Venerable shareware archiving app WinRAR has recently been patched to fix an alarming flaw. The update to WinRAR version 6.23, spotted by Bleeping Computer, fixes the high-severity vulnerability tracked as CVE-2023-40477. In brief, earlier versions of WinRAR could be made to run attacker-chosen code (arbitrary code execution) if an attacker could tempt the user into opening a specially crafted RAR file.
If we look at the Zero Day Initiative’s description of the now-patched WinRAR flaw, it explains the following:
- The vulnerability allowed remote attackers to execute arbitrary code,
- The flaw was due to the program’s handling of recovery volumes,
- The flaw stemmed from the application’s improper validation of user-supplied data,
- This meant attackers could access memory beyond the end of an allocated buffer for their dastardly deeds, but…
- Importantly, a user would have to visit a disguised malicious page or open a file to fall victim to hackers.
Security researcher “goodbyeselene” is credited with discovering the WinRAR flaw described in CVE-2023-40477. They reported the vulnerability to WinRAR developers in early June. News of the flaw was published (August 17) several days after version 6.23 had become available for users to download (August 2), so that people had plenty of time to update.
In the WinRAR v6.23 release notes we see CVE-2023-40477 described as “a security issue involving out of bounds write is fixed in RAR4 recovery volumes processing code.” However, it doesn’t look like it was the only vulnerability squashed: v6.23 also fixes an issue where WinRAR could be steered to “start a wrong file” after a user double clicked an item in a specially crafted archive.
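As an added example that is not part of the original article, the following PowerShell check reports whether a host’s WinRAR install is older than the patched 6.23 release. The install paths and the assumption that WinRAR.exe’s file version tracks the product version are mine, not from the article or from WinRAR’s developers.

```powershell
# Added example: flags WinRAR installs older than the patched 6.23 release on the local host.
# Assumptions (not from the article): the two install paths below, and that WinRAR.exe's
# file version tracks the product version (e.g. 6.22.0.0 for WinRAR 6.22).
$PatchedVersion = [version]'6.23'
$CandidatePaths = @(
    "$env:ProgramFiles\WinRAR\WinRAR.exe",
    "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe"
)

function Get-WinRarPatchStatus {
    param(
        [string[]]$Paths = $CandidatePaths,
        [version]$MinimumVersion = $PatchedVersion
    )
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $fileVersion = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        $parsed = $null
        if (-not [version]::TryParse($fileVersion, [ref]$parsed)) {
            # Unparseable version string: surface it rather than silently treating it as patched.
            [pscustomobject]@{ Path = $path; Version = $fileVersion; Vulnerable = $null }
            continue
        }
        [pscustomobject]@{
            Path       = $path
            Version    = $parsed.ToString()
            # Anything older than 6.23 still carries the CVE-2023-40477 bug per the release notes.
            Vulnerable = ($parsed -lt $MinimumVersion)
        }
    }
}

$results = @(Get-WinRarPatchStatus)
if ($results.Count -eq 0) {
    Write-Output 'WinRAR.exe not found in the expected install locations.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it through your endpoint management tooling to inventory hosts; a row with Vulnerable set to True (or to nothing, for an unparseable version) needs a closer look.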
Is WinRAR Doomed?
Back in May, we covered the news that Windows would be adding native RAR support in a future update – similar to how it currently handles .zip files. This Windows 11 File Explorer enhancement is delivered thanks to the folding-in of the open-source project libarchive. With libarchive integration, Windows should be able to (de)compress many more archive types, including the lha, pax, tar, tgz, and 7z formats. Though devs/testers can dabble with native RAR support now, it is only expected to arrive for mass consumption starting from next month.
WinRAR has put a brave face on the fact that Windows 11 is soon to get integrated support for this popular archiving format. Of course, a Windows integrated RAR archive context menu isn’t going to replace a fully featured app like WinRAR and all its archive processing options.