The big picture: Despite being marketed as “trialware”, WinRAR remains one of the most popular file archiving programs. If a serious security flaw is found in it, Rarlab’s tool can easily be leveraged in malicious campaigns.
Zero Day Initiative (ZDI) recently disclosed a high-severity vulnerability in WinRAR, the Windows-only RAR archive manager developed by Eugene Roshal. Tracked as CVE-2023-40477, the bug is described as improper validation of an array index while processing recovery volumes. In the worst case, the flaw could be exploited to execute arbitrary (malicious) code remotely.
The CVE-2023-40477 vulnerability is rated 7.8 in severity, a score tempered by the fact that exploitation requires user interaction. The bug stems from what appears to be a classic buffer overflow: user-supplied data is not properly validated, which can lead to a memory access past the end of an allocated buffer. An attacker could exploit this condition to execute code in the context of the current process, ZDI warns.
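To make the bug class concrete, here is an added illustration in C of the unvalidated-array-index pattern the advisory describes, beside a hardened form. It is hypothetical example code written for this article, not WinRAR’s or Rarlab’s source: the recovery-volume table (`VOLUME_SLOTS`), the `[u32 index][u32 value]` record layout and the sample byte streams are all constructed assumptions chosen to show the check that an out-of-bounds write needs.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical table: a fixed number of recovery-volume slots (assumed). */
#define VOLUME_SLOTS 8

typedef struct {
    uint32_t slots[VOLUME_SLOTS];
} volume_table;

/* Flawed pattern: an index read from the archive is used directly, so an
 * out-of-range index writes past the end of slots[]. Shown for contrast
 * only; it is never called with untrusted input in this example. */
void store_slot_unchecked(volume_table *t, uint32_t index, uint32_t value)
{
    t->slots[index] = value;
}

/* Hardened form: reject any index outside the table before touching memory. */
static int store_slot_checked(volume_table *t, uint32_t index, uint32_t value)
{
    if (index >= VOLUME_SLOTS)
        return -1;
    t->slots[index] = value;
    return 0;
}

/* Little-endian 32-bit read of attacker-controlled header bytes. */
static uint32_t read_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a constructed stream of [u32 index][u32 value] records and apply
 * each to the table. Returns the number of records applied, or -1 if the
 * stream is malformed or any index is out of range. Every index is
 * validated before the first write, so a bad record leaves the table
 * untouched instead of partially modified. */
int apply_records(volume_table *t, const uint8_t *buf, size_t len)
{
    if (len % 8 != 0)
        return -1;
    for (size_t off = 0; off < len; off += 8) {      /* validate first */
        if (read_u32le(buf + off) >= VOLUME_SLOTS)
            return -1;
    }
    int applied = 0;
    for (size_t off = 0; off < len; off += 8) {      /* then apply */
        uint32_t idx = read_u32le(buf + off);
        uint32_t val = read_u32le(buf + off + 4);
        if (store_slot_checked(t, idx, val) != 0)
            return -1;  /* unreachable after validation; kept defensively */
        applied++;
    }
    return applied;
}

/* Constructed sample inputs (not real archive data). */
static const uint8_t GOOD_RECORDS[] = {
    3, 0, 0, 0,   42, 0, 0, 0,   /* slot 3 = 42 */
    7, 0, 0, 0,    9, 0, 0, 0,   /* slot 7 = 9, the last valid slot */
};
static const uint8_t BAD_RECORDS[] = {
    0, 0, 0, 0,    1, 0, 0, 0,                        /* slot 0 = 1 */
    0xFF, 0xFF, 0xFF, 0xFF,   0x41, 0x41, 0x41, 0x41, /* index 0xFFFFFFFF */
};

/* Applies the good stream; returns the value that landed in slot 3. */
int demo_good_slot3(void)
{
    volume_table t;
    memset(&t, 0, sizeof t);
    if (apply_records(&t, GOOD_RECORDS, sizeof GOOD_RECORDS) != 2)
        return -1;
    return (int)t.slots[3];
}

/* Applies the bad stream; returns apply_records()'s result (-1 expected)
 * and -2 if the valid first record was wrongly written before rejection. */
int demo_bad_rejected(void)
{
    volume_table t;
    memset(&t, 0, sizeof t);
    int rc = apply_records(&t, BAD_RECORDS, sizeof BAD_RECORDS);
    if (t.slots[0] != 0)
        return -2;
    return rc;
}

int main(void)
{
    printf("good stream: slot 3 = %d\n", demo_good_slot3());
    printf("bad stream: apply_records returned %d\n", demo_bad_rejected());
    return 0;
}
```

The two-pass structure is the design point: validating all indices before writing any of them means a crafted record cannot leave the table half-updated, which is the behaviour a parser of untrusted archive metadata should have regardless of which format it reads.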
The vulnerability discovery is credited to “goodbyeselene,” and ZDI disclosed its existence to Rarlab in June. The coordinated public release of the security advisory happened in the past few days, just a couple of weeks after Rarlab finally fixed the bug with its latest WinRAR update.
WinRAR 6.23, which was released on August 2, 2023, contains a security fix for an issue involving “out of bounds write” instances in the recovery volumes processing code of the older RAR4 archive format. Rarlab acknowledged research efforts from goodbyeselene and Trend Micro’s ZDI, even though it took the company two months to close a potentially very dangerous security vulnerability.
Other improvements brought by the WinRAR 6.23 release include extraction capabilities for XZ archives (using ARM64 filter), a more secure management of Rar$LS* temporary files, bugfixes for other security flaws, file system metadata management, and more. WinRAR is sold as a “trialware” product, which means that users can test the program for no more than 40 days. After trial expiration, however, the program will continue to work with its enterprise features locked.
RAR archives are likely destined to become even more popular in the coming months and years, as Microsoft is currently testing native support for the format (plus 7-Zip and GZ files) on Windows 11. Rarlab already provides a copyrighted, albeit freeware version of the C++ source code of UnRAR, its command-line archive unpacker tool.