WinRAR's latest release fixes a dangerous RCE security vulnerability

Alfonso Maruccia

The big picture: Although it is marketed as "trialware," WinRAR remains one of the most popular file archiving programs. That popularity makes any significant security flaw in Rarlab's tool attractive to attackers: a crafted archive that a victim is tricked into opening can easily be turned into a vector for malicious campaigns.

The Zero Day Initiative (ZDI) recently disclosed a high-severity vulnerability in WinRAR, the Windows archiver created by Eugene Roshal for managing RAR archives. The bug, tracked as CVE-2023-40477, is an improper validation of an array index during recovery volume processing. In the worst case, an attacker who gets a target to open a specially crafted archive could use the flaw to execute arbitrary (malicious) code on the target's machine.

CVE-2023-40477 carries a CVSS score of 7.8 (high rather than critical), primarily because exploitation requires user interaction: the victim has to open a malicious file or visit a malicious page. The underlying defect is a classic memory-safety problem. Data taken from the archive is used without sufficient validation, which allows a write beyond the end of an allocated buffer. As ZDI warns, an attacker can leverage this to execute code in the context of the current process, that is, with the privileges of the user running WinRAR.
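The following is an added illustration of the bug class described above (an index read from untrusted file data used to address an array without a range check), not WinRAR's code and not the actual layout of RAR recovery volumes. The record format, the names and the sizes are hypothetical; the vulnerable routine is shown beside the checked one so the difference in behaviour on a malicious record is visible.

```c
/* Added illustration of an unchecked array index from file data (the bug
 * class behind CVE-2023-40477). Not WinRAR code; record layout, names and
 * sizes are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SLOT_COUNT 8
#define SLOT_BYTES 4
#define TABLE_BYTES (SLOT_COUNT * SLOT_BYTES)
#define CANARY_BYTES 4

/* One memory region: a slot table followed by a marker standing in for
 * whatever really sits after such a table (another object, a pointer,
 * allocator metadata). An overwrite of the marker is the observable damage. */
typedef struct {
    uint8_t region[TABLE_BYTES + CANARY_BYTES];
} recovery_table;

static const uint8_t CANARY[CANARY_BYTES] = {0xA5, 0xA5, 0xA5, 0xA5};

void table_init(recovery_table *t) {
    memset(t->region, 0, TABLE_BYTES);
    memcpy(t->region + TABLE_BYTES, CANARY, CANARY_BYTES);
}

/* 1 if the bytes after the table are still intact, 0 if they were overwritten. */
int table_intact(const recovery_table *t) {
    return memcmp(t->region + TABLE_BYTES, CANARY, CANARY_BYTES) == 0;
}

/* Hypothetical record format: byte 0 = slot index, bytes 1..4 = slot data. */
enum { REC_LEN = 1 + SLOT_BYTES };

/* Vulnerable: validates the record length but never the index it carries.
 * Any index >= SLOT_COUNT writes SLOT_BYTES past the end of the table; an
 * index above SLOT_COUNT would even leave the region object entirely, so the
 * demo below keeps the index at exactly SLOT_COUNT to stay observable. */
int apply_record_unchecked(recovery_table *t, const uint8_t *rec, size_t len) {
    if (len < REC_LEN) return -1;
    size_t idx = rec[0];
    memcpy(t->region + idx * SLOT_BYTES, rec + 1, SLOT_BYTES);
    return 0;
}

/* Fixed: reject the record before its index is ever used to form an address. */
int apply_record_checked(recovery_table *t, const uint8_t *rec, size_t len) {
    if (len < REC_LEN) return -1;
    size_t idx = rec[0];
    if (idx >= SLOT_COUNT) return -2;   /* out-of-range index: refuse the record */
    memcpy(t->region + idx * SLOT_BYTES, rec + 1, SLOT_BYTES);
    return 0;
}

/* Feeds a constructed record whose index is one past the table to both
 * routines. Returns 1 when the checked routine rejects it and leaves the
 * bytes after the table intact while the unchecked one clobbers them. */
int demo(void) {
    /* Constructed malicious record: index 8 in an 8-slot table. */
    const uint8_t bad[REC_LEN] = {SLOT_COUNT, 0x41, 0x41, 0x41, 0x41};
    recovery_table a, b;
    table_init(&a);
    table_init(&b);
    int ra = apply_record_unchecked(&a, bad, sizeof bad);
    int rb = apply_record_checked(&b, bad, sizeof bad);
    printf("unchecked: rc=%d, memory after table intact=%d\n", ra, table_intact(&a));
    printf("checked:   rc=%d, memory after table intact=%d\n", rb, table_intact(&b));
    return rb == -2 && table_intact(&b) && !table_intact(&a);
}

int main(void) {
    return demo() ? 0 : 1;
}
```

The point of the pair is where the check sits: the length check alone is not enough, because the index is itself attacker-controlled data and must be compared against the table's real bound before it takes part in any address computation. In a real archiver the bytes after the table are not a marker but live program state, which is how a write like this becomes code execution.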

The discovery is credited to a researcher using the handle "goodbyeselene." ZDI reported the bug to Rarlab in June. The public advisory appeared only recently, a couple of weeks after Rarlab had fixed the bug in its newest WinRAR update.

WinRAR 6.23, released on August 2, 2023, includes a security fix for an "out of bounds write" in the code that processes recovery volumes for the older RAR4 archive format. Rarlab credited goodbyeselene and Trend Micro's ZDI for the research, though it took the company two months to close this potentially dangerous gap. Note that WinRAR does not check for updates on its own, so anyone still on an older version has to download and install 6.23 manually.

Other changes in WinRAR 6.23 include extraction of XZ archives compressed with the ARM64 filter, safer handling of Rar$LS* temporary files, fixes for other security defects, improvements to file system metadata handling, and more. WinRAR is "trialware": users can try the software free for up to 40 days, after which it keeps working but its advanced features become inaccessible.

With Microsoft currently testing native support for the RAR, 7-Zip and GZ formats in Windows 11, RAR archives are likely to gain even more traction in the coming months and years. Rarlab also publishes the C++ source code of UnRAR, its command-line unpacking utility; the code remains copyrighted but is freely available.


 
You'd think they would have a "there is an update available" when you open it.
Oh well, thanks for the post. I was still on 5.9x
 
There's been absolutely no point in using this garbage in the past 20 years. Switch to 7-zip already.
 
There's been absolutely no point in using this garbage in the past 20 years. Switch to 7-zip already.
Perhaps, but I needed WinRAR many years ago for files that only came in .rar, winzip couldn't do anything with the files and 7zip wasn't even around then. I purchased a license for WinRAR to show support a long time ago when I used it a lot and it's still supported to this day.

I'm generally not trying to compress anything so it matters not to me which may be better at it. WinRAR still works, I've got zero issues with it and if by some chance it can't do what I need I can always use 7zip.
 
I haven't used WinRAR in decades. Surprised it's still around. 7Zip is the best container program in the world, by far.
 
You'd think they would have a "there is an update available" when you open it.
Oh well, thanks for the post. I was still on 5.9x
Some people don't allow programs that don't, or shouldn't, need the internet access to same.
 