Just don’t use WinRAR, OK?

Topic

New Reply

I’ve been trying to avoid this topic, but it now appears to be engulfing the blogosphere. If you use WinRAR, you were suckered. I’ve never recommended
[See the full post at: Just don’t use WinRAR, OK?]

4 users thanked author for this post.

abbodi86, Morty, GreatAndPowerfulTech

Reply | Quote

Replies

While 7-zip can open RAR files, it can’t create them on its own without WinRAR (or the original command line RAR) installed. This is true of any program, due to the RAR license. So people who actually make RAR files  keep WinRAR for that.

However, it appears to me that they could just keep the rar.exe file and get rid of the rest of WinRAR. All they’d have to do is point 7-zip to the rar.exe file.

Reply | Quote

For anyone who wants to keep their current version of WinRAR, it should only be necessary to delete UNACEV2.DLL from the WinRAR program folder, as shown in the ghacks.net fix.

Reply | Quote

…delete UNACEV2.DLL or rename the file.
Total Commander also uses UNACEV2.DLL.

Remember to delete/rename from your system backups as well.

Reply | Quote

UNACEV2.DLL doesn’t exist in my WinRAR 5.70 installation.

In “C:\Program Files\WinRAR\WhatsNew.txt”, they have this note:

21. Nadav Grossman from Check Point Software Technologies informed us
about a security vulnerability in UNACEV2.DLL library.
Aforementioned vulnerability makes possible to create files
in arbitrary folders inside or outside of destination folder
when unpacking ACE archives.
WinRAR used this third party library to unpack ACE archives.
UNACEV2.DLL had not been updated since 2005 and we do not have access
to its source code. So we decided to drop ACE archive format support
to protect security of WinRAR users.
We are thankful to Check Point Software Technologies for reporting
this issue.

So does this mean 5.70 is safe? Are my old .RAR files safe?

2 users thanked author for this post.

Fred, lmacri

Reply | Quote

Sparkwell3000The file has been removed in 5.70.

1 user thanked author for this post.

Fred

Reply | Quote

So does this mean 5.70 is safe? Are my old .RAR files safe?

Yep, it sure does! That goes for both questions.

That vulnerability was only “exposed” if you were to use WinRAR with a version number below 5.70 (or possibly another compressed file viewer/extractor that uses unacev2.dll) to open a file compressed with the ACE method.
However, as pointed out in other posts, just because a compressed file’s name ends with something besides “.ACE” doesn’t mean it wasn’t compressed with that method when it was created. That’s one thing that’s making this vulnerability particularly troublesome.

1 user thanked author for this post.

Sparkwell3000

Reply | Quote

“UNACEV2.DLL doesn’t exist in my WinRAR 5.70 installation.”

The file has been removed in 5.70 as part of the fix.

 

1 user thanked author for this post.

Sparkwell3000

Reply | Quote

Windows has a built-in option to right-click and extract the files without a separate third-party application.  However, I do like to just double-click on a file, so I prefer Bandizip Free.  Unlike 7-zip, I can set the options to just quietly unzip and open the folder without having an open window to close. It saves a tiny amount of time and, personally, aggravation.  I can also set it to preview files and save in .7z by default.

7-zip and Peazip are alternatives, but they leave an open window and are not integrated as well as a right-click on a file; therefore, they don’t increase my productivity at all.

Reply | Quote

Actually 7-Zip does integrate into your right click option context menu.  But you have to turn it on after installing.

Run as Admin the 7-Zip File Manager (from the Windows start menu)

Select Tools, then Options, and select the 7-Zip tab.

Check the options “Integrate 7-Zip to shell context menu” and Apply.

 

Viola!

~ Group "Weekend" ~

1 user thanked author for this post.

Microfix

Reply | Quote

It’s like all programs/ utilities, dig into the settings/ configs to get what one wants and how one would like it presented during/ after installation.
Tip: always do a custom install and check for unecessary tickbox junkware and don’t assume default is the best option.

Windows - commercial by definition and now function...

1 user thanked author for this post.

SueW

Reply | Quote

Unfortunately according to the agreement only two ways Bandizip can not phone home, is never installing the software or blocking the outbound traffic.

Reply | Quote

would not updating to WinRAR v5.70 also sort the issue out?

1 user thanked author for this post.

Fred

Reply | Quote

It doesn’t solve the $29 price tag issue.

We should be past the point of someone profiting off a simple compression algorithm that they wrote 25+ years ago.

Reply | Quote

Most seem to have been able to update without further payment, and they do offer help for a lost registration key:
https://www.win-rar.com/lostkey.html.

Reply | Quote

Can Windows 10 still open very old cabinet files that use LZX compression?

Reply | Quote

Those software authors have a right to request payment for their works. I do wonder if we have paid Microsoft their for inclusion of older compression algorithms used during servicing of windows or for opening an old cabinet file.

Reply | Quote

Since the ACE exploit puts malware into startup folder, the recently recommended Safe Startup app should also let you know if something nefarious has appeared in this folder. Not a solution to the problem, but still an extra line of defence for any exploit that works this way.

Reply | Quote

arfurdent wrote:

would not updating to WinRAR v5.70 also sort the issue out?

That is also what I understood. Can anyone confirm if version 5.70 solves the problem?

Reply | Quote

arfurdent wrote:

would not updating to WinRAR v5.70 also sort the issue out?

That’s what I did to solve the issue!

Reply | Quote

woody wrote:

If you use WinRAR, you were suckered. I’ve never recommended it. But if for some reason you’ve installed it — or even paid for it — uninstall it and get something worthwhile (and free!) … Just don’t use WinRAR, OK?

The vulnerable UNACE is also available as an optional plugin for PeaZip, which you recommended here six months ago. It’s still available for download but PeaZip now recommend uninstalling it if installed: http://www.peazip.org/peazip-add-ons.html

ACE support was removed from Bandizip (mentioned in this thread) a month ago in version 6.21 due to the same issue: https://www.bandisoft.com/bandizip/history/

So it’s not just WinRAR.

1 user thanked author for this post.

woody

Reply | Quote

I have used WinRAR for years without problems, because I only need it to compress  or later decompress files of my own creation, or to decompress files I get from trusted sources. I liked it because it could be used with the several different types of encryption I expect to ever have to deal with.

It is probably a very different story when it is used for administrative or business-related work.

So I would say that it all depends on what one does with this, or for that matter, with any other application.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

‘Trusted source’ does not rule out the need for caution.

Example: I had a message from a family member I trust totally. The message had a link. Examination of the link (not opened but read) revealed it was probably advertising for a supplement drink. I deleted the message and told the sender. Later he asked what he should do to remove a virus from his machine.

Example 2: C*** Cleaner was trusted software. Someone replaced the clean CCleaner installer on the website with another that contained a trojan. Until that became known the infected installer passed a VirusTotal check with zero detections.

The point is, nothing relating to computers can be totally trusted. Even hardware

Reply | Quote

Those sources I mentioned are all big and much used government and university central repositories of scientific data. They are safer than anything I might be able to ensure on my own side; not perfect, for  sure, but safe enough for me. On the other hand, I do believe that people who, in the course of running their businesses, must routinely receive compressed files, tarballs, etc. from various sources they cannot know if they are very well protected from malware infection, using something like WinRAR to decompress those will put themselves at considerable risk and be much more likely to have bad outcomes.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Can we also add ccleaner to software we should not be using? I’ve used it for years with no ill effects but apart from the trojan that was snuck in back last year i was stunned to find out my version (which pre-dates this exploit) was silently upgraded in the background. Apparently this happened back in september as covered here – what’s worse is that they also enabled the option to send them telemetry.

Actually, i had a quick look on the forums to see if this topic has already been discussed but couldn’t find anything.

ETA: I see it has been discussed – https://www.askwoody.com/forums/topic/piriform-ccleaner-speccy

Reply | Quote

I had problems with CCleaner  and I was running Avast as an AV.   I uninstalled CCleaner 5.? and reinstalled 4.19 and moved from Avast to Kaspersky and no more problems.

Avast own CCleaner so Avast will keep pushing the latest version.

Reply | Quote

Here’s why I’m sticking with winrar

1. The issue is fixed, so update

2. Winrar offers baked-in recovery records without needing external par2 files

3.  It allows password protected rars with filename encryption, this allows you to upload things to google drive without it being scanned and flaggged.

4. As for registration, when you purchase winrar you get a file called rarreg.key (cough cough google)

2 users thanked author for this post.

Steve, Kranium

Reply | Quote

Number 3 applies to any sort of password protected archive, unless its encryption has been broken. ZIP and 7Z (7-Zip’s own format) both support password protection.  And 7z files have better compression, according to the sources I’ve found.

The fact that WinRAR is maintaining their software is great, and means you don’t have to get rid of it if you don’t want to. But there’s no need to use RAR to protect files from being scanned by Google.

Reply | Quote

I purchased WinRAR years ago and upgraded to 5.70 at no extra charge after reading this post.

Reply | Quote

It appears that there exists a completely open source implementation of the ACE decoder, in pure Python. It would make sense to use this instead of the vulnerable program to open existing ACE files (even if only for converting to a more modern format.)

https://www.roe.ch/acefile

Reply | Quote

Yeah, I mentioned that one, didn’t I?

Then again it’d also be possible to write an application that’d wrap the vulnerable DLL in layers of indirection and sanity checking, just… a lot of bother for no real gain, especially given the existence of that alternate decoder.

Reply | Quote

A question about both ACE and RAR compression, how common are/were they? I have seen zip and tarballs used commonly (tarballs mainly on Linux) but cannot remember seeing an ace or rar file. I just wondering if they are very unusual would 7-zip or something similar be a better option for most.

Reply | Quote

Since I have a “borrowed” copy of WinRar 5.60, I can’t update it. So I renamed the unacev2.dll file. I also noticed a file named “ace32loader” in the same folder so I renamed it as well. Hope this secures my rar files and folders.

Reply | Quote

People still use WinRAR? Most people I see use 7-Zip or WinZip. I personally haven’t used WinRAR since 2012. I found 7-Zip to be a far better program. And plus it’s open source.

Reply | Quote

Surely any reasonable antivirus program should detect this malware.

Reply | Quote

The problem is in part that, to be able to detect malware in encoded archives, the scanner would have to use a suitable decoder library. And since the only generally available decoder library is where the vulnerability is, here…

You may have noticed the scarcity of malware scanners that could scan ACE archives.

anonymous wrote:

3) It is AV task to remove malicious payload during extracting

Those are not, and cannot be, perfect.

And that’s not getting into the part where the AV cannot know if specific applications with specific embedded settings would be “malicious” for all organizations. (Yes, I’ve seen things get distributed into startup folders by group policies and whatever…)

Reply | Quote

WinRar is perhaps the best tool for handling huge multi-gigabyte zip64 files. I’ve seen 7 zip take long time to open them and then blow up, and many other utilities fail on them as well. WinRar opens them right up, no sweat.  I hope 7 zip will get fixed, but there’s still lots of reasons to use other compression tools.

Reply | Quote

Dear Woody,

Why so?

1) If you use WinRar, you already have it – so it cost nothing to update to latest version
2) If you don’t want to upgrade, just delete affected 3rd party dll
3) It is AV task to remove malicious payload during extracting

Reply | Quote

I have used WinRar for a long time (once registered always registered). I have tried all the various zip programs out there and WinRar does just what I need and does it very well. I have tried 7zip but never liked it, its interface is unfriendly and it seems its only advantage is that it is free.

The WinRar vulnerability as clearly stated affects .ace archives ONLY (including files with forged extensions). ACE is a legacy format and I don’t know anybody who still uses it. It is trivial to delete the unacev2.dll file and it is then safe. Or update to the latest version when it is removed anyway. Note that unacev2.dll is a third party program written by the developers of ACE and is used by several other zip archive programs, clearly the WinRar developers are unable to update this third party program and I doubt whether the ACE developers are still around.

Sad to see Woody condemning a program without finding out the facts.

 

2 users thanked author for this post.

Mele20, b

Reply | Quote

Dont understand this topic, latest version of Winrar (5.70) fixed that security problem. Is completely safe use it now.

3 users thanked author for this post.

b, columbia2011, Microfix

Reply | Quote

For winRAR Version 5.70 taken from their changelogs:
https://rarlab.com/rarnew.htm

21. Nadav Grossman from Check Point Software Technologies informed us
about a security vulnerability in UNACEV2.DLL library.
Aforementioned vulnerability makes possible to create files
in arbitrary folders inside or outside of destination folder
when unpacking ACE archives.

WinRAR used this third party library to unpack ACE archives.
UNACEV2.DLL had not been updated since 2005 and we do not have access
to its source code. So we decided to drop ACE archive format support
to protect security of WinRAR users.

We are thankful to Check Point Software Technologies for reporting
this issue.

my bolding.

Last updated:  26 February 2019

taken from: https://rarlab.com/

So in my book it’s safe to install v5.70 but make sure UNACEV2.DLL is NOT present in the program installation folder.

Tardy blogosphere news IMO but, good of @Woody to highlight that people need to update it

Windows - commercial by definition and now function...

1 user thanked author for this post.

OscarCP

Reply | Quote

Woody

You have always been pretty level when it comes to reporting from the field – but this one rubbed me the wrong way.

Phrases like:

“Suckered” ”

“But if you have WinRAR for some bizarre reason – get rid of it”

Are not constructive.

A better question for you to ask would be: Who the h*** uses ACE these days?

WinRAR is served me (and clearly many others) very well for years – and will continue to do so. The problem has been rectified with v5.70 and all is well.

If you like 7-zip – enjoy and move along – but I do not see the point in getting all high and mighty.

Sonic.

5 users thanked author for this post.

Steve, lanceboil, Mele20, b, OscarCP

Reply | Quote

Read point 21 on rarlab news about version 5.7

 

Reply | Quote

anonymous wrote:

Avast own CCleaner so Avast will keep pushing the latest version.

I think it’s the other way around – people installing ccleaner were finding that it was also installing avast through a ticked option in the installer. But those without avast were still finding ccleaner getting updated silently to 5.46 and two new tasks being created in the scheduler. I think they learnt their lesson but this along with turning on telemetry by default is the definition of malware and can no longer be trusted. I have also used avast for years and have had no problems with the basic installation and none of the bloat but it’s certainly made me think twice whether i want anything to do with them. I’m surprised you moved to kaspersky though, i trust them far less than avast!

Reply | Quote

I am not sure I trust Avast or Kaspersky completely.

Avast has the biggest percentage of the market but Kaspersky has better performance results.

Both offer very good detection and usability.

My personal opinion is Avast is more intrusive and this is why I gave them the flick.

After removing Avast I still had to cleanup a remaining Schedule task manually.

Reply | Quote

Not sure whether this happened yet but if the worry about Kaspersky is US government allegations of Russian government control, it seems Kaspersky are moving to Switzerland, user data will be stored in Switzerland and an third party will oversight. On paper, that sounds very good.

Reply | Quote

Just don’t use Windows, OK?
It costs money, it’s full of bugs, one cannot trust it………………

* _ ... _ *

2 users thanked author for this post.

lanceboil, Microfix

Reply | Quote

Some of us are wedded to it. A life without Windows is a pipe dream.

1 user thanked author for this post.

Fred

Reply | Quote

I’m fairly sure I’ve been to this argument before… Oh well.

Full of bugs, well, most software is, these days. Partially a matter of overwhelming complexity. Differences are quantitative.

Costs money is a funny thing – theoretically everything can be converted to monetary numbers… for businesses and such at least; so, differences are quantitative.

Cannot trust, well, that’s the one part where you could theoretically come up with a qualitative difference. I suppose something like OpenBSD is both small enough and considered trustworthy enough that a light audit of the entire base system would be doable… but if you’re a business and not a government or other religious/ethical/other principle-based institution, it too can be converted to monetary numbers.

So, feel free to do Total Cost of Ownership calculations again, with the interesting bits being monetary values of trustworthiness and risk management.

Reply | Quote