Winrar: Mark of the Web problems in Windows and a Linux loophole fixed

Version 7.00 of the Winrar archive software also closes security gaps. Under Linux, screen output can be forged; under Windows, MotW markers can be manipulated.


Winrar 7.00 was released a few weeks ago. The new version closes security gaps that attackers can abuse, for example, to forge output on the Linux or Unix command line. In addition, previous versions had problems with the Mark-of-the-Web (MotW) marking of files under Windows.

According to the vulnerability description in the now published CVE entry (CVE-2024-33899, no CVSS value, no risk rating), Rarlab Winrar before version 7.00 on Linux and Unix allows attackers to forge screen output with ANSI escape sequences or to provoke a denial of service. In the changelog for Winrar 7.00, the developers explain in more detail that the console version of rar now filters the ASCII character 27 (escape, often displayed in the console as ^[) from the screen output. This is done for security reasons. However, the developers do not explain what a DoS attack might look like.
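As an added illustration (not code from Rarlab or from the original article), the following sketch applies the kind of filtering the changelog describes to archive member names before they are printed to a terminal. It goes beyond the changelog by making every control character visible rather than only ASCII 27; the function names and the sample names are assumptions constructed for this example.

```python
import unicodedata

ESC = "\x1b"  # ASCII 27, the character the Winrar 7.00 changelog says rar now filters


def is_terminal_control(ch: str) -> bool:
    """True for C0/C1 control characters and DEL (Unicode category Cc)."""
    return unicodedata.category(ch) == "Cc"


def sanitize_for_terminal(text: str) -> str:
    """Replace control characters with a visible \\xNN form so the
    terminal prints them as text instead of interpreting them."""
    return "".join(
        f"\\x{ord(ch):02x}" if is_terminal_control(ch) else ch for ch in text
    )


def audit_names(names):
    """Return (safe_name, has_escape, has_other_control) for each name.

    has_escape marks names carrying ASCII 27; has_other_control marks
    names carrying any other control character (CR, LF, BS, ...)."""
    report = []
    for name in names:
        has_esc = ESC in name
        has_other = any(is_terminal_control(c) and c != ESC for c in name)
        report.append((sanitize_for_terminal(name), has_esc, has_other))
    return report


# Constructed sample member names (not taken from any real archive).
SAMPLE_NAMES = [
    "docs/readme.txt",
    "docs/\x1b[31mnotes.txt\x1b[0m",  # ESC-based colour sequence in the name
    "data/report\r.csv",              # carriage return, no ESC
]

if __name__ == "__main__":
    for safe, esc, other in audit_names(SAMPLE_NAMES):
        flag = "ESC" if esc else ("CTRL" if other else "ok")
        print(f"{flag:4} {safe}")
```

Run on a listing from a rar version older than 7.00, a check like this shows which member names would have reached the terminal with escape characters intact.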

It was also possible to overwrite the Mark-of-the-Web marker, which is transferred from the archive to extracted files, and to change the security zone information with a specially prepared .rar archive, the Winrar programmers write in the changelog. The Mark-of-the-Web marker is intended to serve as a security function. When opening Office files marked with it, Microsoft Office issues warnings and activates read-only mode. For executable files, Windows is supposed to warn that the file could be unsafe because it originates from the Internet.

Only the GUI version of Winrar is affected; the unrar.dll library does not process MotW information at all. Vulnerabilities in the MotW system are a recurring feature of Microsoft Patchdays. In November 2022, for example, Microsoft had to correct actively exploited gaps in the MotW system.

Anyone using Winrar on Windows or rar on Linux or other Unix dialects should therefore update to version 7.00 or newer. The current versions are available on the rarlabs download page.

Security vulnerabilities in Winrar became known last August. Cyber criminals had been abusing some of them since April. Winrar version 6.23 patched the vulnerabilities. Somewhat later, it emerged that state-supported cyber gangs had also exploited the vulnerabilities, as reported by Google's TAG team.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.