WinRAR Flaw Let Hackers Run Programs When Opening RAR Files, Patch Issued


Venerable shareware archiving app WinRAR has recently been patched to fix an alarming flaw. The update to WinRAR version 6.23, spotted by Bleeping Computer, fixes the high-severity vulnerability CVE-2023-40477. In brief, earlier versions of WinRAR were vectors for arbitrary code execution (running a program of the attacker's choosing) if an attacker could tempt the user into opening a specially crafted RAR file.

If we look at the Zero Day Initiative's description of the now-patched WinRAR flaw, it explains the following:

  • The vulnerability allowed remote attackers to execute arbitrary code,
  • The flaw was due to the program's handling of recovery volumes,
  • The flaw stemmed from the application's improper validation of user-supplied data,
  • This meant hackers could access memory beyond the end of an allocated buffer for their dastardly deeds, but…
  • Importantly, a user would have to visit a disguised malicious page or open a file to fall victim to hackers.


Security researcher "goodbyeselene" is credited with discovering the WinRAR flaw described in CVE-2023-40477. They reported the vulnerability to WinRAR developers in early June. News of the flaw was published (August 17) several days after version 6.23 had become available for users to download (August 2), so that people had plenty of time to update.

In the WinRAR v6.23 release notes we see CVE-2023-40477 described as "a security issue involving out of bounds write is fixed in RAR4 recovery volumes processing code." However, it doesn't look like it was the only vulnerability squashed: v6.23 also fixes an issue where WinRAR could be steered to "start a wrong file" after a user double clicked an item in a specially crafted archive.
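As an added, defender-side example that is not part of the article or of RARLAB's own tooling: a PowerShell check that lists installed WinRAR copies and flags any older than 6.23, the version the release notes describe as fixing CVE-2023-40477. It assumes WinRAR registers itself in the standard Uninstall registry keys with a DisplayName beginning "WinRAR" and a dotted DisplayVersion, and that the default install path is under Program Files; all of these are assumptions.

```powershell
# Added example, not from the article or RARLAB. Flags WinRAR installs older
# than 6.23 (the fixed version named in the v6.23 release notes).
$PatchedMajor = 6
$PatchedMinor = 23

function Test-WinRarPatched {
    param([Parameter(Mandatory)][string]$VersionString)
    # Compare major.minor only: [version]"6.23" sorts below [version]"6.23.0"
    # in .NET, so a naive comparison would misjudge equal releases.
    $v = [version]$VersionString
    return ($v.Major -gt $PatchedMajor) -or
           ($v.Major -eq $PatchedMajor -and $v.Minor -ge $PatchedMinor)
}

function Get-WinRarInstalls {
    # Uninstall entries for 64-bit and 32-bit installs on a 64-bit host.
    # DisplayName/DisplayVersion layout for WinRAR is an assumption.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $found = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'WinRAR*' -and $_.DisplayVersion } |
        ForEach-Object {
            [pscustomobject]@{
                Source  = 'Registry'
                Version = $_.DisplayVersion
                Patched = Test-WinRarPatched $_.DisplayVersion
            }
        }
    if ($found) { return $found }

    # Fallback: read the binary's file version from the default install paths.
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        $exe = Join-Path $root 'WinRAR\WinRAR.exe'
        if ($root -and (Test-Path $exe)) {
            $fv = (Get-Item $exe).VersionInfo.FileVersion
            [pscustomobject]@{
                Source  = $exe
                Version = $fv
                Patched = Test-WinRarPatched $fv
            }
        }
    }
}

$installs = @(Get-WinRarInstalls)
if (-not $installs) { Write-Output 'No WinRAR install detected.' }
$installs | Format-Table -AutoSize
$installs | Where-Object { -not $_.Patched } |
    ForEach-Object { Write-Warning "WinRAR $($_.Version) predates 6.23; update it." }
```

Run it in an elevated or standard session on each host; the registry keys are world-readable, so admin rights are not required for the check itself.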

Is WinRAR Doomed?

Back in May, we covered the news that Windows would be adding native RAR support in a future update, similar to the way it currently handles .zip files. This Windows 11 File Explorer enhancement is delivered thanks to the folding-in of the open-source project libarchive. With libarchive integration, Windows should be able to (de)compress many more archive formats, such as lha, pax, tar, tgz, and 7z. Though devs/testers can dabble with native RAR support now, it is only expected to arrive for mass consumption starting from next month.

WinRAR has put a brave face on the fact that Windows 11 is soon to get integrated support for this popular archiving format. Of course, a Windows integrated RAR archive context menu isn't going to replace a fully featured app like WinRAR and all its archive processing options.

Mark Tyson
News Editor

Mark Tyson is a news editor at Tom's Hardware. He enjoys covering the full breadth of PC tech; from business and semiconductor design to products approaching the edge of reason.

  • hotaru251
    What is the benefit of using WinRAR over, say, 7-Zip?

    I just always used 7z for many years and never cared if there was a benefit to using WinRAR.
  • RichardtST
    I'm shocked! Shocked I tell you! Well, OK, not that shocked...
  • hotaru251
    RichardtST said:
    I'm shocked! Shocked I tell you! Well, OK, not that shocked...
    @WinRAR_RARLAB on Twitter (I don't care what a manchild wants to call it) tweets when people buy it.

    And it happens a lot more than people would assume.
    There was a buyer on the 18th and the 16th of Aug, for example.
  • BogdanH
    hotaru251 said:
    What is the benefit of using WinRAR over, say, 7-Zip?
    ...
    In my experience, for the average home user it doesn't matter much which one you prefer to use - they both work and I have both installed.
    I mostly use WinRAR because it has a more "friendly" UI (for compression and other settings) and it can also compress/decompress zip files and decompress 7-Zip files... which makes it kinda universal.
    On the other hand, 7-Zip can open/extract some additional formats (ISO, wim, etc.).
    If you compress a big amount (GBs) of files then, depending on the content of the files, sometimes 7-Zip is the better compressor and sometimes rar is better... meaning, if you repeatedly compress a big amount of the same type of data, then it's worth checking which of these two does the better job for you (so you can save some storage space).
    Other than that, my impression is that 7-Zip is faster at decompression - again, only maybe important for big amounts of data. On the other hand, I think WinRAR gives the user more control over compression settings - to save as much space as possible.
    In summary: it's a personal choice :)
  • derekullo
    BogdanH said:
    In my experience, for the average home user it doesn't matter much which one you prefer to use - they both work and I have both installed.
    I mostly use WinRAR because it has a more "friendly" UI (for compression and other settings) and it can also compress/decompress zip files and decompress 7-Zip files... which makes it kinda universal.
    On the other hand, 7-Zip can open/extract some additional formats (ISO, wim, etc.).
    If you compress a big amount (GBs) of files then, depending on the content of the files, sometimes 7-Zip is the better compressor and sometimes rar is better... meaning, if you repeatedly compress a big amount of the same type of data, then it's worth checking which of these two does the better job for you (so you can save some storage space).
    Other than that, my impression is that 7-Zip is faster at decompression - again, only maybe important for big amounts of data. On the other hand, I think WinRAR gives the user more control over compression settings - to save as much space as possible.
    In summary: it's a personal choice :)
    If you are that focused on compressing files, you can use XigmaNAS or FreeNAS to create a dataset with gzip or lz4 compression.
    With that setting, the compression is done automatically (inline compression) when you copy the file to storage.