good job 7zip has better compression ratios on all types of files
Smuggle mischievous JavaScript into WinRAR archives? Sure, why not
The popular WinRAR compression software can be abused to produce self-extracting archives that execute smuggled-in JavaScript code when decompressed. A proof-of-concept exploit to pull off the trick has been published, and its creator reckons it works on all versions of WinRAR. It's not quite the end of the world, though: …
COMMENTS
-
Wednesday 30th September 2015 14:05 GMT Rick Giles
Re: Dear Linux user..
Why do people reply with posts like this? It's like reading an article about a cat problem, and posting just to tell people that you own a dog, and dogs don't get feline infections.
A more apt description has never been made.
Linux is loyal like a dog and can be trained.
Whereas a cat is aloof and arrogant and does what it damn well pleases. Just like Windows.
As with cats, all Windows computers should be euthanized...
-
Wednesday 30th September 2015 18:02 GMT Anonymous Coward
Re: Dear Linux user..
Why do people reply with posts like this? It's like reading an article about a cat problem, and posting just to tell people that you own a dog, and dogs don't get feline infections.
A more apt description has never been made.
Linux is yappy and bites you? And needs lots of attention?
-
Wednesday 30th September 2015 17:55 GMT Teiwaz
Re: Dear (non) Linux user..
It's more likely the other way round. Linux is a product for cats. Windows is for when you must be part of the pack.
You only have to look at linux forums to see the old line about 'herding cats' is well mirrored.
Over all I'd rather be a cat than a dog, rather a goat than a sheep.
-
Wednesday 30th September 2015 11:22 GMT Anonymous Coward
> 2. Linux is highly unlikely to be infected by a contagion designed for Windows.
True, but Windows is unlikely to be infected by malware designed for linux, such as whatever infected these little beauties.
Have you looked at your outgoing data usage recently?
-
Wednesday 30th September 2015 14:08 GMT Rick Giles
True, but Windows is unlikely to be infected by malware designed for linux, such as whatever infected these little beauties.
As with all tools, if you don't learn to properly use it, you are going to end up hurting/killing yourself or others.
Besides, that was Asia. Must have burnt down some phone lines and modem banks...
-
Wednesday 30th September 2015 15:42 GMT swampdog
That vuln is equivalent to you using "Administrator" or "password" as the password for an administrator account under windoze. It can be fixed thusly..
sudo cat /etc/ssh/sshd_config | egrep "PermitRoot|PasswordA" | egrep -v "^#"
PermitRootLogin no
sudo /etc/init.d/sshd restart
..and the reason it exists in the first place is because linux often runs on headless machines. You need to get into those remotely at least once in order to set up the real account through which you will always subsequently connect (also: "PasswordAuthentication no").
-
-
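An added example, not part of swampdog's post or of the original thread: a small audit of the two sshd_config keywords named there (PermitRootLogin and PasswordAuthentication). It goes slightly beyond the grep shown in the post by handling indented comments, repeated keywords (sshd uses the first value it reads), the "Keyword=value" form and Match blocks. The function names and the sample config are constructed for illustration.

```python
import re

# Hardened values for the two keywords named in the post above.
WANTED = {"permitrootlogin": "no", "passwordauthentication": "no"}

# Constructed sample config (not from a real host) with the traps a plain
# grep misses: an indented comment, a duplicate keyword, "=" syntax, a Match block.
SAMPLE = """\
Port 22
   #PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication=no
Match User backup
    PasswordAuthentication yes
"""

# "Keyword value" or "Keyword=value"; comment lines never match because of "#".
LINE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.*)")

def effective_globals(text):
    """Map lower-cased keyword -> value for the global section of sshd_config."""
    seen = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line, comment, or keyword without a value
        key, rest = m.group(1).lower(), m.group(2).split()
        if key == "match":
            break  # everything below is conditional, not global
        if rest:
            # sshd keeps the first value it reads for a keyword.
            seen.setdefault(key, rest[0].strip('"').lower())
    return seen

def audit(text):
    """Return one finding per keyword that is missing or not hardened."""
    seen = effective_globals(text)
    findings = []
    for key, want in WANTED.items():
        got = seen.get(key)
        if got is None:
            findings.append(f"{key}: not set, built-in default applies")
        elif got != want:
            findings.append(f"{key}: {got} (want {want})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "ok")
```

Match blocks and Include files are not evaluated here; on the host itself, `sshd -T` prints the configuration sshd will actually use.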
Wednesday 30th September 2015 13:19 GMT ItsNotMe
@Rol
"Linux won the day as the more secure alternative to Windows, but now its popularity has made it vulnerable, according to Akamai."
"Malware that has hijacked Linux systems for the past year has been recorded flooding targeted websites at speeds of over 150Gbps."
"The key takeaway, however, is that attackers aren't only using Windows these days to build botnets - and Akamai warns that this particular example is just part of a wider trend that may have been made possible because Linux was seen as more secure than Windows, causing companies to adopt Linux. So today there are enough Linux systems to make it worthwhile to pick low-hanging Linux fruit, namely poorly configured systems."
http://www.zdnet.com/article/linux-powered-botnet-generates-giant-denial-of-service-attacks/
That's it kid...keep your Linux head in the sand...loser.
-
Thursday 1st October 2015 02:15 GMT Rol
Re: @Rol
Ha ha ha , you're so funny. Are you twelve or suffering some mental disorder?
Or both?
How can I pay sweet FA for a proper operating system that has never failed me and be a loser?
Conversely, how can you pay top dollar for a steaming pile of crap and think you're somehow a winner?
-
Wednesday 30th September 2015 08:12 GMT Ben Liddicott
WARNING: Executable code may execute code
These are executables. Clue is in the acronym: SFX = Self Extracting Executable
So this amounts to: If you can persuade a user to execute an executable, then that executable can execute code embedded in the executable. Like all executables. So this buys you nothing you don't already have.
Not every bug is a security bug. #notavulnerability
-
Wednesday 30th September 2015 08:26 GMT Ben Liddicott
Re: WARNING: Executable code may execute code
"press release" by security researcher mindlessly regurgitated by supposedly reputable sources:
MalwareBytes: Here the very first comment points out how daft it is.
And yet twitter is going wild with people mindlessly retweeting this as if they discovered it.
-
Wednesday 30th September 2015 08:38 GMT Anonymous Coward
@Ben
If you can persuade a user to execute an executable, then that executable can execute code embedded in the executable.
Actually it goes deeper than that. Because people who don't trust these executables also have the option to right click and "open in archiver". Then WinRAR gets started and it'll display the archives contents, and will also provide options to extract it. Many people who don't trust the executable often use this method instead.
Yet that can now also result in issues.
-
Wednesday 30th September 2015 11:25 GMT Captain Underpants
@ Prst. V.Jeltz
For stuff found on random websites, I guess.
Although in a former role I spent some time defining workflows for packaging software installers into SFX files. This was required because some packages we had to deploy required scripted pre- and post-install cleanup tasks (think along the lines of how Java or Skype used to either not remove old versions or wig out on you if you had certain previous releases installed, requiring you to manually uninstall them before proceeding), and the software distribution system in question could accept compressed files - but only on the proviso that, when extracted, the installation command were something like "setup.exe"; it had no method for coping with scripts of any kind that I could find.
7zip is a thing of beauty as far as I'm concerned. I know Windows 10 and PowerShell 5 have finally introduced CLI support for archive-manipulation tasks but I've been very happy knowing that I can compress or extract files as part of a script using 7zip.
-
Wednesday 30th September 2015 14:01 GMT Eddy Ito
Re: @Ben
The problem is that the typical user doesn't care about 7z, zip, rar, bz2 or anything else, they want to open the file which is why self extracting archives exist in the first place. They don't want to deal with decoding file extensions and finding the appropriate utility to open it. This is doubly true since MS turned file extension visibility off by default. The only time you'll find a specific utility on a machine is if a particular format is popular in some region where the user frequents and it isn't handled natively by the OS. The only way 7zip has a hope of gaining a 90% share is if MS and Apple support it natively.
-
Wednesday 30th September 2015 08:42 GMT Anonymous Coward
Re: WARNING: Executable code may execute code
Agreed however for your average user if they download a rar with the executable from a semi-trusted source e.g. newsgroups/torrents used previously with no problem then the temptation to click will be higher depending on how much they want whatever it is they have downloaded. Also your average user will be unaware of this issue as it probably won't be reported in mainstream news.
-
Wednesday 30th September 2015 14:30 GMT Frumious Bandersnatch
Re: WARNING: Executable code may execute code
Well yeah, but no, but yeah.
It all depends on whether the routine to display the sfx text is only called when running the output exe program or if it's called in the normal run of displaying the archive contents. Both the article and the vulnerability description just mention "opening" the archive and it's ambiguous what's meant by this.
-
Thursday 1st October 2015 12:49 GMT darklordsid
Re: WARNING: Executable code may execute code
The issue is the code is sneaked in due to a fault in the way sfx "text and icon" data is assembled by WinRar.
I agree that no one is in error if distrusts any unknown executable from any unknown source, but the point is that the vulnerability allows to easily add executing code where it should not be.
In any case I would generally recommend Open Source software like 7-Zip, PeaZip (can open also RAR5 archives), p7zip... rather than closed source ones, as code audit is easier (not burdened neither by i.p. issues nor hampered from unavailability of the full code base) and security issues are usually found and fixed faster.
-
Wednesday 30th September 2015 08:22 GMT Velv
Nice of Mohammed to publish it straight to the wild instead of giving the authors a chance to remedy any vulnerability prior to release (90 days notice?). (the article doesn't mention any notice being given)
Aiding and abetting criminal behaviour by showing open doors to criminals. Don't get me wrong, vulnerabilities need exposed, but it should be done in a controlled manner that minimises the risk of widespread exploitation to further compromise the Internet.
-
Wednesday 30th September 2015 08:46 GMT Pascal Monett
"software download sites like CNET and Softpedia"
Who never give you a link to the file you wish to download, but link to a wrapper that has to install on your PC and launch in order to download.
I know how to download. You know I know how to download. You putting a wrapper in there has sod all to do with "enhancing the user experience" and everything to do with sucking private data from me.
I never download from any site that forces a wrapper on me. There is literally no good reason for that behavior.
Besides, I've been using 7zip for years now. That's not going to change.
-
Wednesday 30th September 2015 12:50 GMT Shades
Re: "software download sites like CNET and Softpedia"
I've found that if you look carefully enough (and I mean very carefully) there is usually a link to directly download a file hidden somewhere amongst all the crappy in your face attempts to get you to download their "installer" first. I know I've downloaded stuff from the aforementioned sites and never ever installed the sites own "installers".
-
Wednesday 30th September 2015 09:21 GMT Proud Father
A real shame, but it happens.
I have followed WinRAR for a long time, ever since I bought a license in fact.
The code quality by the author is excellent, the alpha builds are more stable and bug free than some 'release' software I could mention.
There is currently a version 5.30 beta 4 so I'm sure the fix will be applied pretty quickly.
-
Wednesday 30th September 2015 20:29 GMT John Brown (no body)
Re: My Curiosity
"Until you encounter a RARv5 archive which 7zip doesn't recognize. That's why I have to keep WinRAR v5+ as a secondary target."
Does WinRAR not still install the rar and unrar command line tools? If it does, will unrar filename.rar|sfx or rar x filename.rar \dest\dir\ work without triggering this bug/vuln? And likewise, will they work with a RARv5 archive?
I ask because it's some years since I dealt with rar files on Windows and I used to download enough rar files to make it worth scripting batch files to test and extract them to suitable locations. I use FreeBSD these days and I've not seen a rar file that rar/unrar couldn't extract. Maybe I've just not seen a RARv5 file yet since I don't see rar files of any type very often these days <shrugs>
-
Wednesday 30th September 2015 13:51 GMT badger31
+1 for 7-zip
It's on my list of windows essential programs (Chrome, Firefox, VLC, Programmers Notepad, etc.).
Plus, on the rare occasions when I have downloaded an executable file, I always ask 7-zip to take a look inside, even if I trust the source, even if I don't think it's an SFX, because just in case, you know.
-
Wednesday 30th September 2015 18:45 GMT Henry Wertz 1
Why do people reply with posts like this? Because.
"Why do people reply with posts like this? It's like reading an article about a cat problem, and posting just to tell people that you own a dog, and dogs don't get feline infections."
I don't reply with posts like that (usually). But I can see why people do -- too many people comment as though it's a natural state for computers to have to be on this vigilant lookout for viruses, and spyware, and updates from the vendor that do bad things, and buggy updates, and weird software conflicts, and on and on and on. These people like to point out that this is just Windows, not the natural state of all computers.