On the contrary; WinRAR sucks because it isn't open source. Instead, it's proprietary, spammy nag-ware.

7Zip, the actual open source competitor to WinRAR, is much better.

Re:WinRAR

[ArmoredDragon]

I have both 7zip and winrar installed, and I gotta say I much prefer using winrar over 7zip. The UI is just a lot more elegant and intuitive, and the shell integration works better.

Re:WinRAR

[Ravaldy]

On the contrary; WinRAR sucks because it isn't open source

That's a bold statement because it goes either way. There are open source products that are better just because they are free and some are better because they simply are better. There are commercial products out there that outweigh open source products just because they have large teams with the right expertise and money to keep it going forward.

7Zip, the actual open source competitor to WinRAR, is much better

7Zip is better in many ways. Lightweight is the one major thing it has on WinRAR.

7Zip would have the same issues if it offered a self extracting option.

Re:WinRAR

7zip isn't intuitive? How dumb do you have to be to type something like that.

If you can't figure out how to use 7zip, you shouldn't be using a computer.

Re:WinRAR

[sexconker]

In terms of features, WinRAR is far better (most notable with customizable fault tolerance / recovery options, PAR files, the SFX module, etc.).

In terms of compression performance, they're neck and neck. This has been true since the RAR5 format was released. A recent update to 7-Zip allowed for the opening of RAR5 archives, if you for some reason really hate WinRAR.

In terms of freeness, 7-Zip is better if you care. 7-Zip is open source and costs nothing, while WinRAR is closed source and costs nothing for personal use (it'll popup a registration screen once in a while but it still runs with all features enabled).

In terms of scripting up custom, complex compression tasks 7-Zip is far better.

I use 7-Zip, but I installed WinRAR when people started using RAR5 archives (before 7-Zip supported opening them). I was pleasantly surprised at how fucking good it was. I still use 7-Zip primarily, but that's just because I have it installed everywhere.

Re:WinRAR

[slashdime]

The SFX module is part of the UI. I wouldn't consider arbitrary code execution to be elegant.

Re:WinRAR

[xOneca]

7Zip would have the same issues if it offered a self extracting option.

7zip has self-extracting support.

Re:WinRAR

[dafradu]

7Zip has the option to build self extraction archives.

Re:WinRAR

[fredgiblet]

if you for some reason really hate WinRAR.

Or if you just don't feel like having a ton of programs installed just for proprietary formats. I haven't run into anything that 7-zip couldn't open, so why would I bother installing anything else?

Re:WinRAR

[Kjella]

That's a bold statement because it goes either way. There are open source products that are better just because they are free and some are better because they simply are better. There are commercial products out there that outweigh open source products just because they have large teams with the right expertise and money to keep it going forward.

This is not really one of those cases though, archiving has become a commodity and the only reasons WinRAR has a huge following is that it is old (1995) from before Windows XP came with built-in ZIP support , it became the de facto archive format on Usenet and there's no open specification so competing tools can't create RAR files. It does absolutely nothing special that other tools don't do.

Re:WinRAR

[GameboyRMH]

Came here to say this.

If you make .rar files, you're part of the problem.

Re:WinRAR

[SirJorgelOfBorgel]

Same here. I get blasted by people regularly for using WinRAR instead of 7-Zip, but I prefer it for the exact same reason you do. It's just more convenient to use. Hell, I even paid for it.

However, to avoid warring about it and for the sake of ease of file exchange, I only create ZIP files. For the same reason, I am thoroughly annoyed by people using the 7-Zip format for archives. The few extra bytes saved is not worth the annoyance, neither for RAR nor 7z files.

Re: WinRAR

I know it's a crazy concept but if you actually PAY for it, you don't see any nag screens or ads or whathaveyou.

I think I paid $20 for it many years ago and it still does what I need it to do.

Re:WinRAR

I also have both and like WinRAR more.

Open WinRAR
go to Help/About WinRAR...
click on the books
This is why it's better.

Re:WinRAR

... it became the de facto archive format on Usenet and there's no open specification so competing tools can't create RAR files. It does absolutely nothing special that other tools don't do.

There is a 7zip unrar module. You can get it by:

    apt-get install p7zip-rar

or similar. If you can't log in as root, you may need to prefix the command with sudo.

Re:WinRAR

[MobileTatsu-NJG]

7zip isn't intuitive? How dumb do you have to be to type something like that.

Surprisingly less dumb than somebody who responds to a remark that wasn't actually made.

Re:WinRAR

Do us a favour. Never write applications. Blaming the user is mistake number 1.

Re:WinRAR

[Ravaldy]

Thanks to those who corrected me on the self extracting feature. I didn't know it was available.

Re:WinRAR

[Ravaldy]

Agreed, but his statement was broad and assuming open source automatically equals better which we both know is not true. In this case it may be but lets not make it a rule of thumb.

Re:WinRAR

[sexconker]

Up until August of 2015, 7-Zip could not open RAR5 archives (which were introduced introduced in August of 2013).

So while YOU may have not run into anything that 7-Zip couldn't open, there were 2 years where 7-Zip couldn't open newer RAR archives.

Re:WinRAR

[chispito]

I am thoroughly annoyed by people using the 7-Zip format for archives. The few extra bytes saved is not worth the annoyance, neither for RAR nor 7z files.

What annoyance?

Re:WinRAR

[nickweller]

@slashdime: "The SFX module is part of the UI. I wouldn't consider arbitrary code execution to be elegant."

Yea, it's designed as standard behaviour. There's a post extraction utility that'll run any valid script. But who in their right minds runs somefile.exe on their 'computer'. Oh, wait, no need to answer that one.

Re:WinRAR

[fredgiblet]

New RAR files made with the RAR5 format. I doubt it was a requirement, WinRAR could likely still use RAR4. Also the vast majority of compressed files I've encountered are .zip.

Re:WinRAR

Congratulations on winning the dumbass award.

"The UI is just a lot more elegant and intuitive" implies that 7zip's interface is not intuitive as compared to WinRAR.

Re:WinRAR

I do write applications. I write them for people who aren't idiots. If people can't figure out how to use the applications I write, they are quickly fired for incompetence (not directly related to their inability to use my applications).

Re:WinRAR

[MobileTatsu-NJG]

"The UI is just a lot more elegant and intuitive" implies that 7zip's interface is not intuitive as compared to WinRAR."

Yes, that is the statement the OP made. You responded as if he had said:

7zip is unintuitive.

Which is a statement he did not make.

Congratulations on winning the dumbass award.

Mmm Hm.

Re: WinRAR

Apt-get should always be run as sudo. If you're logged is as root to install software, you are doing Linux wrong

Re: WinRAR

Working with you must be a real pleasure.

Re:WinRAR

[dj245]

I have both 7zip and winrar installed, and I gotta say I much prefer using winrar over 7zip. The UI is just a lot more elegant and intuitive, and the shell integration works better.

Me too. Winrar's interface is just better for me. It has tons of options for fine-tuning or customizing your work flow. I don't like change and they haven't really changed the interface much in a very long time. If it isn't broke, don't fix it.

The RAR file format itself seems to have more features, probably because the guy makes money off his software and can afford to devote more time to responding to customer suggestions and requests. Winrar is paying the bills, Mr. Roshal and his brother are highly motivated to keep their customers happy. I can easily imagine an open source developer ignoring the feature/bugfix requests of others to work on whatever they feel like.

Re:WinRAR

7z has better compression, is typically faster, multi-platform, and FREE. Why people use winrar over 7z, I can't understand.

Re:WinRAR

You really ARE an idiot.

Re:WinRAR

[MobileTatsu-NJG]

It's hard to take you seriously when all one has to do is scroll up.

Re:WinRAR

[zipmagic]

7-Zip can be hard to use and install. ZIPmagic is 100% free for file compression, consumes the 7-Zip stack as well as supporting ZIPX for JPEG compression, and integrates with Windows Explorer for 100% transparent archive management (like ZIPfolders, but for 85+ archive types, including RAR and even the new RAR5 format). Things like drag/drop, copy/paste work seamlessly with ZIPmagic's archives-as-folders feature, transparently launching associated software and even updating the source archive when your changes are saved.

Re:WinRAR

[squeeze69]

Actually, 7-zip offers SFX. BTW: I agree, open source isn't a "magic bullet" for a good software.

Re:WinRAR

Like most open source programs ported to Windows, the 7zip UI is crap.

Re:WinRAR

you shut your whore mouth. winrar is a saint.

BS

If you download and willingly execute an .exe you're already fucked.

Re:BS

Exactly the point made by the WinRAR developers:
http://www.rarlab.com/vuln_sfx_html.htm

Click-bait BS

[pegr]

So a self-extracting RAR can be rigged to exploit your machine. A self-extracting RAR is an executable. So a executable from an untrusted source can exploit your box. Wake me when you have a real vulnerability.

Oh, and samzenpus, that was the most clickbait bullshit Slashdot headline in months. You should be horsewhipped.

Re:Click-bait BS

[gstoddart]

Oh, I don't know ... it's a real vulnerability, dated Monday, and rated as a 9 (I assume out of 10) ... in terms of being an actual thing and showing up in a timely manner, I'm not sure I'd call it clickbait.

Now, anything Nerval's Lobster posts which links to Dice? That I'd call clickbait.

Re:Click-bait BS

7zip can do a normal extract of a self-extracting archive. I think that does not "run" the self-extract program, only the already installed 7zip binary.

Re:Click-bait BS

It won't show up in a AV scan as malicious code (not yet anyway), you can now intercept and modify legit Winrar self extracting executables over unsecured channels and modify them.

Old joe next door doesn't know how to check a file hash, maybe doesn't even know or want to know how you can extract that SFX file without running the executable.

Another tool in the toolbox.

Re:Click-bait BS

I see.
So,, if your logged in then your comments will be modded to some degree..
But, if your anon, regardless lf the validity of the premise you are promoting, you get shit on..

case in point,
ther was an article a couple of days ago touting Apple's new CPU..
some individual voiced his opinion, and how it was formed based on actions commited in the past,
All of which were validated within the thread by various other professionals in the industry. Yet, the individual gets a mod point of -1 which removes him from a significant ammount of display..
So now, we have a poster, posting the obvious and various other colorful metaphores, which may or may not be for public consumption depending on the individual reading it. But yet a modpoint of 5??

so I have to ask, whom is copulating whom??
and should we really be having this conversation?

Overlords please pull your heads out of your Glutenous areas, for your lack of semblance is faulted.
On as the paradigm turns,
Is this really what they are looking for?
De-funk, devalue, and definite. Making the company a better package deal for those waiting for the value to drop?
or has it just come about that there is really no concern for the community at large?
"just pay me and im out"
If that rely is the case, then I must ask
"what do foolish, shortsighted, an uninformed individuals look like??"
I'm not going to answer that here, as it would seem foolish..
But all those whom suffer from this issue I am sure could figure it out.
If three are individuals whom are not understanding my statement above then pls let me know I would be more than happy to further elaborate..

Moving past all of that,, No I havent read the article as I m very busy,, but does this issue affect any other archival applications?

Now, that would be something to "chew" on..

Wait for it, Wait for it, wait for it

(-1 flamebait)

Re: Click-bait BS

Yeah, cuz AVs don't know how to extract... What are you doing in 2015 with this 90's "can't do that" BS?

Re:Click-bait BS

You could already do that. Injecting malicious code into a legitimate executable is a well known tactic. This is literally "executable runs executable code" GASP!

Re:Click-bait BS

[sexconker]

So can WinRAR - you just extract the archive instead of running the executable.
See http://www.rarlab.com/vuln_sfx...

Re: Click-bait BS

Don't listen to the logged-in cowards that demand you log in or they will troll you. They will still troll you. It's not like their stupid log in nerd name is their real name anyways.

Re:Click-bait BS

[tlhIngan]

So a self-extracting RAR can be rigged to exploit your machine. A self-extracting RAR is an executable. So a executable from an untrusted source can exploit your box. Wake me when you have a real vulnerability.

Actually, the problem is NOT the executable. The SFX part is NOT compromised at all. It's completely legitimate standard WinRAR SFX.

However, the bug is that there's a buffer overflow in the SFX program - you can give it a malicious HTML file that cause it to execute code.

The deal is that all a malicious user has to do is inject their file into a RAR archive and set a flag to have the SFX program show it as part of the SFX process. The SFX stub will check clean by all anti-virus because it's the same SFX stub as what WinRAR ships with.

It's entirely possible that you cannot detect this - if the archive is password protected, for example, so you can't detect the bad HTML file at all. And the SFX will still check clean, but really infect your PC.

The only workaround is to use WinRAR itself to open the SFX

Re:Click-bait BS

The "remote attackers" part is clickbait at least. You have to download the RAR file and execute it directly. It's not a "remote attack" in the common sense used for security vulnerabilities.

Re:Click-bait BS

[avandesande]

+1 First person to actually RTFA

Re:Click-bait BS

No, just because it's an executable does not mean it gets a free pass from scrutiny. It's unintended behavior from a program caused by a malicious payload. That's a security vulnerability, that needs to be patched.

Oh, it came from teh interwebz? SO WHAT!? If every software developer had your attitude, no-one would be able to use the net period (much less software they themselves did not create) because the response to every single security bug would be: "Oh well you ran untrusted code / opened untrusted data, it's your problem dumbass."

I seriously hope you are not currently a manager in software development, because if you are I would consider any program made under your watch to be less safe than malware.

Re:Click-bait BS

[BradleyUffner]

However, the bug is that there's a buffer overflow in the SFX program - you can give it a malicious HTML file that cause it to execute code.

So what you are saying is that an EXE file can execute code?

Re:Click-bait BS

[klui]

I always tack on a .rar to any SFX so I could disable auto extract. I'm still using 3.93.

Re:Click-bait BS

[Barlo_Mung_42]

It sounds like the system will be protected if you're running as standard user instead of admin since it won't be able to elevate. Correct?

Re:Click-bait BS

[Gunstick]

it was a so real vulnerability that the winRAR author set it into a WONTFIX. And he's right.

Re:Click-bait BS

[zipmagic]

Or, you switch to a tool that does everything better in the first place, and is 100% FREE on top: http://www.zipmagic.co/feature...

500 million?

If it "affects only the latest version" as the article states, is it likely that 500 million people have the latest version- specifically- installed?

Re:500 million?

[ArmoredDragon]

I was surprised to learn that Winrar had that many users, considering it's a paid application. I'm one of those weirdos who did pay for it (they gave me a special for $15) even though I do indeed pirate a lot of stuff.

Re:500 million?

[fraxinus-tree]

It is, well, optionally paid application. It nags you to pay if you open the main window, but it is mostly used as a shell extension (well, at least I use it that way). I decided to pay after years of hassle-free use.

Re:500 million?

[fredgiblet]

It's free for personal use and there's people out there that haven't heard of 7-zip.

Re:500 million?

[kav2k]

> It's free for personal use
[citation needed]

Re:500 million?

Go to their website, you'll see. It's a nag-ware version though.

Re:500 million?

[Barlo_Mung_42]

Relax man. You don't have to pretend to pirate "lots of stuff" just to fit in here. I almost always buy things that I like and find useful.

Can we finally admit WinRAR is terrible?

Can we finally admit WinRAR is terrible and annoying? Nobody cares about and extra few percent of zip style compression.

Not that compression itself is bad. But we don't need like 5 competing formats that essentially get us to the same place while causing users a bunch more clicks and forcing them to install some crappy nagware.

Re:Can we finally admit WinRAR is terrible?

we are very pleased with 7-zip. the 7z format is very well compressed, and if you are not sure if the receiving party has 7-zip, then 7-zip can crate win-zip compatible archives, that are a bit smaller than what win-zip crates.

Re:Can we finally admit WinRAR is terrible?

[SQLGuru]

I don't even bother with 7z format because modern OSs support ZIP out of the box. I only install 7-zip for slightly better interface than the one built in to the OS, but I know that anyone I send the file to can read the file.

Re:Can we finally admit WinRAR is terrible?

[Lendrick]

I have 7zip installed because it can extract RAR files and it isn't WinRAR.

Re:Can we finally admit WinRAR is terrible?

And I only use 7z, because space matters when uploading log files (and whatnot) as attachments to bug reports. 7z compresses much better than other formats I've tried -- I don't care about winRAR, because as the name implies, it can only compress on Windows machines.

Even if you prefer the ZIP format, use 7z do create the ZIP archive because 7z's ZIP compressor is still better than the competition's ZIP compressor.

Re:Can we finally admit WinRAR is terrible?

How do you add a password to the one in the OS?

Re:Can we finally admit WinRAR is terrible?

>Nobody cares about and extra few percent of zip style compression.
You don't care. Other people do. Sometimes the compression is considerably better than zip.
It also has better encryption than zip. 7-zip is even better.
I'll keep using it thank you very much.

Re:Can we finally admit WinRAR is terrible?

[kbonin]

I've seen issues across several production environments where several .zip tools would miss files in very large archive sets, moving to .7z fixed these issues.

Re:Can we finally admit WinRAR is terrible?

Update me when bloody Windows supports spanning or AES encrypted zip files. Pisses me off no end as we continually end up with fallout from users who assume Windows' zip support is good enough.

Re:Can we finally admit WinRAR is terrible?

[driblio]

File -> Add password...

As I recall. HTH

tr0lL

Contaminated while long term survival are incompatible 'Yes' to any And the striking With process and it was fun. If PI'm For a moment and to the original else up their aases

Wait...

There are still people out there who use WinRAR? WHY?!
It's just an annoyance after 30 days and 7zip is better at compressing, not to mention it's actually free.

Most of the scene has moved on to 7zip

Go on, exorcise your shareware demons forever!

... what?

[thevirtualcat]

So... you can use WinRAR to create an executable file that executes code?

I guess I'd better get cl.exe and gcc off my systems, too.

Re:... what?

But wait,
Windows Executes Code, should i get rid of that too?
No wait, wait,,
My bios executes code as well, should I get rid of that?

Looking at it far reaching
Fundamentally my Hard drive executes code, should i get rid of that?

Since my wireless delivers me executable code to which I can execute should i get rid of that as well?
but wait, wut about linux, unix, BeOS, etc? They all execute code as well, should they be removed?

flawed circular logic is wonderful..

Re:... what?

[KGIII]

> implying that there's code for BeOS

I think you're probably safe with that.

Ridiculous bullshit

An executable file can do anything. So you can make an executable file with WinRAR that does something nefarious. Big fucking whoop. You can make a file that looks like a self-extracting archive and does something else with any old compiler.

TIL: People still use WinRAR instead of 7zip...

And they're complaining about security flaws in closed-source, for-profit software.

Nothing new here

[christose]

Well... Not to underestimate the finding, but frankly it's nothing new. Executables may carry malicious code, no matter how innocent they look.

To avoid running the executable, you can use WinRAR (or 7Zip etc) to open the SFX as if it were a regular archive.

Windows Only.

This is a Windows-only issue. Nothing to see here, move along.

People still use winrar?

Must be for people who need to unrar the 7zip installation file

remote?

[bmorency]

How is this a remote exploit? It seems you have to download the malicious file and run it.

Re:remote?

[pegr]

"remote" as in, unlikely to affect users smart enough to avoid running untrusted binaries.

1000s dying daily from starvation, deception....

millions more going hungry (mostly children), exploding, poorly attended to, marching in the streets for change,,, we imaginary semi-chosens get... even more fake bad news?

No way that many users

WinRAR totally sucks, why would 1/14 of the entire planet's population (not counting the billions of little brown kids without a computer) be using this software?

So it's like shar attacks all over again...

... from before the 90's?

Re: 1000s dying daily from starvation, deception..

that is our fault ? they should use condoms. no irony whatsoever. condoms work against hunger.

Legally prohibited from understanding RAR

[tepples]

7Zip is better in many ways. Lightweight is the one major thing it has on WinRAR.

Some would claim that it isn't even the most major thing. The .7z format is documented, like the .zip format and notably unlike the .rar format, which all about about a dozen people are legally prohibited from understanding because of the UnRAR license.

Making a scene release requires RAR

[tepples]

You would install WinRAR because someone requires you to submit an archive in RAR format and nothing but WinRAR (or command-line products from the same company) can create archives in RAR format. But in practice, I don't expect this to come up very often outside the warez scene, whose release standards have traditionally required split RAR.

Re:Making a scene release requires RAR

[fredgiblet]

Yeah, that's not something normal people need. They require a fair amount of specialized software actually since their standards are pretty static from what I've seen.

Re:Making a scene release requires RAR

You know maybe it's about time the 'scene' updates their fucking standards.

Re:Making a scene release requires RAR

[CronoCloud]

Maybe the "scene" should join the 21st century. As archaic as their rules are, you'd think they're running Win9x on P233's and installing WS_FTP, PKUNZIP and Trumpet WINSOCK on them.

Maybe it's a russian pirate thing... RAR's programmer is Russian. So maybe all those Eastern European/Russian pirates in the warez scene are simply favoring "one of their own" rather than use the "generic industry standards" like tarballs and zip archives favored in the West.

Also when I first heard of RAR, using it instead of ZIP, was trumpeted as some kind of sign of "leetness"

Sharewarez demons

[tepples]

What "scene"? Do you mean the warez scene? I thought it was still using RAR files split into several dozen pieces.

Does anyone actually use WinRAR

since 7-Zip was introduced? Funny.

Critical vulnerability found in WinRAR?

[nickweller]

Using a self extracting winRAR file as a vector to run code on Windows - is a vulnerability is Windows.

'Execution of poc.pl aborted due to compilation errors.'

500 million users at risk via unpatched Window bug

[nickweller]

See samzenpus, it's not difficult to think up an accurate title :)

Glad I use 5.20 then... apk

See subject: This is 1 time I'm GLAD I didn't upgrade! I.E.-> From the vulnerability report here http://seclists.org/fulldisclo... it appears that earlier models are NOT AFFECTED by this...

See, I personally consider to be the BEST archiver overall for years now - I haven't HAD a GOOD SOLID REASON to try others as I have license to it.

E.G.-> I used to consider WinZip that since it has a "perfect fit" for "Form fits function" in its GUI design (both do really for what they do).

However - WinRAR almost consistently does better in memory usage from tests I've seen & done myself, compressing the SAME datasets into it of many kinds, + WinRAR does more formats "natively" (minus having to "shell out" to an external program to do compression for a particular format).

WinRAR "took me away" from WinZip about, oh... 11 yrs. ago or more.

Any of you guys?

FEEL FREE to "Turn me on" to OTHER archivers & their value vs. what I just said, OR point me to tests that would "turn me away" from what I consider one of the BEST programs there is in the shareware/freeware realm.

APK

P.S.=> For once, an update would've turned into a "downdate" for me from this ware

That "few extra %"'s why I chose it

See subject & -> http://it.slashdot.org/comment...

* :)

(I'll take every bit I can in terms of that "few extra %" of compressability personally).

APK

P.S.=> I like WinRAR (5.20 user here, which is a safe model per the vulnerability report which only affects this NEWER one - so, I am GLAD I didn't upgrade for once) & consider it to be one of the FINEST sharewares ever constructed as well as one of the MOST useful almost daily... apk

Agreed man... apk

See subject: This place USED to a lot cooler, circa say, 2005 when I first came around to about, oh... 2008 or so imo.

That's about when the "frist post/frosty" came around, the "mooo cow" (sexconker suprises me here, yes, from what I've seen it's him doing it when he forgot to submit ac doing those) we have now.

Then the "impersonating me" started, & of ALL people (which surprised me quite a bit since I liked a lot of his posts which informed me more on things political/international etc. - et al) Jeremiah Cornelius (former MS employee & now VMWare employee) was the one doing it.

So, trust me - you're NOT the only one putting up with it man...

Then came the freaks that nigh CONSTANTLY hassle, troll, & downmod all of my posts (which I just get around easily reposting, yes, unlimitedly as ac even here)!

See - I remember when we used to actually rationally DISCUSS the various merits/demerits of topics on computing - you gained a lot more insights or points-of-view + know-how then... since nobody "knows it all" in this field, or life.

Now? Well, you know - you said it better than I have, lol, love how you did actually!

(Plus, I don't think you & I have ever had a problem so, there you are...)

APK

P.S.=> Don't feel too bad man since like I said above - I get THAT kind of crap here nearly EVERY single day & every time I post...

However? Man - I LOVE SMASHING THEM INTO THE GROUND WITH FACTS vs. THEIR TROLLING CRAP!

(I know - sounds pretty bad, but after a while? You have to strike back OR sit there & get abused constantly instead - take your pick, ymmv!)... apk

Re: "Real" Names

[hackwrench]

You believe in the concept of a "real" name... How quaint. Sure there is such a thing as a legal name that you use on legal forms, and a lot of times people think that is your "real" name. But how real is it? Is it what your friends, family, acquaintances or coworkers call you? Probably not. I just put hackwrench into Bing and my slashdot page is on the first page of listings. My blog is in the first page of results in Google. That real enough for you?

Solved.

If you are still using Windows global spyware...

http://portableapps.com/apps/utilities/peazip_portable

or...

http://www.peazip.org/peazip-portable.html

In Linux/BSD this isn't an issue. It just works.

Didn't winrar have a nag screen?

[n3r0.m4dski11z]

And require a crack to get working properly? Why would anyone still use that crap. As everyone else has said, 7-zip has I thought, been standard for like 5 years, which is eternity in internet time... Do the slashdot editors still use winrar or something because they are stuck in the glory days of yore?

That, or they really are out of tune with the windows software scene.

Re: 1000s dying daily from starvation, deception..

[KGIII]

But they're not very tasty.

Hehe

They only find out this now? OMG...

Use ZIPmagic - 100% Free (As in Beer) Compression

[zipmagic]

Now is a great time to upgrade to ZIPmagic: www.zipmagic.co/features.html We give away our file compression for 100% free. Yet the product is professionally, fully supported because our core business is disk compression, which is paid. Take a look at the features list I've linked above, and let me know if, even leaving the WinRAR exploit aside, you can think of a reason to not switch? In addition to being 100% free and 100% supported, ZIPmagic completely outclasses traditional archivers such as WinZip and WinRAR. You get tools that WinZip charges $60+ for free with ZIPmagic. And the disk compression angle is one you will not find in any competing archiver at all. It just does not exist on Windows outside of ZIPmagic. Last but not least, I'd be very surprised if a vulnerability of this sort was ever uncovered in ZIPmagic. ZIPmagic's file compression is plug-in extensible and currently has two plug-ins, one based on the excellent open source 7-Zip stack, and the other based on the WinZip proprietary ZIPX format for JPEG compression which even 7-Zip cannot do. ZIPmagic also integrates with Windows Explorer, mounting all archives as regular folders like Windows's ZIPfolders, but does it for all archive types (even RAR, 7-Zip, and ZIPX) - in addition to featuring completely stand-alone archive management applications.

When did winrar not have malware? A long time ago.

I have yet to find a newer copy of Winrar that is not packaged with malware.
Dowloaded from http://www.rarlab.com/ as of 10 minutes of this post.

File - WinRAR x64 (64 bit) 5.21

They keep updating their code every so many days to try to avoid detection. Once the AV guys catch up the malware list repopulates with bad stuff again from their program.
Most recent scan results:
Zillya!
Backdoor.DarkKomet.Win32.27531

How does it affects users?

Premise, I no longer use WinRar as I switched mine and my friends' machines to open source alternatives like 7-Zip and PeaZip years ago.
I wonder why the titles (here and on other website) about n millions of Winrar *users* at risk: if I correctly understood the vulnerability description WinRar is not the target of a possible malicious use of the exploit, it is the vector that can be used to build an infected self extracting (exe) archive containing hidden commands where text and icon data should be, so the real risk is for anyone (not just WinRar users) as now there is an easy & handy tool (Winrar, until patched) that can be used to pack forged self extracting archives.

Capt Obvious here...

... closed source software is harder to inspect, design and coding flaws are more likely to pass undetected and stay for years. Err on the safe side and use Open Source replacements like 7-Zip, j7zip, p7zip, PeaZip...