
LOL WinRAR: Serious One-Click Bug (Patch NOW) – Source: securityboulevard.com


Source: securityboulevard.com – Author: Richi Jennings

Fix for CVE-2023-40477 now available.

Good old WinRAR has a serious security hole. If you still have it installed, get the update (or just uninstall).

Do what you want, because you are free. In today’s SB Blogwatch, we’re sailing away (adventure waits on every shore).


Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Optimism.

Even if You Are not a Pirate

What’s the craic? Bill Toulas reports—“Flaw lets hackers run programs when you open RAR archives”:

Keep the software updated

A high-severity vulnerability has been fixed in WinRAR, the popular file archiver utility for Windows used by millions, that can execute commands on a computer simply by opening an archive. The flaw is tracked as CVE-2023-40477 and could give remote attackers arbitrary code execution.


Deceiving users into … opening an archive … shouldn’t be overly challenging. … Given the vast size of WinRAR’s user base, attackers have ample opportunities for successful exploitation.


Keep the software updated, as similar flaws in the past were abused by hackers to install malware. Apart from that, being cautious with what RAR files you open … would be a good security measure.

Want more info? Sofia Elizabella Wyciślik-Wilson’s got you covered—“Update WinRAR right now”:

Addressed in WinRAR 6.23

CVE-2023-40477 … was discovered back in June. … Two months on, the issue has been fixed, but users of the software will have to ensure that they have the latest update installed.


With the release of WinRAR 6.23 final, RARLAB has addressed the bug. … This is not the only security issue addressed in WinRAR 6.23; there is also a fix for a bug that can cause WinRAR to start a wrong file.
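Both quoted reports boil down to one check: is the installed WinRAR at 6.23 or later? The script below is an added example, not from the Security Boulevard post, RARLAB or either quoted author. It reads the standard Windows uninstall registry keys, picks out WinRAR entries, and flags any whose version is below 6.23. It assumes the uninstall entry's DisplayName begins with "WinRAR" and that its DisplayVersion parses as a .NET `[version]` (for example "6.22.0"); entries that do not parse are reported as unknown rather than silently skipped.

```powershell
# Added example (not from the post or RARLAB): inventory installed WinRAR
# versions and flag anything below 6.23, the release the post names as
# carrying the fix for CVE-2023-40477.
$FixedVersion = [version]'6.23'

# Standard uninstall registry locations: 64-bit view, 32-bit view, per-user installs.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-WinRarInstall {
    # Returns one object per WinRAR entry found in the uninstall keys.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'WinRAR*' } |   # assumption: name starts with "WinRAR"
        ForEach-Object {
            # Assumption: DisplayVersion looks like "6.22.0". Unparseable values are
            # surfaced as 'unknown' so a host is never marked clean by accident.
            $parsed = $null
            $ok = [version]::TryParse($_.DisplayVersion, [ref]$parsed)
            [pscustomobject]@{
                Name       = $_.DisplayName
                Version    = $_.DisplayVersion
                Location   = $_.InstallLocation
                Vulnerable = if ($ok) { $parsed -lt $FixedVersion } else { 'unknown' }
            }
        }
}

$found = Get-WinRarInstall
if (-not $found) {
    Write-Output 'WinRAR not found in the uninstall registry keys.'
} else {
    $found | Format-Table -AutoSize
    $found | Where-Object { $_.Vulnerable -eq $true } | ForEach-Object {
        Write-Warning "$($_.Name) $($_.Version) is below $FixedVersion - update to 6.23 or remove it."
    }
}
```

Run it locally or through your usual remote-execution channel; the `Vulnerable` column is what to feed into a fleet report, and an `unknown` row means the version string needs a manual look rather than a pass.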

WinWHATNOW? u/tunelul’s Shift key is broken:

the company i’m working for mass-removed winrar from all computers since the previous security bug lol. that was a few years ago.

WinRAR, how do I love thee? ctilsie242 counts the ways:

Am I one of the few people who uses WinRAR? [It] has a few things that are unique, and with the way I use it, the vulnerability isn’t really an issue. And yes, I have registered it … for every machine.

1: The recovery records are a nice thing to have for long-term archiving. I have pulled files from 20+ years ago, and even with damage to archives, because I used recovery records, I was able to completely recover the contents. …

4: It has decent AES encryption.

5: Every unarchiver supports it.

I guess we should switch to 7-Zip, right? Wrong, thinks Mishak:

Have you ever looked at the source code for 7-Zip? It may “work”, but there’s no way I would want to generate the test vectors for it. It does have some comments, but mainly commented-out code.


One of the functions is something like 1500 lines long, and includes a number of potentially-infinite nested loops. Still, it seems to do the job if you can ignore the fact that it may have similar security vulnerabilities.

But which is better? BogdanH is all about the nuance:

It doesn’t matter much which one you prefer to use—they both work and I have installed both. I mostly use WinRAR because it has more “friendly” UI … and it also can compress/decompress zip files and decompress 7-Zip files.


On the other hand, 7-Zip can open/extract some additional formats. … Sometimes 7-Zip is the better compressor and sometimes RAR is better. … 7-Zip is faster at decompression [but] WinRAR gives the user more control over compression settings, to save as much space as possible.

I’m sure I read something about .rar recently. AmiMoJo reminds us:

Windows 11 is getting … native support for 7zip and RAR files. I think both GNOME and KDE support it by default.

Meanwhile, Yet Another Anonymous coward snarks it up:

But how will I install special_cracked_game.exe?

And Finally:

John D. Boswell’s triumphant return

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: ambex/amebix


Original Post URL: https://securityboulevard.com/2023/08/lol-winrar-serious-one-click-bug-patch-now/

Category & Tags: Application Security, AppSec, Cybersecurity, Data Security, Deep Fake and Other Social Engineering Tactics, Editorial Calendar, Endpoint, Featured, Governance, Risk & Compliance, Humor, Identity & Access, Incident Response, Insider Threats, Malware, Most Read This Week, News, Popular Post, Ransomware, Security at the Edge, Security Awareness, Security Boulevard (Original), Security Challenges and Opportunities of Remote Work, Social Engineering, Spotlight, Threats & Breaches, Vulnerabilities, Zero-Trust, 7-Zip, archive, RAR files, SB Blogwatch, WinRAR
