High severity vuln in WinRAR could allow code to run when files are opened

Users of the popular WinRAR compression and archiving tool should update now to avoid a vulnerability that allows code to be run when a user opens a RAR file. WinRAR is one of the many apps available for compressing and packaging multiple files together for distribution or archiving, and is claimed as the world’s most popular …

  1. Yet Another Anonymous coward Silver badge

    WinRAR security hole?

    But how will I install special_craked_game.exe?

    1. Martin-73 Silver badge
      Devil

      Re: WinRAR security hole?

      Use the .exe that came with it ;)

    2. steviebuk Silver badge

      Re: WinRAR security hole?

      7zip.

  2. jonha
    Happy

    Also available for Linux... if you're no CLI hater :-)

    I've been using the Linux version of (Win)RAR for many years... my Reg file works for both versions though I am not sure about giveaway licences. Some may find the CLI-only Linux version a bit sparse but it has the same functions as the Windows version, just not as much eye candy.

    1. JulieM Silver badge

      Re: Also available for Linux... if you're no CLI hater :-)

      It doesn't seem to come with Source Code, though. That's a dealbreaker, as far as I am concerned.

    2. John H Woods Silver badge

      Re: Also available for Linux... if you're no CLI hater :-)

      Genuine question: what's the point of RAR on linux? Better compression?

      1. adam 40 Silver badge

        Re: Also available for Linux... if you're no CLI hater :-)

        Uncompressing free pr0n.

        1. Anonymous Coward
          Anonymous Coward

          Re: Also available for Linux... if you're no CLI hater :-)

          >> Uncompressing free pr0n.

          LOL.

          Reminds me of the story of the colleague with a work laptop full of dwarf-porn. When challenged he said he wasn't really into it but it did take up less space on the hard drive.

      2. GottZ

        Re: Also available for Linux... if you're no CLI hater :-)

        there is a project called rar2fs which can fuse mount a directory and unpack rar files on-demand in memory, so the mount looks as if you unpacked all rar files prior to directory browsing.

        benefit:

        you can watch downloaded warez movies without needing to unpack them first.

        why is this a benefit? because extractions take space and you might want to continue seeding back to the community without increased storage requirements.

        other benefit:

        rar is (to my knowledge) the only archive file format that supports seeking.

        you can extract a single file from it without decompressing the prior files first, due to a lookup table with its directory structure present within the rar file.

        you can essentially use a .rar file like a cd image in this case.

        unlike tar or zip where you have to run through the archive first, in order to extract what you want.

        obviously this is optional and can be disabled for higher compression results, but it's pretty common in scene releases to only have per-file compression (if any at all).

        1. Brewster's Angle Grinder Silver badge

          Re: Also available for Linux... if you're no CLI hater :-)

          Zip allows files to be extracted individually. There's a directory at the end that points to the files. You can use that directory to extract individual files without decompressing earlier files. (.tgz has that problem, though.)
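The point made in the two comments above, that a lookup table at the end of the archive lets a reader jump straight to one member, shown for zip as an added Python example that is not part of the original thread. The archive is constructed in memory; the function names are assumptions.

```python
import io
import struct
import zipfile
import zlib

EOCD_SIG = b"PK\x05\x06"  # end of central directory record, found at the tail of the file
CEN_SIG = b"PK\x01\x02"   # central directory file header, one per member
LOC_SIG = b"PK\x03\x04"   # local file header, stored directly before each member's data

def build_sample_zip():
    """Constructed sample archive (not from the page): three deflated members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, word in (("a.txt", b"alpha "), ("b.txt", b"bravo "), ("c.txt", b"charlie ")):
            zf.writestr(name, word * 100)
    return buf.getvalue()

def read_central_directory(data):
    """Locate the EOCD by scanning backwards, then walk the central directory."""
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 65557))  # bounded search, as real readers do
    if eocd < 0:
        raise ValueError("no EOCD record: not a zip or truncated")
    n_entries, cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    entries, pos = [], cd_offset
    for _ in range(n_entries):
        (sig, _, _, _, method, _, _, crc, csize, usize,
         nlen, xlen, clen, _, _, _, lhoff) = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        if sig != CEN_SIG:
            raise ValueError("corrupt central directory")
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8")
        entries.append({"name": name, "method": method, "crc": crc,
                        "csize": csize, "usize": usize, "lhoff": lhoff})
        pos += 46 + nlen + xlen + clen
    if pos != cd_offset + cd_size:
        raise ValueError("central directory size mismatch")
    return entries

def extract_member(data, wanted):
    """Extract one member via its local header offset; other members are never read."""
    entry = next(e for e in read_central_directory(data) if e["name"] == wanted)
    lh = entry["lhoff"]
    nlen, xlen = struct.unpack_from("<HH", data, lh + 26)
    # Defensive check: the local header must agree with the central directory entry.
    if data[lh:lh + 4] != LOC_SIG or data[lh + 30:lh + 30 + nlen].decode("utf-8") != wanted:
        raise ValueError("local header disagrees with central directory")
    start = lh + 30 + nlen + xlen
    raw = data[start:start + entry["csize"]]
    out = zlib.decompress(raw, -15) if entry["method"] == 8 else raw  # 8 = deflate, 0 = stored
    if len(out) != entry["usize"] or zlib.crc32(out) != entry["crc"]:
        raise ValueError("size or CRC mismatch")
    return out
```

The consistency checks matter in practice: the central directory and the local headers are two descriptions of the same data, and an archive whose two views disagree is a classic source of parser confusion.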

      3. jonha

        Re: Also available for Linux... if you're no CLI hater :-)

        No, not better compression. As a rule 7z is the better compression utility, sometimes significantly so. However, as commented elsewhere RAR can create redundant archives (with user-definable amounts of redundancy) which makes sure that files in the archive can be accessed even when parts of the archive become corrupted or unreadable (happened twice in 20+ years).

      4. hedgie Bronze badge

        Re: Also available for Linux... if you're no CLI hater :-)

        Electronic formats for comic books/graphic novels are usually .cbr files (ie, a rar file that the reader recognises and uses).

  3. Lil Endian Silver badge
    Thumb Up

    Good Find

    Good find and well handled. Good job goodbyeselene and RARLAB.

  4. mikus

    I still laugh every time I see an enterprise that rolls out winrar or winzip on a corporate level, I can only ever say "eww" or think "what silly old warez d00d admin put this out there?". Particularly when there are far better and far more open and un-encumbered license-wise solutions like 7zip that don't come with a shareware trial nag on every launch. Keep it classy y'all.

    1. Pascal Monett Silver badge

      Yep. I'll be honest, I used to use WinRar before 7zip came out.

      But, ever since 7zip has been available, I had been steadfast in using it and talking about it around me.

      1. Mishak Silver badge

        Yes, but...

        Have you ever looked at the source code for 7-Zip?

        It may "work", but there's no way I would want to generate the test vectors for it.

        It does have some comments, but mainly commented-out code - including things like "if ( some-condition)" being commented out to make the following block unconditional.

        One of the functions is something like 1500 lines long, and includes a number of potentially-infinite nested loops.

        Still, it seems to do the job if you can ignore the fact that it may have similar security vulnerabilities ;-)

        1. Paul Herber Silver badge
          Facepalm

          Re: Yes, but...

          I prevent bugs like that by always looping to infinity -1.

          1. Benegesserict Cumbersomberbatch Silver badge

            Re: Yes, but...

            Attachment: Cantor_Hotel.rar

          2. CowHorseFrog Silver badge

            Re: Yes, but...

            Wouldn't you run out of memory creating the number holding all them digits?

        2. emfiliane

          Re: Yes, but...

          Igor, bless his heart, is a genius at fancy maths and dirty coding tricks, not so much software engineering or UX. It's a throwback to that age when all compression and encryption code looked like that, heck, most software in general, and it's probably the only reason I've visited Sourceforge in years. Unrar (the only free and open source part of rar) has been cleaned up dramatically over the years compared to early releases, so it's not that ugly anymore, but it started in a quite dire state. Too bad Igor declines pretty much any code contributions, including cleanup patches.

    2. jonha

      Well... I use 7z for many things (it's faster and normally has better compression rates than RAR) but for everything that has to survive for a long time and is REALLY important I use RAR only. Main reason is that RAR can add user-defined amounts of redundancy to an archive, so even if bits of an archive go and bit-rot, chances are I can still access most if not all of it. I don't think 7z has such a feature.

      1. mark l 2 Silver badge

        Interesting, I didn't know RAR archives could do that. I guess that goes to explain why a propriety program like WinRAR is still relevant when Windows has natively supported ZIP for decades, and open source alternatives such as 7zip have been around for a long time too.

        I did see there was an open source archive format called Freearc that supported recovery records, but it looks like the project has died since there haven't been any new releases since 2016.

        Maybe this is something that 7zip can add support for in newer versions going forward?

        1. DanceMan

          Proprietary is the word you were looking for.

        2. GottZ

          keep in mind why zip is present in windows..

          dave plummer made this in his spare time while working for windows.

          it was a third-party tool initially and microsoft asked to buy it from him and integrate it into windows.

          I suspect it just never was touched again since then, and thus the reason why there is only zip support.

      2. Nick Stallman

        For format independent recovery records just use par2. It lets you add recovery information as separate files for any kind of data type.

      3. Fred Daggy Silver badge
        Meh

        If survivability is key, then TAR, optionally followed by GZIP will be your friend.

        Source code available and should be runnable even 10,000 years down the track. Add in checksums to data before and after you TAR it.

        Personally, I use 7-zip, but I have had my arse saved by tar (via Cygwin) for storing of system logs on Windows. S-ox records and a PFY auditor - "can you prove you never changed this?". Yup, and here you go ....

        1. adam 40 Silver badge

          CPIO rules

          cpio -oBcduv

          There are some advantages over tar, such as restoring _all_ date stamps.

        2. heyrick Silver badge

          Wow.

          Assuming our species is still around in 10,000 years, I rather imagine that anything we create now (data, source code, etc) will be incomprehensible cuneiform scribbles by then.

          1. Nifty

            It's being used to keep the records of where we stored the nuclear waste.

      4. Piro Silver badge

        Yeah, rar is king if you want to protect files in the long run

      5. heyrick Silver badge

        "RAR can add user-defined amounts of redundancy to an archive"

        Dumb question, but why not use your preferred archive format and make copies? That way, if one media is failing you can use another.

        Think of it as hardware assisted redundancy. ;)

    3. Dan 55 Silver badge

      I don't see how unregistered WinRAR could be approved for corporate use anyway given its licence.

  5. ludicrous_buffoon
    Unhappy

    Need money to plug holes

    This is what we get for ignoring their desperate pleas and never sending them the $29.99.

    1. Martin Summers

      Re: Need money to plug holes

      I was going to make a comment like this until I saw yours. Yeah just think of the millions of shareware abusers out there now with Day 800 of a 30 day trial :-) WinRAR has the last laugh!

  6. JulieM Silver badge

    Never trusted it.

    I knew I didn't trust .rar when even the Source Code for the decompression utility carried an unenforceable but still scary admonition that it was not to be used for developing a compatible compression tool.

    In my experience, that sort of behaviour has *always* meant the person who wrote it thought they had done something really clever.

  7. Locky

    Both the licensed users will be furious

  8. DrXym

    Well that's not good

    I expect piracy websites will be filled with exploited .rar files along with all the other stuff they do to catch people unawares, e.g. .scr files, .wmv files etc.

  9. Mike_JC

    I used to use WinZip but every update to Windows 11 broke WinZip, needing to pay for an update, so now I use 7-zip which is free to use and bug-free.

  10. steviebuk Silver badge

    Was tempted

    As a bit of history, to buy it and get the CD delivered but now see that "updates" are a yearly subscription so they can go fuck a duck.
