Security News > 2023 > August > Using WinRAR? Be sure to patch against these code execution bugs…
WinRAR could start a wrong file after a user double- clicked an item in a specially crafted archive.
That's a bit like receiving an email containing a safe-looking attachment along with a risky-looking one, deciding to start by investigating only the safe-looking one, but unknowingly firing up the risky file instead. From what we can tell, and in another irony, this bug existed in WinRAR's code for unpacking ZIP files, not in the code for processing its very own RAR file format.
Two-faced ZIP files have been a cybersecurity problem for years, because the index of files and directories in any ZIP archive appears twice, once in a series of data blocks interleaved throughout the file, and then again in a single chunk of data at the end.
We don't know whether this double-index issue is the root cause of the recent WinRAR bug, but it's a reminder that unpacking archive files can be a complex and error-prone process which needs careful attention to security, even at the cost of extra processing and reduced performance.
As far as we can see, WinRAR doesn't generate old-style recovery data any more, and has used smarter error correction algotithms since version 5, but for reasons of backwards compatibility still processes old-style files if they're presented.
Remember that when attackers create booby-trapped files hoping to trip up your software, they're generally not using your software to create those files anyway, so testing your own input routines only against files that your own output routines originally created is never enough.