WinRAR Flaw Lets Hackers Run Programs When You Open RAR Archives - Slashdot

source link: https://it.slashdot.org/story/23/08/18/2157249/winrar-flaw-lets-hackers-run-programs-when-you-open-rar-archives

WinRAR Flaw Lets Hackers Run Programs When You Open RAR Archives

A critical vulnerability (CVE-2023-40477) has been patched in WinRAR. It allowed remote attackers to execute arbitrary code by luring victims into opening a specially crafted RAR file. The severity rating is only 7.8, though, because user deception is required. BleepingComputer reports: The vulnerability was discovered by researcher "goodbyeselene" of Zero Day Initiative, who reported the flaw to the vendor, RARLAB, on June 8th, 2023. "The specific flaw exists within the processing of recovery volumes," reads the security advisory released on ZDI's site. "The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer."

RARLAB released WinRAR version 6.23 on August 2nd, 2023, effectively addressing CVE-2023-40477. WinRAR users are therefore strongly advised to apply the available security update immediately. Apart from the fix to the RAR4 recovery-volume processing code, version 6.23 addresses an issue with specially crafted archives leading to wrong file initiation, which is likewise considered a high-severity problem.

  • I'll be here all night, don't forget to tip your server!

  • ZIP had to be settled on long ago as a professional and only choice of archiving.

    • Re:

      ZIP is the choice of amateurs, not professionals.

    • Re:

      Zip? The hallmark of the true amateurs that mistake themselves for "professionals"....

      • Re:

        Then go for your WinRAR from ruZZia with love.

        • Re:

          It's all 7z now. Why would you use RAR today? And by extension, why would you use WinRAR when you can use 7zFM?

          • Re:

            OK, here is the way I think about it:
            1. Particular speed/size wins, which you might be advocating by pointing to another archive format, are not essential when performance and space are very much secondary concerns nowadays
            2. Software coming from particular countries is of much bigger concern
            3. I do believe that an integral part of the OS serving the needs of archiving and extracting is proper engineering design and correctly assigned responsibility; as such, it's all about ZIP
            4. When working on clients' computers

    • Re:

      Lol, no! Zip is convenient for home use, but not for serious IT work. For example, filename encoding standard adherence is "we do whatever we like and you cannot guess what it will be". And the filename is located in two places, sometimes differing. Error reporting is sometimes at the correct level, sometimes not. It is not the worst to work with, but some wasted time will inevitably add up. Heck no with zip!
      • Re:

        We have another fleet of compression/packing utilities "for serious IT work" on "serious OSes". In the context of the discussed article, we are covering the application of WinRAR, which is for a non-serious OS and exists not for serious reasons but as a historical possibility to split large archives into chunks of floppy disks (assuming they have no bad sectors). Please do not portray yourself as a high-flight professional if you are not ready to accept the limited domain of this discussion professionally.

  • 7z is as good as (if not better than) Rar and it's free and open unlike the proprietary Rar format.

    • Re:

      7z is generally slow AF. xz is too. tar cf foo.tar.zstd --use-compress-program zstd.....
  • I only use WinRAR on DOS or Windows <= XP for retro warez, and mostly use macOS and Linux, so I guess I'm not the best target.
  • I know I'm the odd man out here, but WinRAR has a few things that are unique, and with the way I use it, the vulnerability isn't really an issue. And yes, I have registered it, 1+ copy for every machine.

    1: The recovery records are a nice thing to have for long term archiving. I have pulled files from 20+ years ago, and even with damage to archives, because I used recovery records, I was able to completely recover the contents. Yes, I could use PAR2, but PAR2 support requires a lot more hoops to jump through than WinRAR.

    2: The archive segmentation and recovery volumes are nice.

    3: It is easily used via a cron job for backups, and it offers good compression as well as deduplication, around the level of 7Zip if I choose to use solid archives, but I prefer trading size for a bit more recoverability, so I don't use solid archives, and add a 3-5% recovery record.

    4: It has decent AES encryption.

    5: Every unarchiver supports it. The unrar source code is, IIRC, freely available, so opening a WinRAR archive is easy.

    Overall, it works well for a nightly backup program, once you get used to the command line, and is ideal for long term archives because it can not only detect CRC errors (especially if BLAKE2 is enabled), but perhaps repair them.

  • more like a feature.
  • This is nothing more than a simple buffer overflow, of the type I'd have thought had been eliminated long ago. All you need to do to avoid it is use bounds checking to make sure that your input strings aren't bigger than your buffer or, if you prefer, use input functions and string manipulation functions that have the maximum number of bytes accepted as an argument/parameter, instead of those that don't. If you can't input (or have read in from a file) an arbitrary number of bytes, you can't create a buffer o
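As an added example (not code from the article, the commenter, or WinRAR) of the bounds checking this comment and the quoted ZDI advisory describe, here is a parser for a constructed, simplified length-prefixed record that refuses any declared length exceeding either the remaining input or the destination buffer; the record layout, struct names and error codes are assumptions for illustration, not the RAR format.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified "recovery record" layout for illustration only
 * (not the real RAR format): 1 byte type, 2-byte little-endian payload
 * length, then the payload. Every byte is attacker-controlled input. */
#define HEADER_LEN 3
#define MAX_PAYLOAD 16

typedef struct {
    uint8_t type;
    uint16_t length;
    uint8_t payload[MAX_PAYLOAD];
} record_t;

enum { REC_OK = 0, REC_TRUNCATED = -1, REC_TOO_LARGE = -2 };

/* Parse one record from an untrusted buffer. Every length is checked
 * against what actually exists before it is allowed to drive a copy. */
int parse_record(const uint8_t *buf, size_t buf_len, record_t *out)
{
    if (buf_len < HEADER_LEN)
        return REC_TRUNCATED;            /* cannot even read the header */
    uint16_t declared = (uint16_t)(buf[1] | (buf[2] << 8));
    /* Check 1: the declared length must fit the destination. Skipping this
     * is the bug class in the summary: a copy runs past the allocated buffer. */
    if (declared > MAX_PAYLOAD)
        return REC_TOO_LARGE;
    /* Check 2: the declared length must really be present in the input,
     * otherwise the copy reads past the end of the input buffer. */
    if (declared > buf_len - HEADER_LEN)
        return REC_TRUNCATED;
    out->type = buf[0];
    out->length = declared;
    memcpy(out->payload, buf + HEADER_LEN, declared);   /* bounded copy */
    return REC_OK;
}

int main(void)
{
    /* Constructed samples: a well-formed record and one whose header
     * claims far more payload than the 16-byte destination can hold. */
    const uint8_t good[] = {0x01, 0x05, 0x00, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t oversize[] = {0x01, 0xFF, 0xFF, 'x'};
    record_t r;
    printf("good: %d\n", parse_record(good, sizeof good, &r));
    printf("oversize: %d\n", parse_record(oversize, sizeof oversize, &r));
    return 0;
}
```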
