We regret to inform you there's an RCE vuln in old version of WinRAR. Yes, the file decompression utility

A remote code execution vulnerability existed in an old and free trial version of WinRAR, according to infosec firm Positive Technologies. While a vuln in version 5.7 of WinRAR may not seem like an immediate threat given that version was first released two years ago and has been superseded since, simple shareware/free-to-use …

  1. amanfromMars 1 Silver badge

    For the Greater Benefit of Almightily Attractive Mutually Beneficial Advantage Rigging Leaderships.

    "This opens up the application to many of the vulnerabilities which web applications face within a desktop application. The end result is the threat profile being increased."

    And prime premium endless results deliver the threat profile being increased and improved beyond all reasonable expectation and systemic ken/operational knowledge.

    And that's a Venerable and Certifiable and Virtually Verifiable Greater IntelAIgent Game Changer ...... at least, putting in an appearance just in time and at long last, too.

    What say yous/US ‽ .

    1. Clausewitz 4.0

      Re:For the Greater Benefit of Almightily Attractive Mutually Beneficial Advantage

      A Sino+Soviet+Extras pact can bring balance to the force. Some folks are 100% nationalist. Some folks also are true capitalists.

      1. amanfromMars 1 Silver badge

        Re: Re:For the Greater Benefit of Almightily Attractive Mutually Beneficial Advantage

        A Sino+Soviet+Extras pact can bring balance to the force. Some folks are 100% nationalist. Some folks also are true capitalists. .... Clausewitz 4.0

        A Sino+Soviet+Extras PACT* would irreversibly change and fundamentally redistribute the dynamic direction and ownership of force to relatively anonymous and practically novel, noble players and Stateless Virtual ACTors [Advanced Cyber Threat/Treat Providers]

        PACT* ..... Persistent ACTive Cyber Threat/Treat

        The abiding great temptation then for those, is not to resist the lure to venture into the wares and too enthusiastically sample the fares of the ignoble which would have one then self-identified as an enemy to others who mistook you for a friend in deed in need of feed and seeds.

  2. bombastic bob Silver badge

    at least in Russia

    At least in Russia, when you discover security-related bugs in software, you can report them to the world without being SUED or THREATENED WITH PROSECUTION

    (even if maybe Vlad & comrades have to get the heads-up on the new vulnerability FIRST?)

    1. Gene Cash Silver badge

      Re: at least in Russia

      Hey, with the stupid antics of the Missouri governor, this is actually one time Bombastic Bob is right.

      That idiot is doubling down and still trying to pursue actual criminal charges against the journalist reporting a vulnerability. He hasn't backed off.

      1. sanmigueelbeer

        Re: at least in Russia

        That idiot is doubling down and still trying to pursue actual criminal charges against the journalist reporting a vulnerability. He hasn't backed off.

        No one can fix "stupid". No one.

    2. This post has been deleted by its author

  3. Luiz Abdala

    LGR has WinRAR registered.

    I know at least one person on this planet has the REGISTERED VERSION of WinRAR.

    Clint, from LGR - Lazy Game Reviews YT Channel - bought and registered WinRAR, for the funsies.

    Yes, he bought and registered WinRAR, which in turn sent him a pressed CD with multiple versions for Windows, including Windows 3.11, 98, XP, NT and 10.

    I wonder how the vulnerability is bypassed on the registered version.

    1. rcxb1

      Re: LGR has WinRAR registered.

    2. Joe W Silver badge

      Re: LGR has WinRAR registered.

      If you use freeware and find it useful: chuck some quid to the dev or try and give back to the community - especially the really small teams appreciate it. You'd buy them a coffee if you met them, right? So do that online - now (maybe find one that makes it simple to donate through PayPal or whatever).

      That reminds me: I need to pick up that stuff myself again: I don't write C/C++, at least not well enough to meaningfully contribute there[*], so I did translations. There are short texts (like package descriptions) that do need some (a lot of) care and attention, and since they are short you can do maybe one per week without overextending yourself. The point is: there is work besides programming in open source projects.

      [*] maybe I should find a Fortran project? Or maybe get into helping with some of the R libraries.

      1. Luiz Abdala

        Re: LGR has WinRAR registered.

        I did translations myself, but for one specific app where the guy had a button on *every* command that needed translation and you could post suggestions. I don't even remember what it did.

        You would choose the language you wanted to use, and the app would place the button for every command that had no translation, while letting you see the English (as expected, right?).

        Pretty smart code, if you ask me. And I said *suggestions*, otherwise there would be funny people throwing colorful words in the app.

        He had the app translated in no time, since I took it as a pet project. It was a one-off thing by that programmer, but the app worked flawlessly.

    3. BenDwire Silver badge

      Re: LGR has WinRAR registered.

      Well, I had a registered version too - back in the days when it was a German company (v3.4). Mind you, I also paid for WinZip, such was my conviction that I should pay for all software that I used to ultimately make lots of money from products I designed.

      I've even donated to numerous open source projects over the years - and why not?

  4. Anonymous Coward

    hijacked dialog box

    So the exploit depends on the user opening WinRAR, then doing whatever step opens the vulnerable dialog box, all while the attacker has poisoned their arp cache to redirect to an evil site?

    What am I missing? That vector seems pretty unlikely, especially for the common use case of a forgotten installation of WinRAR? If the exploit was triggered by an evil .rar file, that's a different story.

    1. Joe W Silver badge

      Re: hijacked dialog box

      And why on earth does this program even open that http connection? For the nag-screen? I find this more of a problem than the attack itself.

      Making a trial version with a nag screen and a full version without does not seem like too much of a problem. Yeah, once you do it with license keys that the user can enter those will pop up on some BBS or another (or WaReZ-sites, however these are called these days). The full version will also end up there, though. Lost battle and all.

    2. chuBb.

      Re: hijacked dialog box

      Yup it's pretty low risk on its own, as a reinfection vector it's pretty nasty.

      This sort of thing is exactly the sort of flaw that would let malware back in. I.e. botnet C2 sends out a disinfect command and so appears to be off the machine, leaves behind any number of methods to fart about with DNS, WinRAR nag screen exploited to call home to C2 or new package dropper and you're reinfected. So wouldn't be surprised if similar flaws are actively used to resurrect botnets.

  5. Hey Lobotoman! CALL -151!

    Gently nagging?

    "...a free trial licence before gently nagging users to buy a licence."

    Gently nagging? I must have installed an earlier version...

  6. Geoffrey W

    Surely the only reason to use WinRAR is to write its proprietary RAR files, and who really needs to do that? Just install 7Zip. It opens RAR files even if it can't write them, and it even opens some old virtual hard disks I was wondering how to get files out of; 7Zip did it! I love 7Zip so much I asked it to marry me; it said no and my wife objected but...oh well, we'll just have to stay friends.

    1. sanmigueelbeer

      Yes, 7-Zip is a good alternative.

    2. logicalextreme

      I'd forgotten WinRAR even existed till I saw this article. Now I'm seriously wondering if there are still people out there rocking PKZIP.

      1. Joe W Silver badge

        Oooh, might have that on a floppy somewhere... or maybe I disposed of it. I dumped all of the no-longer-working ones. The 3.5" floppy really was a WORN medium (write once read never).

        1. Anonymous Coward

          "The 3.5" floppy really was a WORN medium (write once read never)."

          Eh... it was more of a WORRIED medium (Write Often Read Regularly Important Eventually Disappears).

          If you bought good disks, treated them with moderate care, and operated your drives in a relatively clean environment, things were good. If your drive was filled with dust bunnies, your disk stock was old AOL disks with new labels slapped on, and you tossed them on the dashboard of your car for weeks on end, you had less reliable results.

      2. This post has been deleted by its author

    3. dhawkshaw

      Another nod to 7zip from me.

      TBF the only time I see .rar files anyway, they are used as a carrier for a malware payload. All rar files we receive via email are quarantined on sight. It's probably last century when I last saw a legit one.

      1. ThatOne Silver badge

        > It's probably last century when I last saw a legit one.

        You saw a legit one???

      2. Anonymous Coward

        RAR = rare

        Yep. My instinctive thought about RAR files is that they are probably warez or otherwise something up to no good.

        Maybe it's because I'm not a Windoze user, but it has always struck me as one of those "OK, it exists, but why on earth is anyone using it" obscure archive formats…

        I mean there's Zip, tar.gz, even LhA, and many more newer compression formats, but RAR has always struck me as a particularly weird one, especially given that there are few ways to create RAR archives with free software. Why did it ever catch on to even a slight extent?

      3. Disgusted Of Tunbridge Wells Silver badge

        Pirated content on Usenet still uses the rar format

    4. Hubert Cumberdale Silver badge

      I see RAR files quite often when I get bundles of LaTeX files from Chinese scientists. Apparently, there's a free Chinese version for some reason. Although I still have no idea why they don't just use the universally accessible ZIP format – as far as I can tell, RAR offers no advantages at all. I just use 7Zip to deflate them and send them back a normal ZIP in the hope that they'll get the message.

  7. This post has been deleted by its author

  8. Timbo

    well, well, well

    I never knew that WinRAR was now owned by a Russian company.

    But what a wheeze it would be to announce that a vulnerability had been found, get everyone to update their old versions (which might not even have such a vulnerability) and let them upgrade to a new version that, while being fixed for the original vuln, now contains some "phone back home" code, to some Russian website somewhere, owned by a dodgy ransomware oligarch?

    1. Claverhouse Silver badge

      Re: well, well, well

      Well, it was invented by a Russian.

      As for Positive Technologies, the Russian company was sanctioned by the US government earlier this year, with America alleging the firm had passed vulns to Russian state hackers instead of disclosing them.

      I wonder if any Americans have ever disclosed vulnerabilities to the 3-letter idiots before anyone else and been prosecuted for that?

      Or indeed if the American agencies themselves ever discovered such exploits and kept them to themselves? It would make them unspeakable hypocrites.

    2. Anonymous Coward

      Re: well, well, well

      Yes. Oh those Sovie^HRussians, they're at it again.

      This is exactly how they operate. There is no proof whatsoever but we have high confidence that it must be Russians. It is always Russians.
