WinRAR zero-day exploited since April to hack trading accounts (bleepingcomputer.com)
177 points by mikece on Aug 23, 2023 | 131 comments



Oh WinRAR. Before my time with Windows ended 10-12 years ago, this was one of the first programs I installed on a new Windows setup. Feature-wise, I haven't seen any tool beat WinRAR: locking, splitting, recovery support, and my favorite, SFX archives (MSI file equivalent). Creating an installation program was dead easy. And they were and still are cool enough to give a perpetual free trial in exchange for a few nagging screens.


>Feature-wise, I haven't seen any tool beat WinRAR: locking, splitting, recovery support, and my favorite, SFX archives (MSI file equivalent). Creating an installation program was dead easy.

Doesn't 7zip do all of this (and quite a bit more)?


I don't know about today. But WinRAR could handle very large files without issue. It would automatically break up a huge file into a series of smaller compressed files. 7zip AFAIK struggled with larger files. I don't know if things have improved or not.


Not sure what's considered large but I've created 50-150GiB (after compression) encrypted archives with 7zip just fine.


This was years ago when I had database backup files to be SFTP'd from a New York data center to California. The backups were half a terabyte or more. It was quite an ordeal back then.


That was my first encounter with RAR in the DOS days - multiple-volume archives, with each 1.44 filled to the brim.


File sharing sites where you would download 13 .rar files and get yourself a .zip through to .z12 from the set.


Indeed it might. It's been more than a decade since I last used them.


no recovery record on 7z


While the article does not make this clear, I assume that, when dealing with an infected RAR archive, if you right-click and choose Extract, the malicious payload does not get executed.

It seems you only get infected if you double-click a malicious RAR archive and then, within WinRAR, double-click one of the legitimate PDF or image files.

Either way, it's a bad scenario - I just would like to know. Thanks.


Related: another recent vulnerability from last week:

https://news.ycombinator.com/item?id=37179505


Do we know if the unrar command line tool[0] is similarly affected? I can't seem to find anything that says one way or the other.

[0] https://packages.debian.org/stable/unrar


Is it really a "zero-day" if it's being used months later?


I can stretch the definition of zero day to make a point. Zero day is a surprise exploit that gets used before it is discovered. WinRAR has not fixed this exploit, and since it's proprietary software we don't even know if the company is even aware or even cares.

It's also like a zero day in the other sense that protections against the exploit haven't been developed. While in a real zero day that's because not enough time has passed for volunteers to develop protections, the case here is that proprietary software can't be modified by volunteers.


Not if the devs weren't aware. Zero day borrows its terminology from contracts, where zero-day notice means that no prior notification is needed. A zero-day exploit is one that's circulating in the wild prior to there having been a formal disclosure.


it's a zero-day when it is not patched but still exploited


I think it means that this exploit has been possible since the application was made, the zeroth day.


It doesn't. Technically, zero-day in the context of exploits means the exploit was circulating and/or being used before the authors of the attacked piece of software were made aware of the vulnerability (or before the vulnerability was made public, or before the day a patch was made available, depending on who you ask).


This may be a good place to ask this. Legitimate question, why do people still use WinRAR and 7zip and stuff? Zip is built into literally everything. I don't really want to have to download another application to unpack something I get.

Is there a good reason? It frequently feels like it's used just to make extra work for the downloader.


.7z gets way better compression than .zip, in my experience. Plus, 7-zip can handle the odd archive here and there that I'm forced to download on my corporate PC that Windows cannot. Like a tarball.

Finally, the built-in integrity hashing that 7-zip adds to the right-click context menu in Windows is crazy useful.

So to answer your question: there are plenty of legitimate reasons to still use 7zip. I can't think of any legitimate reasons to still use WinRAR, though...


One advantage of WinRAR over 7-Zip is the option to add recovery data and data parity recovery files. This can of course be accomplished on any file using PAR2 but it saved a step which some people liked. Not everyone needs this option. I create PAR files when I back up important archives to multiple external drives. par2cmdline [1] is in some Linux repositories.

[1] - https://github.com/Parchive/par2cmdline [In need of a new maintainer]


MultiPar is the continuation for Windows https://github.com/Yutaka-Sawada/MultiPar

And this for Linux https://github.com/animetosho/par2cmdline-turbo


I may be wrong, but rar files appear to be recoverable when the download has not finished, but last time I tried I could not do anything with a partial 7z archive.


WinRAR can _create_ RAR files. In fact it's one of the only pieces of software that can. The decompression algo is free, so it's implemented in 7zip. Compressing files in the format is what they want you to pay for.


Sure...but in this day and age I almost consider .rar a "read-only" format. There will be plenty of RAR archives that people are keeping around for historical reasons, but, why would you still be creating WinRAR archives when there are better options?


> there are better options?

Which are?

If you need the interop then you can't beat ZIP

If you need a built-in recovery record (and find a working decompressing program 10-20 years later) then you can't beat RAR

If your corporate is insane and forbids 7z because it's FOSS/made by a Russian then you can't beat RAR

Which are those 'better options'?


Your corporate should look up who makes WinRAR.


Thanks, I know who Eugene is and where he is from.


tar? XD


On Usenet RAR/PAR is still the standard


Hopefully that slowly stops being the standard: https://github.com/animetosho/Nyuu/wiki/Stop-RAR-Uploads


Probably not, if the releases come from scene groups they follow the standard.


If you search up guides on how to upload to Usenet, you'll often find most of them recommend creating split RARs.

Uploaders who just transfer scene releases without bothering to extract will of course stick to RAR, but there's a lot of content these days that isn't from scene groups.


> The decompression algo is free

Is the algorithm itself actually available somewhere? IIRC 7zip had compatibility issues with some RAR files out there that open up just fine with WinRAR, so I assumed they had to figure out the algo themselves.


>Is the algorithm itself actually available somewhere?

https://www.rarlab.com/rar_add.htm

The source has the following restriction:

      UnRAR source code may be used in any software to handle
      RAR archives without limitations free of charge, but cannot be
      used to develop RAR (WinRAR) compatible archiver and to
      re-create RAR compression algorithm, which is proprietary.
      Distribution of modified UnRAR source code in separate form
      or as a part of other software is permitted, provided that
      full text of this paragraph, starting from "UnRAR source code"
      words, is included in license, or in documentation if license
      is not available, and in source code comments of resulting package.


> Finally, the built-in integrity hashing that 7-zip adds to the right-click context menu in Windows is crazy useful.

Ironic, isn't 7-Zip the program where the developer has famously refused to provide download hashes or digital signatures of the release binaries?


Interesting, never heard of tarballs being classified as odd before. They are still widely used.


If it's something you intend to package to a non-Windows user then sure it's not odd. I send file archives to non-tech users all the time internally. I absolutely do not tarball them, I zip them. When it comes to less tech savvy users, a tarball is definitely an odd format to deal with.


If you're a non-developer Windows user, you won't encounter a tarball in the wild very often. I think I first ran into one when I wanted an emulator in the early aughts (as a teenager) and found it on Sourceforge.

My immediate thoughts were, "What the hell is this?" and "Why didn't they just give me an EXE?"


Microsoft is (finally) adding native support for tar/gz/bz2/rar/7z (edit: and xz/zstd) to Windows, so third party apps shouldn't be required for much longer.

https://blogs.windows.com/windows-insider/2023/08/18/announc...

It's only available on the preview channel for now but it's coming.


Command line support for these formats has existed in Windows for multiple years via bsdtar which has shipped with Windows for quite a while now.


Huh? Parent was talking about bz2, xz.


The comment originally mentioned tar/gz/bz2/rar/7z support being added to Windows. bsdtar supports all of these.


bsdtar is backed by libarchive, which supports all the formats listed at https://github.com/libarchive/libarchive/wiki/LibarchiveForm...


Have they added lz4 and xz as well?


I don't have a preview channel install handy to check, but they're using libarchive so here's the full list assuming they expose everything it supports:

https://github.com/libarchive/libarchive#supported-formats

edit: amended my last reply, Microsoft's latest blog post says that XZ and Zstd are also supported.


Great, a new attack vector.

Don't get me wrong, I love that they add support for more open source formats, but decompressors (especially written in C) are one of the most common sources of bugs basically everywhere. I wish they would sandbox it, but they probably won't.


Having the decompressor updated automatically by Windows Update is a significant step up from the current status quo of installing WinRAR or 7zip once and then usually never updating it for years because it has to be done manually. Microsoft will probably have more diligence in hardening the binaries than 7zip too, which resisted enabling basic exploit mitigations like DEP and ASLR until 2018 and still doesn't enable the more advanced MSVC mitigations as far as I'm aware. There's no excuse for that in an application that's expected to handle untrusted files.
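The DEP/ASLR point above is something a defender can verify directly on any parser binary they ship, since those mitigations are opt-in bits in the PE optional header. This is an added example, not the thread's or 7-Zip's code; the header it parses is a constructed stand-in built by `build_minimal_pe`, so it says nothing about what any real 7-Zip build sets.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses
DYNAMIC_BASE    = 0x0040   # ASLR: image may be relocated at load time
NX_COMPAT       = 0x0100   # DEP opt-in: data pages are not executable
GUARD_CF        = 0x4000   # Control Flow Guard

MITIGATIONS = {
    "aslr": DYNAMIC_BASE,
    "high_entropy_va": HIGH_ENTROPY_VA,
    "dep": NX_COMPAT,
    "cfg": GUARD_CF,
}


def pe_mitigations(image: bytes) -> dict:
    """Read the optional header's DllCharacteristics field and report which
    opt-in mitigations the linker set.  Raises ValueError on anything that is
    not a PE image rather than guessing."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                           # optional header follows COFF
    if opt_size < 72 or len(image) < opt + 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):           # PE32, PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    report = {name: bool(dll_chars & bit) for name, bit in MITIGATIONS.items()}
    report["bits"] = dll_chars
    return report


def missing_mitigations(image: bytes) -> list:
    """Names of the mitigations a parser of untrusted input should have
    but this image lacks."""
    report = pe_mitigations(image)
    return [name for name in MITIGATIONS if not report[name]]


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed, header-only PE image for the demo: not loadable and not
    taken from any real program.  Only the fields the checker reads are set."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header right after DOS header
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, sections, timestamp, symtab ptr, symbol count, optional size, characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


if __name__ == "__main__":
    legacy = build_minimal_pe(0, pe32plus=False)
    hardened = build_minimal_pe(DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT | GUARD_CF)
    print("legacy build lacks:  ", missing_mitigations(legacy))
    print("hardened build lacks:", missing_mitigations(hardened))
```

On a real file, pass `open(path, "rb").read()` to `pe_mitigations`. These bits record only what the linker opted into; system-wide Exploit Protection policy can force DEP or ASLR on top of them, so a clear bit means "not opted in", not "definitely unprotected".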


This is implemented via libarchive which has actually shipped along with bsdtar for years now in Windows. They are just adding Windows Explorer support for them.


Covered by Microsoft Bug Bounty Program


Please, not even Linux distros add those by default yet. Microsoft won't consider it until at least 2030.


Niiiice!


7Zip - the tool, not the format - is about as unobtrusive to use as it gets, supports every archive format we deal with on a regular basis, has a very tolerable license and provides better feedback than Explorer's zip. It also handles our zip files that Explorer is known to choke on.

And because we can assume everyone in the office has 7zip, we don't have to create zips for things that go between windows and linux systems.


>unobtrusive

We are talking about the program that adds like four options to the right click menu throughout your entire system right?


In the submenu. And it's useful not to wrestle with the unregistered filetypes or just RMB on some .exe to be able to unpack it.


I've used 7zip for a decade and just a couple of months ago I discovered that, in addition to everything I knew about already, it also has a SHA-256 checksum tool in its context menu! It is legitimately one of the most useful utilities on my system.


You can choose what shows up in that context menu or choose to show nothing at all, you can also choose to have it cascade (which I believe is the default).


Arguably very useful options. For instance, try using 7zip to extract an .exe installer sometime -- right click on it and extract it into its own dir and see what is in it.


I upvoted you, as people are so intolerant today that they downvote anything they don't like, like spoiled kids. It is crazy.

That said, RAR and 7zip compress much, much better than ZIP (faster or more).


Thank you, I was worried about that. I wonder about this a lot and HN always seemed like the right place to ask!


As a sysadmin, I frequently deploy 7zip via .msi to all machines that I think might even have the slightest use to open archive files. It's not that the OS doesn't support .zip, it's that the OS ONLY supports .zip out of the box and the OS .zip file manager is inadequate in many troubleshooting scenarios.

Sometimes you need to split archives. Sometimes you want to open a non-standard file type with something to unpack it (.xlsx/self-extracting .exe). Sometimes you've got Software Restriction Policies that prevent standard %temp% extraction installers from running and need to manually extract a package.

This is the short list.


I use WinRAR because 7zip's handling of tar.gz/bz is abysmal. It first opens the .gz so you have a list containing the tar. Then you can double click the tar to browse it, but it will need to extract it fully to the temp folder first.

WinRAR opens a .tar.gz like any other single-format archive (zip, rar, 7z) so it's much much faster, but also more intuitive.

Even though I use WinRAR, I only create ZIPs for compatibility with others. I would also stick to ZIPs if I were to use 7zip.


WinRAR has way more useful options available than 7-zip. Like adding a recovery record, storing certain file extensions without compression, etc.


You don't occasionally need to open .7z or .tar.gz files?


I do but I wouldn't if other people didn't put them in that format instead of zip. That said, I know tar.gz is native to linux so that one I understand more than 7z but this thread is showing there are definitely legit uses!


> You don't occasionally need to open .7z

I do and I absolutely loathe it when something is compressed as 7z.


Probably because all those youtubers say to download WinRAR to extract files so people don't know that there are better alternatives.

I also recommend NanaZip (a fork of 7zip) instead of 7zip since it integrates better with Windows 11 context menu.


IIRC there was some issue with non-Latin characters in filenames in zips on older Windows.

The details escape me, but I live somewhere with a non-Latin script and RARs were very popular here ten-fifteen years ago for this reason.


Many older formats, ZIP included, didn't standardise on an encoding, so they just use whatever the local 8-bit encoding happens to be. And if your system charset is different from the ZIP creator's, you could get messed up filenames.

This is just another cost of sticking to legacy formats.
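The garbling described above can be reproduced without any legacy system: the ZIP general-purpose flag bit 11 (EFS) is the only thing that says a name is UTF-8, and when it is clear readers fall back to IBM code page 437. This is an added example, not code from the thread; it hand-builds a one-entry archive whose filename bytes are Windows-1251 (a constructed sample) and shows what Python's `zipfile` makes of it, how to recover the name when you know the creator's code page, and that the same name round-trips cleanly once the EFS flag is set.

```python
import io
import struct
import zipfile
import zlib

# Constructed sample (not from any real archive): a Russian filename written
# the way a legacy archiver on a Windows-1251 system would store it, as raw
# cp1251 bytes with the EFS flag clear.  Nothing in the archive records which
# code page was used; that is the root of the mojibake problem.
LEGACY_NAME = "отчёт.txt"
LEGACY_CODEPAGE = "cp1251"
PAYLOAD = b"quarterly numbers\n"

EFS_FLAG = 0x0800           # general-purpose bit 11: name and comment are UTF-8
DOS_DATE_1980_01_01 = 0x21  # any valid DOS date; the value is irrelevant here


def build_one_entry_zip(name: str, codepage: str, data: bytes, efs: bool = False) -> bytes:
    """Build a one-entry, stored (method 0) ZIP by hand so we control the raw
    filename bytes and the EFS flag; zipfile.ZipFile chooses both for you when
    writing.  efs=True models a modern archiver: UTF-8 bytes plus the flag."""
    raw_name = name.encode("utf-8" if efs else codepage)
    flags = EFS_FLAG if efs else 0
    crc = zlib.crc32(data) & 0xFFFFFFFF
    size = len(data)
    # Local file header: sig, version needed, flags, method, time, date,
    # crc32, compressed size, uncompressed size, name length, extra length.
    local = struct.pack("<4s5H3I2H", b"PK\x03\x04", 20, flags, 0, 0,
                        DOS_DATE_1980_01_01, crc, size, size, len(raw_name), 0)
    local += raw_name + data
    # Central directory header: the same fields plus comment length, disk
    # number, internal/external attributes and the local header offset (0).
    central = struct.pack("<4s6H3I5H2I", b"PK\x01\x02", 20, 20, flags, 0, 0,
                          DOS_DATE_1980_01_01, crc, size, size, len(raw_name),
                          0, 0, 0, 0, 0, 0)
    central += raw_name
    # End of central directory: one entry, central directory size and offset.
    eocd = struct.pack("<4s4H2IH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def list_names(zip_bytes: bytes) -> list:
    """Entry names exactly as zipfile decodes them.  With EFS clear the ZIP
    spec says cp437, and zipfile obeys, so a cp1251 name comes out as
    Greek/box-drawing mojibake."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def read_entry(zip_bytes: bytes, name: str) -> bytes:
    """The file data is untouched by the problem; only the name is garbled."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


def repair_legacy_name(decoded: str, codepage: str) -> str:
    """Undo the cp437 assumption.  cp437 maps every byte to exactly one
    character, so re-encoding returns the original bytes, which are then
    decoded with the code page the archive was really written on.  The caller
    must supply that code page; the archive cannot tell us."""
    return decoded.encode("cp437").decode(codepage)


def demo() -> dict:
    legacy = build_one_entry_zip(LEGACY_NAME, LEGACY_CODEPAGE, PAYLOAD)
    modern = build_one_entry_zip(LEGACY_NAME, LEGACY_CODEPAGE, PAYLOAD, efs=True)
    garbled = list_names(legacy)[0]
    return {
        "garbled": garbled,
        "repaired": repair_legacy_name(garbled, LEGACY_CODEPAGE),
        "modern": list_names(modern)[0],
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:9s} {value}")
```

Python 3.11 and later also accept `zipfile.ZipFile(..., metadata_encoding="cp1251")`, which applies the same fix while reading; the code above avoids it only to stay version-independent.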


That's interesting! I feel like I've run into that as well pulling down a repo or something at some point!


7zip is great if you are zipping up your own data.

RAR is used on the internet because large files get broken up into smaller parts to get transferred and you can use RAR to determine whether your compressed fileset is legitimate or if it needs repair. That's where recovery volumes come in. If it won't unrar, then you can just add enough recovery files until it does.
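A simplified illustration of the recovery-volume idea raised here and in the PAR2 comment earlier in the thread, added as an example and not RAR's or par2cmdline's code. RAR's recovery volumes and PAR2 use Reed-Solomon coding so several lost volumes can be rebuilt; this single XOR parity volume covers the one-lost-volume case, and the per-volume digest manifest is what answers "is this set legitimate or does it need repair" before anything is rebuilt. The sample payload and volume size are constructed.

```python
import hashlib

# Constructed sample data: splits into four volumes with a short last one,
# like a multi-volume archive set.
SAMPLE = b"The quick brown fox jumps over the lazy dog, then naps."
VOLUME_SIZE = 16


def split_volumes(data: bytes, volume_size: int) -> list:
    """Cut data into fixed-size volumes; the last one may be shorter."""
    return [data[i:i + volume_size] for i in range(0, len(data), volume_size)]


def _xor_into(acc: bytearray, chunk: bytes) -> None:
    """acc ^= chunk, treating chunk as zero-padded to len(acc)."""
    for i, b in enumerate(chunk):
        acc[i] ^= b


def make_recovery_volume(volumes: list) -> bytes:
    """XOR of all volumes (zero-padded to the longest).  Any one lost or
    corrupted volume can be rebuilt from this plus the remaining volumes."""
    parity = bytearray(max(len(v) for v in volumes))
    for v in volumes:
        _xor_into(parity, v)
    return bytes(parity)


def make_manifest(volumes: list, recovery: bytes) -> dict:
    """What travels with the parity data: a digest per volume so damage can be
    located, and each volume's true length so padding is trimmed after a rebuild."""
    return {
        "lengths": [len(v) for v in volumes],
        "digests": [hashlib.sha256(v).hexdigest() for v in volumes],
        "recovery_digest": hashlib.sha256(recovery).hexdigest(),
    }


def find_damaged(volumes: list, manifest: dict) -> list:
    """Indexes of volumes that are missing (None) or fail their digest."""
    return [i for i, v in enumerate(volumes)
            if v is None or hashlib.sha256(v).hexdigest() != manifest["digests"][i]]


def repair(volumes: list, recovery: bytes, manifest: dict) -> list:
    """Return a repaired copy of the volume list.  One parity volume rebuilds
    exactly one damaged volume; anything worse is reported, never guessed."""
    if hashlib.sha256(recovery).hexdigest() != manifest["recovery_digest"]:
        raise ValueError("recovery volume is itself damaged")
    bad = find_damaged(volumes, manifest)
    if not bad:
        return list(volumes)
    if len(bad) > 1:
        raise ValueError(f"{len(bad)} damaged volumes, but one recovery volume "
                         "can rebuild only one")
    idx = bad[0]
    rebuilt = bytearray(recovery)      # parity ^ (every other volume) = lost volume
    for i, v in enumerate(volumes):
        if i != idx:
            _xor_into(rebuilt, v)
    rebuilt = bytes(rebuilt[:manifest["lengths"][idx]])
    if hashlib.sha256(rebuilt).hexdigest() != manifest["digests"][idx]:
        raise ValueError("rebuilt volume failed its digest check")
    fixed = list(volumes)
    fixed[idx] = rebuilt
    return fixed


def demo() -> bytes:
    """Corrupt one volume, then lose another, and repair each from parity."""
    vols = split_volumes(SAMPLE, VOLUME_SIZE)
    rec = make_recovery_volume(vols)
    man = make_manifest(vols, rec)
    corrupted = list(vols)
    corrupted[1] = b"bit rot here ..."         # same length, wrong bytes
    out_corrupted = b"".join(repair(corrupted, rec, man))
    missing = list(vols)
    missing[3] = None                          # the short last volume is gone
    out_missing = b"".join(repair(missing, rec, man))
    assert out_corrupted == out_missing == SAMPLE
    return out_corrupted


if __name__ == "__main__":
    print(demo())
```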


I use Windows' built-in zip support more often than not, but 7zip is still handy as a "debug tool" when Windows gives up on a zip, or when I know a file is a zip but has a different extension and for whatever reason I don't want to rename it in that moment (skim something out of a DOCX file, for instance).

Also, a common gesture I use is 7zip's extensions to the right-click drag file operation. I can select an entire collection of zip files right-click drag it to a different folder and "Extract to *\" which decompresses all the files into a set of folders (under the folder you are dragging into) using the names of the zip files as the folder names (minus the extension). This is a useful and surprisingly common operation. (For instance, downloading a bunch of Bandcamp albums on a Bandcamp Friday and decompressing them all at once to a music library folder.)


Further tangent: my company still pays the zombie remains of Corel for WinZIP licenses and that astonishes me. WinZIP is slow and really doesn't seem to offer much over Windows built-in support, plus it still "kindly" clobbers the built-in support (on every reinstall/upgrade) removing it from the default and subtly breaking it (which I find quite irritating). It uselessly bloats Windows File Explorer tooltips and dialogs. (Why do I care what some subset of filenames inside the zip file are?) It doesn't seem to offer any useful tools, and its user interface is ugly, slow, and prone to crashing.

WinZIP should probably have died in the 90s.


Default unzipping in Windows requires admin privileges for some reason on my work laptop, so I had IT install WinRAR so I could unzip without admin access.


Your admins have locked down the temporary directory that the zip routine uses to store extracted files before copying them into the final location. That's the sort of paranoia that breaks a lot of applications in hard to diagnose ways.


I find 7-zip is a lot faster than the Windows Explorer Zip handler.


That's because it supports multicore by default.


I have been told that 7zip handles long pathnames better than the zip functionality built in to Windows.


Have you ever tried unpacking files with special characters from zip? Like umlauts, etc? Especially between different machines. It produces broken file names.

Zip doesn't store access rights, unlike tar. That's why tar gzip is so popular on Linux.


It's been a few years since I daily-drove Windows but I remember that I used 7zip sometimes because the native zip didn't work at times. As I recall I ran into issues with it failing on deeply nested files.


> Zip is built into literally everything. I don't really want to have to download another application to unpack something I get.

There's a more interesting question lying in there:

"Zip is built into literally everything."

From my anecdotal evidence with random Windows software, for said support, developers probably bundled 7zip in order to support compressed file formats.

Granted, in the end the fact that 7zip is bundled, or whether 7zip and its several features are exposed to you as an end user, is another story.


7zip supports AES-256 encryption on zip files. Windows does not.


Rar seems to handle Chinese filenames much better than zip.


Any reason that LZMA support isn't built into Windows? I think there are maybe some licensing issues with RAR perhaps.


Recovery records.


RAR is the standard way to distribute warez scene releases. If you're getting your releases from a topsite or other high quality sources, everything will be in RARs. Installing WinRAR is the first thing you do when scening. It's like when you install Windows and install Firefox before doing anything.


You mean the zip feature built into Windows that will refuse to compress if there’s any file with non-Latin1 character in its name, and will garble Unicode filenames compressed on other platforms? No I’m not talking about Windows 2000, it’s the same in Windows 11.

For ~half of the world’s population it’s literally useless.


>Zip is built into literally everything.

Deflate is a 16-bit algorithm from '91, which is slow, and the density is low.


I use NanaZip which is a version of 7zip with modernization (although its development seems to have slowed considerably so I may switch back to regular 7zip) because I do run into compressed files other than zips. When Windows 11 support for rar and 7z comes out I may stop using it.


.RAR file support

The Windows zip tool failed just yesterday because some of my file names had illegal characters, yet 7zip/WinRAR handled it no problem.

Better compression / more options

Beyond that, there's not much I need it for but every time I remove it ... I end up needing it shortly!


Both provide much better compression than zip, and when you are compressing large amounts of compressible data that is important.

I personally use rar (not WinRAR because I am not on Windows) because it also: locks the created archive, tests it, and adds a recovery record so if a few bits or even bytes flip it can be recovered.

rar also has a ton of options to customize compression like splitting into multiple files (I think 7z does this too as well)


I'm an old school pirate and have a cracked winrar 6.1 on my PC. It just works. Old habits and all that.


I wonder how much of Windows' profusion of archive formats is a hangover from the MS-DOS archiver wars.


WinRAR is really good if you wish to split a big file into smaller chunks, since it has parity features.


Windows' built-in zip can't handle long paths, or special characters.

7zip is a much more powerful tool


Because some people, for reasons known only to themselves, still insist on using .tar files in 2023.


The worst part is that WinRAR does not have autoupdate built-in, so millions of people will remain vulnerable for years.


The worst part is to use a closed source proprietary black box software when there are tons of great open source alternatives, such as 7zip or even just plain good old gzip, bzip2, etc.


Just to be clear, 7zip, gzip, bzip2 and others all have their own CVEs with arbitrary code execution. Open source software is not immune from these flaws.

You can argue for your political beliefs, sure, but let's be honest and not claim that there are any security benefits.


Open source does have some security benefits. If billions of (mostly) good people who want to help can read the code, they can find vulnerabilities more easily. Having so many contributors does help.


That is a popular fantasy story. The reality of almost all open source software is that nobody reads the code and the primary author is struggling to find the time to keep up with maintenance.

What's more, doing security review is very hard. You can't just casually read a bit of code. You need to deeply understand the surrounding context. People who have the capability to do that aren't going around providing that service for free.

-- More reading for the curious: https://www.explainxkcd.com/wiki/index.php/2347:_Dependency


Well I'm quite motivated to fix this vulnerability in WinRAR, but I can't.


You can, just download the latest version.


What if the software is abandoned or badly maintained? It took the company until August to fix it, there's the possibility it would be faster if it was Free software.


There currently is no alternative to the built in recovery records.


There has been a good open alternative for longer than WinRAR has had recovery records. It's called PAR files and there are implementations for Mac/Win/Linux.


Windows is getting native support for rar, 7zip etc. soon. Of course, like Microsoft Defender, it will also have zero days.


Auto update could allow an attacker to push a malicious update to everyone.


[flagged]


> Given its Russian roots, at this point I'm nervous about updating WinRAR or otherwise continuing to use it. I wish I had a day or two to get 7Zip to build.

If you're worried about backdoors, why did it take until this news for you to change your preference?

Also, 7zip is available prebuilt; you don't need to compile it yourself.


I’ve not been able to find a signed distribution of 7-zip, so I imagine they feel safer building the repo locally to make sure they’re at least not running a compromised .exe (not suggesting the code itself is guaranteed to be virus free, but this does feel safer in my mind)


> I’ve not been able to find a signed distribution of 7-zip

Since when would a signed binary help when your "opsec" says it's the software itself that is compromised?

Software can still be compromised if it is compromised before being signed.

Assuming you somehow trust the source code and not the binary, in fact, you're better off compiling it yourself and checking if the non-signed software you get is similar enough to the binary you can get from others - Assuming of course you can actually reach reliable reproducible builds with a Windows build chain, a thing that last time I checked was horrible and flaky.


apt update && apt install 7zip


> 30 million Americans marched in opposition to the Iraq war

And it was illegal. George W. Bush is a war criminal.


On a related note: Since switching to Mac a long time ago, I’ve come to love both the great support of archives by the OS (and The Unarchiver and more recently Keka) and the way archives are treated: double-click to extract and delete.

Exploring archives a-la-WinZIP has made little sense to me since (content previews however would still be helpful)


I am not surprised that this default GNOME anti-feature (extract instead of mount or open in File Roller) was also inspired by macOS, which at least has a standard mountable container format. It becomes an annoyance as soon as you encounter your first archive that has no root directory (i.e. most Zip files created on a PC) and fills the parent folder with countless files.


> fills the parent folder with countless files

macOS unarchivers don't have that issue. Extractions always create a single item: either extract the single item in the archive or create a folder with the archive's name before extracting.

two-files.zip creates two-files/a.txt and two-files/b.txt

one-file.zip creates a.txt


WinRAR is (was?) developed in Russia, so it always seemed like a great way for the Russian FSB to hack foreign systems.


There is a tremendous amount of software created and maintained by Russian developers running on Windows, MacOS and Linux. One example would be Nginx which runs a good deal of websites on the internet. Nginx is now owned by F5 but still maintains the same developers. There is probably a better way to verify code, risk-rank flaws and assign a level of trust. This should be an ongoing and ideally automated effort regardless of who is contributing code or hardware.

I personally would like to see AI be able to review entire code bases and see the bigger picture because state sponsored lawful intercepts are rarely one piece of code but rather require multiple pieces of code and sometimes hardware to work in conjunction to form the back door.


Yesterday I learned that a lot of crucial stuff in Postgres was developed by Russians (the list I saw was quite extensive). So if you run nginx+Postgres (like half the Internet?) then WinRAR is the least of your concerns.


Difference being that PG / nginx are open source and audited unlike WinRAR.


That's a fair point. Perhaps a solution could be that if someone were willing to pick up the par2cmdline code base and work with the 7-zip developers to merge it into their command line and GUI then there may not be many reasons left to utilize WinRAR.


I've met many incredibly talented eastern European engineers, who seem to overwhelmingly enjoy low-level programming (compilers, database internals, etc.). I don't see the concern.


They live in a country where you can literally get arrested for walking around with a blank piece of paper. Just because you MIGHT write something subversive on it.

The ability of the Russian government to lean on incredibly talented developers is extremely large.


The Russian government has recently shown itself to be willing and even eager to use coercive tactics against its own people.

The trust issue with software developed by Russians isn't that the engineers are Russian. It's that the engineers and their families are currently in Russia.


I don't want to get accused of whataboutism, but when it comes to software, if this is the bar we're setting then no software can be considered safe.


How did that conclusion come to mind? Did they write the entire code in Russian, or does the code just not run on Russian computers?

If you don't know, this is not even the first file-compression-related exploit. "Zip Slip" [0] for example, is just one year old, and there are many of them out there.

[0] Zip Slip: https://nvd.nist.gov/vuln/detail/CVE-2022-21675


"Zip Slip" was a term made up in 2018 (see https://news.ycombinator.com/item?id=17237295) for a class of vulnerabilities that's been known since at least 2001.


TIL, I was thrown off by the fact that it's a GmbH into thinking they were German.


Well this seems to suggest they're German https://www.win-rar.com/cookies.html?&L=0

The original author Eugene Roshal (iirc) isn't.


7-zip too. It seems that there are Russians who are very capable at data compression.


If you're downloading random files from a stranger's vague post, then I think you had it coming.

The file extension spoof fix is nice, however.




