500 million users affected by WinRAR vulnerability – developers won’t fix

vbimport

#1

We’ve just posted the following news: 500 million users affected by WinRAR vulnerability – developers won’t fix

A leak in the popular WinRAR software makes more than 500 million users vulnerable to an attack that allows cybercriminals to fully take control over the computer.

Read the full article here: [http://www.myce.com/news/500-million-users-affected-by-winrar-vulnerability-developers-wont-fix-77441/](http://www.myce.com/news/500-million-users-affected-by-winrar-vulnerability-developers-wont-fix-77441/)

Please note that the reactions from the complete site will be synched below.

#2

[QUOTE=DoMiN8ToR;2761394]We’ve just posted the following news: 500 million users affected by WinRAR vulnerability – developers won’t fix[/QUOTE]

Not only the fact that the developers won’t fix that flaw surprises me, but also that there are still so many users using WinRAR as packer/unpacker while there are some good freeware alternatives around…
I wonder if those 500 million people are all paying customers…:bigsmile:


#3

I read the headline and my first thought was, “People are still using WinRAR?!?!?”


#4

Ok [I]dude[/I], what do you suggest as an alternative? WinRAR like WinZip is old technology but what out there do you think is better or just as good not including 7Zip.

This is a serious question (in case my wording suggests otherwise). :slight_smile:


#5

So a malicious user can create a self-extracting archive, which is an EXE file, that can contain malicious code when executed… exactly like EXE files created by malicious users in other ways.

So if someone else runs that EXE file from an untrusted source, they can be infected with something bad… exactly like when they run a malicious EXE file made in some other way.

I fail to see the real problem here, and it seems likely that it would help no one if the developers fixed this problem.


#6

[QUOTE=biggles77;2761404]Ok [I]dude[/I], what do you suggest as an alternative? WinRAR like WinZip is old technology but what out there do you think is better or just as good not including 7Zip.

This is a serious question (in case my wording suggests otherwise). :)[/QUOTE]
I would have suggested 7-zip, but for some reason you’ve excluded it from the pool of possible suggestions.


#7

[QUOTE=Stereodude;2761413]I would have suggested 7-zip, but for some reason you’ve excluded it from the pool of possible suggestions.[/QUOTE]

Neither do I understand why, as it’s a great WinRAR alternative…
Maybe PeaZip could be interesting… or IZArc…


#8

Scaremongering as usual is what I say…


#9

[QUOTE=biggles77;2761404]Ok [I]dude[/I], what do you suggest as an alternative? WinRAR like WinZip is old technology but what out there do you think is better or just as good not including 7Zip.
This is a serious question (in case my wording suggests otherwise). :)[/QUOTE]
This basically calls bias into question already…

[QUOTE=Stereodude;2761413]I would have suggested 7-zip, but for some reason you’ve excluded it from the pool of possible suggestions.[/QUOTE]
Excluding 7zip without any good facts tells everyone the previous poster is already biased towards 7zip.

[QUOTE=MrScary;2761419]Scaremongering as usual is what I say…[/QUOTE]
This is what happens when they have nothing better to do but do their best to scare users.


#10

I never got on with WinRAR, too complex for a simple file extraction. I don’t need a compressed archive; I guess that was when disc space was limited.
I rarely see a RAR download these days and there is usually an alternative.
Windows 7 has its own built-in unzipper, that works fine. 7Zip was good for XP.


#11

Neither 7zip nor PeaZip nor IZArc are better alternatives to WinRAR. WinRAR is faster at compression and decompression.


#12

[QUOTE=CharmedonWB;2761447]Neither 7zip nor PeaZip nor IZArc are better alternatives to WinRAR. WinRAR is faster at compression and decompression.[/QUOTE]

Depends on user choice and priorities… I prefer free and multi-format support instead of paying 29.95 for a faster compression tool…:slight_smile:


#13

As alternatives, both PeaZip and 7-Zip seem immune to this issue: according to the vulnerability description the problem is the specific way WinRAR handles the encoding of the self-extracting archive’s “text and icon” part. Of course the WinRAR team is on the obvious safe side when they say no one should trust a wild exe from an unknown source, but IMHO they should not be so easy about the fact that their SFX procedure can be exploited to create a malicious exe.


#14

[QUOTE=CharmedonWB;2761447]Neither 7zip nor PeaZip nor IZArc are better alternatives to WinRAR. WinRAR is faster at compression and decompression.[/QUOTE]

[QUOTE=roadworker;2761448]Depends on user choice and priorities… I prefer free and multi-format support instead of paying 29.95 for a faster compression tool…:)[/QUOTE]

Couldn’t be more true, but then again fanboys can’t admit WinRAR is yesterday’s technology…


#15

What has this to do with WinRAR USERS? The problem is the self-extracting .exe files that can be sent to anyone, anywhere.


#16

WinRAR is a compression and decompression agent… no different from PeaZip, IZArc or any other on the market. So the crack about yesterday’s technology is completely senseless. Please explain to me what those others can do that WinRAR cannot? As for the fanboy quip: you can take that back to your Sony or Nintendo forum because I honestly do not have the patience for that level of ignorance. Thanks.


#17

[QUOTE=CharmedonWB;2761542]Please explain to me what those others can do that WinRAR cannot?[/QUOTE]

WinRAR pack and unpack:
RAR
ZIP

WinRAR browse/unpack:
CAB
ARJ
LZH
TAR
GZ and TAR.GZ
BZ2 and TAR.BZ2
ACE
UUE
JAR (Java Archive)
ISO (ISO9660 - CD image)
7Z
XZ
Z (Unix compress)

PeaZip pack and unpack:
7z and 7z-SFX
FreeArc’s ARC/WRC
bzip2: bz2, tar.bz2, tbz, tb2
gzip: gz, tar.gz, tgz
PAQ8 (F/JD/L/O), LPAQ, ZPAQ
PEA
QUAD/BALZ
tar
WIM
xz
ZIP

PeaZip browse/unpack:
ACE
ARJ
CAB
CHM
Compound File (e.g. MSI, DOC, PPT, XLS)
CPIO
deb
EAR
ISO image
JAR
LZMA
LZH
NSIS installers
OpenOffice’s OpenDocument
PET/PUP (Puppy Linux installers)
PAK/PK3/PK4
RAR including archives created with new RARv5 standard
RPM
SMZIP
U3P
WAR
XPI
Z (compress)
ZIPX

And IZArc also has its fair share of supported formats.

In the end, it’s all the user’s choice or preference… but I prefer any of those 2 above WinRAR…:slight_smile:


#18

And after the over-reaction and brouhaha Malwarebytes has issued an apology: https://blog.malwarebytes.org/news/2015/10/redaction-winrar-vulnerability/

[…]

We here at Malwarebytes take pride in our ability to find the latest threats that users face on a daily basis and do our best to not only block and remove them with our products but also inform the general public about their danger through our blog.

[B]In a very few cases, we jump the gun in our efforts to explain a threat and end up posting information that hasn’t been thoroughly analyzed.

This is one of those cases.[/B]

[…]

[B]Users of WinRAR have nothing to worry about as they are not being targeted nor is the WinRAR product itself malicious or allowing malicious files to be run on the system[/B]. We have since removed our post on the subject.

[…]

The sky is no longer falling. The WinRAR developers aren’t *******s. The vulnerability wasn’t in WinRAR. Never was.


#19

[QUOTE=DrinkLyeAndDie;2761758]And after the over-reaction and brouhaha Malwarebytes has issued an apology: https://blog.malwarebytes.org/news/2015/10/redaction-winrar-vulnerability/
The sky is no longer falling. The WinRAR developers aren’t *******s. The vulnerability wasn’t in WinRAR. Never was.[/QUOTE]
Like people are going to believe that… it’s like those famous words “Trust us, we know what we are doing”… right… WinRAR is old software… 7zip works and does a better job than what WinRAR does, and I use 7zip for .zip or 7z. WinRAR is a lost cause. Also it’s free and does what it does better.


#20

[QUOTE=coolcolors;2761763]Like people are going to believe that… it’s like those famous words “Trust us, we know what we are doing”… right… WinRAR is old software… 7zip works and does a better job than what WinRAR does, and I use 7zip for .zip or 7z. WinRAR is a lost cause. Also it’s free and does what it does better.[/QUOTE]

Why such a caustic response?

While the vulnerability did indeed affect something produced by WinRAR, it only exploited a feature available in WinRAR as well as other software. It is a very reasonable response to say “Hey, we blamed them for their software. It’s not actually the software’s fault; the software itself isn’t compromised.”

Yes, the people behind the software can patch it so there’s no chance to run this particular code, buuuuuuut….

As stated earlier, any self-extracting archive can be compromised, if only because you are still running a program and you have to know what you’re downloading BEFORE you download it and run it. You could make an archive that appears to be encrypted so no one can validate its contents, only to have it infect your computer. It’s actually not a huge deal that this specific vulnerability exists.
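The point made in #5, #13 and #20, that a self-extracting archive is an executable with archive data appended and therefore has to be handled like any other untrusted program rather than like an archive, can be turned into a structural check. The following is an added example, not code from this thread or from WinRAR, 7-Zip or PeaZip; it distinguishes a plain archive from an SFX by looking for a PE header and archive magic bytes, and every sample input is constructed.

```python
# Added example (not from the thread): classify by structure, not by extension.

# Magic bytes for the archive formats discussed in the thread.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
ARCHIVE_MAGICS = {"rar4": RAR4_MAGIC, "rar5": RAR5_MAGIC, "7z": SEVENZ_MAGIC}
MZ_HEADER = b"MZ"  # every Windows PE executable starts with this DOS stub header


def find_archives(data: bytes) -> list:
    """Return (format, offset) pairs for every archive signature found in data."""
    hits = []
    for name, magic in ARCHIVE_MAGICS.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((name, pos))
            pos = data.find(magic, pos + 1)
    return sorted(hits, key=lambda hit: hit[1])


def classify(data: bytes) -> str:
    """Return 'archive', 'sfx', 'executable' or 'unknown'."""
    hits = find_archives(data)
    if data.startswith(MZ_HEADER):
        # Executable carrying archive data: an SFX (or an EXE with an archive
        # embedded in its resources, which deserves the same caution).
        return "sfx" if hits else "executable"
    if hits and hits[0][1] == 0:
        return "archive"  # signature at offset 0: plain archive, opening runs no code
    return "unknown"


def policy(data: bytes) -> str:
    """Handling rule: archives go to an archiver; SFX files are programs."""
    kind = classify(data)
    if kind == "archive":
        return "open with an archiver; extraction executes nothing"
    if kind in ("sfx", "executable"):
        return "untrusted program; run only from a trusted source"
    return "unrecognised; inspect before use"


# Constructed samples: a RAR5 archive, a WinRAR-style SFX (PE stub followed by
# RAR4 data at offset 168) and an executable with no archive payload.
PLAIN_RAR = RAR5_MAGIC + b"\x00" * 32
SFX_SAMPLE = MZ_HEADER + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 100 + RAR4_MAGIC + b"\x00" * 32
PLAIN_EXE = MZ_HEADER + b"\x00" * 200
```

A signature search can also fire on an executable that merely carries an archive in its resources; the check is meant to route such files to the executable policy, which is the safe direction to err in.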