WinRAR closes 19 year old security issue


#1

Originally published at: https://www.myce.com/news/winrar-closes-19-year-old-security-issue-86213/

Security researchers from Check Point have discovered a serious vulnerability in the popular WinRAR software. The vulnerability allowed attackers to copy malware into any folder on the computer or network share unnoticed. By copying the file into the startup folder of Windows, the malware would execute every time Windows started.


#2

wow 19 years of allowing hacker to view and have malware laden waiting for winrar and it takes them 19 years to fix it. That show they cared less about user then more about making money.


#3

To be fair, I think the last time I saw an ACE file was 19 years ago.


#4

unacev2.dll is a third party library. It seems almost everywhere I have read about the vulnerability it is conveniently ignored that other software also makes use of unacev2.dll (eg XnView). It’s as though the fault is entirely with WinRar. :scream_cat:


#5

7zip is a better alternative and completely free compared to WinRAR.


#6

Depend on what you do …

7-zip have better compression, but Winrar is better in compression vs. speed


#7

And 7-Zip can not add recovery record to an archive.


#8

Yep.

I use Winrar 4 since long years, the only thing I don´t like is it cannot unrar Winrar 5x-archives; but I need it only 1 time


#9

In WinRar 5 recovery has been much improved compared to WinRar 4 for anyone that needs it.


#10

From a quick check through the 7-Zip changelog, Winrar 5 support was added a few years ago:

15.06 beta 2015-08-09

  • 7-Zip now can extract RAR5 archives.

7-Zip is currently on version 19, which was just released (21st February).

Although .ace is not mentioned in 7-zip’s supported archive formats, it has no problem with a few ancient 18-year old files I found in an old backup:
7-zip%20ace%20file

Then again, 7-zip can open various other types of files that you may not realise are archives. For example, if you have a Microsoft Word .docx or Excel .xlsx file, you open it up in 7-zip, very useful for extracting images from a Word or Excel file.


#11

The one time I needed to extract a Winrar 5 archive the only free Tool was Bandizip. I think I saw in the last update they wrote something about fixing an ace vulnerability

Edit:

  • Stopped ACE archive format support due to vulnerability (CVE-2018-20250)

#12

Couldn’t agree more free and less headroom and does what it needs to get the job done. I left Winrar long time ago. I had used winzip and winrar in the past until I found 7zip.


#13

IMHO, 7Zip is a better program than WinRAR. I don’t use either program much (when it comes to Un*x systems, files/programs are often stored in .tar archives, as they store certain attributes Unx systems often need), but I much prefer both the 7Zip program and the *.7z format, if for no other reason than to preserve my own freedom.

I do have one gripe with 7Zip: RAR file support is implemented via a proprietary library. However, since I generally don’t work with RAR files anyway, I can avoid using the library in the first place. (On Ubuntu, the library is packaged separately, so you can use the program without the library.)