
Google warns users to update WinRAR due to security vulnerabilities, citing potential exploitation by government-backed hackers

Summary

Today, Google's Threat Analysis Group (TAG) posted on their blog about WinRAR security vulnerabilities that have already been exploited by government-backed hackers since early 2023. According to Google's TAG, the vulnerability allows attackers to execute arbitrary code when a user attempts to view a benign file (for example image files, particularly PNG) within a ZIP archive. So far it has been reported that the security hole has been used to target cryptocurrency trading accounts since April 2023, with another report from security researcher Group-IB saying that 130 devices (mostly traders' devices) were infected at the time the finding was posted back in August 2023, with the total number still unknown to this very second. WinRAR has already issued the patch in versions 6.24 and 6.23, but users have to manually install those versions in order for the app to be updated, as WinRAR still doesn't have automatic updates even today.

 

Quotes

Quote

In recent weeks, Google’s Threat Analysis Group (TAG) has observed multiple government-backed hacking groups exploiting the known vulnerability, CVE-2023-38831, in WinRAR, which is a popular file archiver tool for Windows. Cybercrime groups began exploiting the vulnerability in early 2023, when the bug was still unknown to defenders. A patch is now available, but many users still seem to be vulnerable. TAG has observed government-backed actors from a number of countries exploiting the WinRAR vulnerability as part of their operations. [...]

 

In August 2023, RARLabs released an updated version of WinRAR that included fixes for several security-related bugs. One of those bugs, later assigned CVE-2023-38831, is a logical vulnerability within WinRAR causing extraneous temporary file expansion when processing crafted archives, combined with a quirk in the implementation of Windows’ ShellExecute when attempting to open a file with an extension containing spaces. The vulnerability allows attackers to execute arbitrary code when a user attempts to view a benign file (such as an ordinary PNG file) within a ZIP archive. (Google TAG)

Quote

“A patch is now available, but many users still seem to be vulnerable,” says TAG in a blog post detailing the WinRAR exploit. “TAG has observed government-backed actors from a number of countries exploiting the WinRAR vulnerability as part of their operations.” WinRAR versions 6.24 and 6.23 both include a fix for the security hole, but the app doesn’t update automatically, so you’ll have to manually download and install the patch. That’s right, it’s 2023, and one of the most popular Windows apps still doesn’t have an auto-update feature. [...]

 

The exploit has also been used to target cryptocurrency trading accounts since April 2023. “The widespread exploitation of the WinRAR bug highlights that exploits for known vulnerabilities can be highly effective, despite a patch being available,” says TAG. “These recent campaigns exploiting the WinRAR bug underscore the importance of patching and that there is still work to be done to make it easy for users to keep their software secure and up-to-date.” (The Verge)

 

My thoughts

With ZIP bombs being a thing, I didn't think I'd see anyone not updating WinRAR or 7zip, but welp, I guess there are still people using older versions of WinRAR. Yes, 7zip exists, but if you really, really want to use WinRAR for some reason, regularly check for updates on their website, since they literally don't have auto updates to this very second. Heck, 7zip doesn't have auto updates either, so you have to check for updates regularly as well if you use it. Now I don't know why they don't provide an auto update feature at all, and I'm aware that Chocolatey can be used to configure auto updates, but why?

 

Sources

https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/

https://www.theverge.com/2023/10/18/23922075/winrar-security-vulnerability-exploit-patch-update

https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
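As an added example (not code from Google TAG, Group-IB, WinRAR or the poster), here is a small Python check that scans a ZIP archive's entry names for the one trait the TAG description gives for the crafted archives: an extension containing a space. The sample archive and its entry names are constructed inline for the demonstration, so nothing here is a real sample.

```python
"""Flag ZIP entries whose extension contains a space (CVE-2023-38831 pattern).

Added example for this thread, not code from Google TAG, Group-IB or WinRAR.
It relies only on the blog's description of "an extension containing spaces";
the archive scanned below is constructed here so the script runs offline.
"""
import io
import re
import zipfile

# Heuristic: a space at the very end of a name, or a space directly before a
# dot, means the extension itself contains a space. Win32 strips trailing
# spaces from file names, so such names normally only originate inside archives.
SPACE_IN_EXTENSION = re.compile(r" \.| $")


def suspicious_entries(archive: bytes) -> list[str]:
    """Return the names of entries whose last path component has a space
    inside or at the end of its extension."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            # Directory entries end in "/"; inspect their own name as well.
            leaf = info.filename.rstrip("/").rsplit("/", 1)[-1]
            if SPACE_IN_EXTENSION.search(leaf):
                flagged.append(info.filename)
    return flagged


def build_sample_archive() -> bytes:
    """Constructed test data: two ordinary entries and two with spaced extensions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "plain text, nothing odd")
        zf.writestr("photos/summer vacation.jpg", b"stand-in image bytes")
        zf.writestr("photo.png ", b"trailing space in the extension")
        zf.writestr("invoice.pdf .txt", "space inside the extension chain")
    return buf.getvalue()


if __name__ == "__main__":
    for name in suspicious_entries(build_sample_archive()):
        print(f"suspicious entry: {name!r}")
```

A space in the middle of a base name (such as "summer vacation.jpg") is not flagged; only spaces that sit inside or at the end of the extension are.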

 


1 minute ago, Senzelian said:

I hope WinRAR's servers can handle their entire customer base of 4 people downloading the new version.

lmao

 

*wait what's wrong with their customer service server is it really hilariously bad


55 minutes ago, KeradSnake said:

lmao

 

*wait what's wrong with their customer service server is it really hilariously bad

Not necessarily, but when considering the free and open source competition (namely 7-Zip), it makes little sense to purchase WinRAR. So it would be believable that their servers don’t see a lot of activity. 


3 hours ago, Zodiark1593 said:

Not necessarily, but when considering the free and open source competition (namely 7-Zip), it makes little sense to purchase WinRAR. So it would be believable that their servers don’t see a lot of activity. 

It also makes little sense to install 7-Zip once Win10 is phased out, because it's now native to Win11.


27 minutes ago, StDragon said:

It also makes little sense to install 7-Zip once Win10 is phased out, because it's now native to Win11.

welp, time to look for an alternative...


You can still install 7-Zip, and I recommend doing so if you're going to be creating the archives; it provides many options to optimize for both speed and size (there's always tradeoffs when fiddling around with them). But with Win11, the end-user (file recipient) just has to open the file like any other ZIP via double-click.


15 minutes ago, StDragon said:

It also makes little sense to install 7-Zip once Win10 is phased out, because it's now native to Win11.

JAR, GZIP, CAB, IMG, IMA, 7Z that isn't executable. What about those? Those are not native to Windows even if Windows does recognize what kind of files some of them are, and in order to create those (even something like ISO) you need a specific app for that.

 

Even average users will probably have to deal with those archive files or other ones someday. I don't know what kind of things people would do that they have to deal with other archive formats, but they will face that situation regardless. Telling people that it makes little sense to install 7zip just because two archive formats are going to be natively supported on Windows isn't a good move.


2 hours ago, KeradSnake said:

Telling people that it makes little sense to install 7zip just because two archive formats are going to be natively supported on Windows isn't a good move.

Not just a good move, a great move. Two facts to keep in mind.

  • Most content is consumed, rather than created, by your average Windows user. For consumption, ease of use is preferred; that means the simplicity of doing nothing more than downloading and double-clicking on the attachment to open the archive (just like it is with ZIP files).
  • One less app to install. That means a reduced attack surface that goes unpatched. Most users don't keep up with 3rd party updates. But most do patch their OS on a monthly basis. That said, there are still people out there that lag behind in doing something as simple as that.

6 hours ago, Zodiark1593 said:

Not necessarily, but when considering the free and open source competition (namely 7-Zip), it makes little sense to purchase WinRAR. So it would be believable that their servers don’t see a lot of activity. 

7-zip works for everything except foreign characters. For that, WinRAR and BandiZip are the only programs that handle foreign characters correctly. UTF-8 is fine, but many foreign computers (e.g. Japanese ones in particular) still don't use Unicode filenames, but use Shift-JIS, and Russian systems still tend to use KOI8-R.

 

As for why 7-zip doesn't handle them, I don't remember, I just recall the developer basically saying no. So I use an old version of Bandizip to open the files if 7-zip shows garbage as filenames.

 

BTW, RAR evolved out of ZIP, because ZIP has no proper disk spanning (all zip files in a set are still ".zip"), whereas RAR was immensely popular with backup and ... alt binaries piracy. Usenet pirates would break programs and games up into 1.4MB chunks and then those chunks would be broken up into 8K-32K uuencoded messages.

 

We've come a long way from what RAR actually made necessary. Most software has gone back to single ZIP files if they fit on 4GB DVDs. Anything that spans a DVD still goes into archive spanning.

 


11 hours ago, StDragon said:

It also makes little sense to install 7-Zip once Win10 is phased out, because it's now native to Win11.

What is native in Win11? Zip support has been around since Win10. What did Win11 bring?

 

 

 

On the comment about 7-zip not updating, I plead guilty there. My install was 4 years old.

Gaming system: R7 7800X3D, Asus ROG Strix B650E-F Gaming Wifi, Thermalright Phantom Spirit 120 SE ARGB, Corsair Vengeance 2x 32GB 6000C30, RTX 4070, MSI MPG A850G, Fractal Design North, Samsung 990 Pro 2TB, Acer Predator XB241YU 24" 1440p 144Hz G-Sync + HP LP2475w 24" 1200p 60Hz wide gamut
Productivity system: i9-7980XE, Asus X299 TUF mark 2, Noctua D15, 64GB ram (mixed), RTX 3070, NZXT E850, GameMax Abyss, Samsung 980 Pro 2TB, random 1080p + 720p displays.
Gaming laptop: Lenovo Legion 5, 5800H, RTX 3070, Kingston DDR4 3200C22 2x16GB 2Rx8, Kingston Fury Renegade 1TB + Crucial P1 1TB SSD, 165 Hz IPS 1080p G-Sync Compatible


3 minutes ago, porina said:

Zip support has been around since Win10. What did Win11 bring?

It's even older than that:

 


5 minutes ago, jagdtigger said:

It's even older than that:

My memory before Win10 is fading. 

 

A quick trip to wikipedia:

Quote

Microsoft has included built-in ZIP support (under the name "compressed folders") in versions of Microsoft Windows since 1998 via the "Plus! 98" addon for Windows 98. Native support was added as of the year 2000 in Windows ME.

https://en.wikipedia.org/wiki/ZIP_(file_format)


2 hours ago, porina said:

My memory before Win10 is fading. 

 

A quick trip to wikipedia:

https://en.wikipedia.org/wiki/ZIP_(file_format)

It has some context problems. Yes, you could "open a zip file", but the way it was opened in Win98 was treated like a regular folder (Zip folders), and only if you installed the Plus pack.

https://smallvoid.com/article/windows-compressed-folders.html

 

You can install it on Win95, 98 and NT4

 

So, YES, but only if you had the pack installed.

 

ME and XP had it out of the box. It's pretty much worked like "native folders" ever since, but if you try to run something out of the zip it prompts you to extract all.

 

 


15 hours ago, porina said:

What is native in Win11? Zip support has been around since Win10. What did Win11 bring?

Native 7-Zip (aka 7z for short) is new to Windows 11. Native ZIP support in Windows has been around for well over 20 years, displacing the need for the dedicated WinZIP program.


5 hours ago, StDragon said:

Native 7-Zip (aka 7z for short) is new to Windows 11. Native ZIP support in Windows has been around for well over 20 years, displacing the need for the dedicated WinZIP program.

Thanks, I was unaware of that. I've always installed 7-Zip on my systems since its shell integration is nicer to use than the built-in Windows implementation. This may be in part why I struggled to remember which version of Windows had what.


On 10/19/2023 at 1:16 AM, KeradSnake said:

Even average users someday will probably have to deal with those archive files or other ones

"Someday". Remember that everyone using a tech forum can probably already be counted towards the 1% of power users. Most people will never have to deal with anything else than opening a .zip or .rar archive.

 

On 10/19/2023 at 1:16 AM, KeradSnake said:

JAR, GZIP, CAB, IMG, IMA, 7Z

.7Z is the only format out of these I've used over the last 2 years. In my prime Minecraft days I also needed to work with .JAR files, but other than that these formats aren't really applicable to the "general user", which is why most people won't need anything else than what is already built into W11. Nowadays even Minecraft, and even modding the game, doesn't need editing .JAR files anymore.

 

So unless you have to create compressed archives, there is practically no need to install WinRAR or 7Zip for a normal end-user.


On 10/19/2023 at 12:34 AM, StDragon said:

It also makes little sense to install 7-Zip once Win10 is phased out, because it's now native to Win11.

On 10/19/2023 at 12:08 PM, porina said:

What is native in Win11? Zip support has been around since Win10. What did Win11 bring?

On 10/20/2023 at 3:56 AM, StDragon said:

Native 7-Zip (aka 7z for short) is new to Windows 11. Native ZIP support in Windows has been around for well over 20 years, displacing the need for the dedicated WinZIP program.

I think there is some confusion in this thread.

Up until very recently, Windows 10 and Windows 11 were identical in terms of archival format support. Which is to say, extremely limited and painfully slow. Seriously, it hadn't really been updated since ~2000 (except adding unicode support), and even by 90's standards, the code was pretty awful. It is extremely slow and buggy.

 

As explained in this excellent blog post, extracting that particular ZIP file took 30 minutes using the built-in Windows tools.

It took less than half a second using 7-zip.

 

The built-in zip function does not support encryption either.

 

 

In the latest Windows 11 update, which was released like a few weeks ago, Microsoft updated the functions for archive formats in Windows.

It now uses libarchive instead of some proprietary library written in 1998 by a third-party firm for Microsoft. As a result, it now supports a long list of formats and features. 

Assuming it is the full libarchive that is being used and not some Microsoft-specific fork, Windows 11 on the latest update supports basically all archive formats on the planet.
