Huge security vulnerability found in Winrar

[linuxares]

Hi!

Google have made a really good blog about this issue.

If you for some reason still use Winrar, version 6.22 and prior are affected. Please update to a new version!

Source: https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/

 

[CeeDee]

I knew I made a mistake paying for WinRAR

 

[tech3475]

I knew I made a mistake paying for WinRAR

You can pay for Winrar?

 

[Xdqwerty]

You can pay for Winrar?

always has been

 

[SAIYAN48]

Glad I switched to 7zip a while back.

 

[Jayro]

Been laughing in 7-zip since 2005, and haven't looked back.

Went from Win-zip in 2001 to 7-zip, skipping WinRAR entirely. (I honestly just hated the WinRAR UI at the time)

 

[ganjo]

7zip has been free for over a decade. Zip compression has been built into windows since forever.

 

[Deleted member 678941]

This will not be the last time the we hear winrar & vulnerability in the same sentence. Glad i use 7zip & stopped using winrar a long time ago. I am not shocked either an apt is the one's utilizing this vuln.

 

[megaotis]

Wow that's disappointing about winrar. I used many moons ago. Before that WinZip but these days I use peazip. Seems to meet my needs.

 

[a_username_that_is_cool]

i use winrar because i forgot to download 7zip

 

[linuxares]

Wow that's disappointing about winrar. I used many moons ago. Before that WinZip but these days I use peazip. Seems to meet my needs.

Peazip is solid. It's apparently 7zip with a better GUI.

 

[console]

I just updated my WinRAR to 6.23 that fixed vulnerability.

I had 7-zip and use for many years since Windows XP to now.

I heard about Peazip is very nice and have support for all Windows, Linux and Mac OS.

Recommend update to WinRAR 6.23 and above should be fine.

 

[linuxares]

I just updated my WinRAR to 6.23 that fixed vulnerability.

I had 7-zip and use for many years since Windows XP to now.

I heard about Peazip is very nice and have support for all Windows, Linux and Mac OS.

Recommend update to WinRAR 6.23 and above should be fine.

Yepp! It was already fixed when the blog was posted. So it was just a "heads up, update please!" post
If you wanna continue to use Winrar I highly recommend anyone that use it to update to be secure!

 

[Dust2dust]

I thought it would be some kind of backdoor for password-protected files. This brought back old memories of installing Winrar when I was using Windows, and then registering with a keygen or something similar, just for the heck.

 

[Joom]

I thought it would be some kind of backdoor for password-protected files. This brought back old memories of installing Winrar when I was using Windows, and then registering with a keygen or something similar, just for the heck.

Funnily enough, you can use a keygen to license it under anything, including things like 7-Zip. The rar command line utility is the same piece of software across all operating systems and archive tools, and a Windows keygen will give you a valid key file. Just plop it somewhere rar can see it, and it'll accept it. Here it is on Linux:

> $ cat /etc/rarreg.key                                                                                             
RAR registration data
Joom
Unlimited Company License
UID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%

> $ rar                                                                                                             

RAR 5.50   Copyright (c) 1993-2017 Alexander Roshal   11 Aug 2017
Registered to Joom

 

[Kwyjor]

I stick with IZArc, myself, but really I haven't needed to seriously compress anything in years.

 

[linuxares]

I stick with IZArc, myself, but really I haven't needed to seriously compress anything in years.

Me neither. I just unarchive mostly.

 

[Dust2dust]

Funnily enough, you can use a keygen to license it under anything, including things like 7-Zip. The rar command line utility is the same piece of software across all operating systems and archive tools, and a Windows keygen will give you a valid key file. Just plop it somewhere rar can see it, and it'll accept it. Here it is on Linux:

> $ cat /etc/rarreg.key                                                                                            
RAR registration data
Joom
Unlimited Company License
UID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%

> $ rar                                                                                                            

RAR 5.50   Copyright (c) 1993-2017 Alexander Roshal   11 Aug 2017
Registered to Joom

I know it doesn't make a difference if it's registered or not, but I just tried with an old (like 10 years old) rarreg.key I had lying around, and it worked as you described. BTW, I wonder why they use such an old version by default on Linux. I upgraded while I was at it.

> $ rar

RAR 6.24   Copyright (c) 1993-2023 Alexander Roshal   3 Oct 2023
Registered to SeVeN

Usage:     rar <command> -<switch 1> -<switch N> <archive> <files...>
               <@listfiles...> <path_to_extract/>

 

[Joom]

BTW, I wonder why they use such an old version by default on Linux.

Licensing, if I had to guess. I imagine maintainers aren't a fan of maintaining it. For example, it's only available through the AUR on Arch. There is a FOSS version of the unrar utility, but it's kinda lacking, as it's essentially just a plugin/wrapper for libarchive.
https://gitlab.com/bgermann/unrar-free

 

[zamastyle]

Im with 7z. Now if windows would stop effing with the context menus...