> The exploit abused that feature to trigger a previously unknown path traversal flaw that caused WinRAR to plant malicious executables in attacker-chosen file paths %TEMP% and %LOCALAPPDATA%, which Windows normally makes off-limits because of their ability to execute code.
This seems... wrong? Isn't %LOCALAPPDATA% commonly used to store executables for programs that want to install for a single user and not the whole computer? An example of which includes Google Chrome?
The exploit abuses ADSes with ..\ in the name to drop files on the system that aren't visible in the WinRAR file browser. It drops malware in the temp directory and then a .lnk in the Startup directory to activate an attack against COM, influencing the DLL that's being loaded by legitimate applications.
> This seems... wrong? Isn't %LOCALAPPDATA% commonly used to store executables for programs that want to install for a single user and not the whole computer? An example of which includes Google Chrome?
%LocalAppData% is for files you wouldn't want to synchronize across multiple computers using the same account. Installed programs squarely fall into that category, even just based on size. %AppData% is also commonly used to install executables, but I'd consider that a bug. Just like putting your cache dir in %appdata% instead of %localappdata%
The only reason publishers use those appdata paths for executables is so regular users can install their software without needing an administrator or a UAC prompt, since Microsoft locked down installing to the various Program Files directories.
But %localappdata% has all the same advantages and permissions. Using %appdata% for executables is usually a mix of ignorance and indifference. Roaming user profiles are a rare setup nowadays and are even less common on developer machines. And it's not like it breaks in obvious ways, the is just more storage space used and login is slower because more data is transferred from the server, in a setup that devs and PMs don't use
The docs for the toolchain he implemented (https://github.com/taviso/rarvmtools) allude to a number of bugs, but doesn't sound (??) like they're related to this vulnerability.
The VM has long since been torn out of the RAR decompressor. These days, when it finds a file containing bytecode, it just hashes the bytecode and matches it against a few hardcoded routines that existed at the time.
Sounds like a good ingredient for a CTF or other puzzle. It could be a small obfuscation where player has to install an ancient version with the VM, or get crazier with a byecode hash collision or abusing undocumented VM quirks.
> WinRAR, a utility for compressing files, and has an installed base of about 500 million.
Yeah, right.
Edit: this figure is possibly taken from the WinRAR website [1]. It is more likely that there have been that many cumulative downloads, and even that seems to be a high number. Given that Windows has .zip file support built-in for quite some time, and the fact that nearly nobody downloads .zip files anymore, makes me very suspicious of this kind of statistic.
Until very recently Windows could not natively unarchive .rar files and you needed to download WinRAR to be able to do this. I still find it not terribly uncommon to run into a random .rar file that previously would have meant I needed to install it, even if I only used it once.
> and the fact that nearly nobody downloads .zip files anymore
Citation needed? Why would people not be downloading .zip files anymore?
Objective: 7z (the format) doesn't have the same data recovery options as RAR. As it stands, RAR remains one of the best options for long-term archival of data for casual users thanks to its optional recovery records.
7zip can't do all the same things. It's an incomplete WinRar clone that leaves out a lot of features and adds very little on its own, besides the 7zip format and being open source (both neat things, but that doesn't replace the long list of features it doesn't have or the worse UI)
WinRAR in my experience has a better speed/compression ratio than 7Zip. If you need best compression 7z is probably best but it will cost you some extra time. The GUI and integration of 7Zip also aren't as polished as WinRAR's. I've been using both since their early versions and each have their individual strengths.
You can't get a citation for this, and I must admit that this was a bit of a hyperbole.
Still, I sincerely believe that in a typical year, a typical user runs into zero or one .zip files. Of course there are exceptions, but these power users do not make up a large part of the population. Facebook and Instagram are not shipped in .zip format for a reason.
Here are some numbers to think about:
According to Microsoft, there are ~1.4 billion devices that run Windows 10 or Windows 11 [1]. Apparently, there are some 200 million additional devices that run older versions of Windows [2].
Now, I could hypothetically ask my mom and dad, and find out that only one of them knows what a .zip file is. The other has not heard of .rar. I don't think I myself am a typical user, but I do know .rar, and I do not even have WinRAR installed.
That leaves me to conclude that it is very, very, unlikely that 31% of all Windows users has WinRAR installed.
I know many people that still use it because it does all formats, it’s what they’ve been using forever, and the UI is so much better than using zip on Windows.
Of course, RAR usage nowadays is probably a bit more limited to things like usenet downloads, so the people caring enough to install an alternative decompressor is narrowing.
Don't all email providers automatically zip attachments after a certain number and don't all the major OSes try to hide extensions and include zip handling? I'm not sure what your parents knowing about zip files indicates about its usage.
I haven't downloaded it in 10 years or more, but I know I've downloaded it (and WinZip) a few dozen times. Back in the day I even had a paid license.
I do reject the idea that "nearly nobody downloads .zip files anymore". It's still pretty common. Crafters using Cricuts and engravers regularly download zip files of fonts, etc. Fedex/UPS package up invoices of a certain size, or consolidated billing accounts, in zip files. Etc.
While I know that WinRAR has some die-hard user bases, I have never been sure who their paying user base is. Are there some companies that are completely dependent on WinRAR for some internal processes?
I'm one of their paying user base. To me WinRAR is like the VLC of archives. I can throw almost anything at it and it will work. Other compression tools, not so much. I'm also a fan of giving money to small, independent developers.
I remember RAR being popular in the early 00's but when 7-zip started becoming a thing I switched to that, and then I rarely saw .RAR's.
RAR seemed to handle large collections of files better on Windows than .zip back in the day, and it had a few features that .zip didn't, so it was something I typically installed on like Windows XP and such back then. But I'm not sure why anyone would use it over 7-zip today unless you have massive numbers of old .RAR files laying around.
I did work for a company that actually licensed WinZip because it was easier to use than the default Windows interface for .zip files.
Sort of, the "zip folder" thing was introduced with the "98 Plus!" pack, but came natively with XP. That said, "natively supported in Windows" is one thing, but the usability was... well, not great. The entire "it's a compressed folder!" analogy seems reasonable, but the implementation wasn't. It ate memory like few other components, crashed often, and because it was treated like a folder only in file explorer the analogy quickly broke down when using a file picker anywhere else. WinZIP and WinRAR were basically requirements if you often worked with zip archives until 7zip came along and did everything just a tad better.
winrar has been around since I was in high school...21+ years
500 million downloads isn't unreasonable during that time frame
real question is: how many windows boxes are up right now and how many have winrar installed
rar is super popular in China, because for a long time (and still with many modern implementations) it is much better at preserving Chinese filenames in Windows than zip.
> The exploit abused that feature to trigger a previously unknown path traversal flaw that caused WinRAR to plant malicious executables in attacker-chosen file paths %TEMP% and %LOCALAPPDATA%, which Windows normally makes off-limits because of their ability to execute code.
This seems... wrong? Isn't %LOCALAPPDATA% commonly used to store executables for programs that want to install for a single user and not the whole computer? An example of which includes Google Chrome?
ESET's story seems to make more sense: https://www.welivesecurity.com/en/eset-research/update-winra...
The exploit abuses ADSes with ..\ in the name to drop files on the system that aren't visible in the WinRAR file browser. It drops malware in the temp directory and then a .lnk in the Startup directory to activate an attack against COM, influencing the DLL that's being loaded by legitimate applications.
> This seems... wrong? Isn't %LOCALAPPDATA% commonly used to store executables for programs that want to install for a single user and not the whole computer? An example of which includes Google Chrome?
Maybe you're thinking of %AppData%?
No, he's right.
>By default, VS Code is installed under C:\Users\{Username}\AppData\Local\Programs\Microsoft VS Code.
https://code.visualstudio.com/docs/setup/windows
%appdata% would be C:\Users\{Username}\AppData\Roaming
%LocalAppData% is for files you wouldn't want to synchronize across multiple computers using the same account. Installed programs squarely fall into that category, even just based on size. %AppData% is also commonly used to install executables, but I'd consider that a bug. Just like putting your cache dir in %appdata% instead of %localappdata%
The only reason publishers use those appdata paths for executables is so regular users can install their software without needing an administrator or a UAC prompt, since Microsoft locked down installing to the various Program Files directories.
But %localappdata% has all the same advantages and permissions. Using %appdata% for executables is usually a mix of ignorance and indifference. Roaming user profiles are a rare setup nowadays and are even less common on developer machines. And it's not like it breaks in obvious ways, the is just more storage space used and login is slower because more data is transferred from the server, in a setup that devs and PMs don't use
There's a really interesting article from Tavis Ormandy about the instruction set and virtual machine used in RAR: https://blog.cmpxchg8b.com/2012/09/fun-with-constrained-prog....
The docs for the toolchain he implemented (https://github.com/taviso/rarvmtools) allude to a number of bugs, but doesn't sound (??) like they're related to this vulnerability.
The VM has long since been torn out of the RAR decompressor. These days, when it finds a file containing bytecode, it just hashes the bytecode and matches it against a few hardcoded routines that existed at the time.
Sounds like a good ingredient for a CTF or other puzzle. It could be a small obfuscation where player has to install an ancient version with the VM, or get crazier with a byecode hash collision or abusing undocumented VM quirks.
> WinRAR, a utility for compressing files, and has an installed base of about 500 million.
Yeah, right.
Edit: this figure is possibly taken from the WinRAR website [1]. It is more likely that there have been that many cumulative downloads, and even that seems to be a high number. Given that Windows has .zip file support built-in for quite some time, and the fact that nearly nobody downloads .zip files anymore, makes me very suspicious of this kind of statistic.
[1] https://www.win-rar.com/
I don't doubt the numbers.
Until very recently Windows could not natively unarchive .rar files and you needed to download WinRAR to be able to do this. I still find it not terribly uncommon to run into a random .rar file that previously would have meant I needed to install it, even if I only used it once.
> and the fact that nearly nobody downloads .zip files anymore
Citation needed? Why would people not be downloading .zip files anymore?
What I don't get is why people kept installing WinRAR when 7zip can do all the same things and doesn't beg for money.
Subjective: WinRAR has nicer UI.
Objective: 7z (the format) doesn't have the same data recovery options as RAR. As it stands, RAR remains one of the best options for long-term archival of data for casual users thanks to its optional recovery records.
Sure, but if you are a non technical user what are you likely going to search for first.
A lot of non technical people know "winrar" and even if they don't if you search "rar file" on Google the first result is winrar.
7zip can't do all the same things. It's an incomplete WinRar clone that leaves out a lot of features and adds very little on its own, besides the 7zip format and being open source (both neat things, but that doesn't replace the long list of features it doesn't have or the worse UI)
WinRAR in my experience has a better speed/compression ratio than 7Zip. If you need best compression 7z is probably best but it will cost you some extra time. The GUI and integration of 7Zip also aren't as polished as WinRAR's. I've been using both since their early versions and each have their individual strengths.
You can't get a citation for this, and I must admit that this was a bit of a hyperbole.
Still, I sincerely believe that in a typical year, a typical user runs into zero or one .zip files. Of course there are exceptions, but these power users do not make up a large part of the population. Facebook and Instagram are not shipped in .zip format for a reason.
Here are some numbers to think about:
According to Microsoft, there are ~1.4 billion devices that run Windows 10 or Windows 11 [1]. Apparently, there are some 200 million additional devices that run older versions of Windows [2].
Now, I could hypothetically ask my mom and dad, and find out that only one of them knows what a .zip file is. The other has not heard of .rar. I don't think I myself am a typical user, but I do know .rar, and I do not even have WinRAR installed.
That leaves me to conclude that it is very, very, unlikely that 31% of all Windows users has WinRAR installed.
[1] https://blogs.windows.com/windowsexperience/2025/06/24/stay-...
[2] https://jitendra.co/how-many-windows-users-are-there-in-the-...
I know many people that still use it because it does all formats, it’s what they’ve been using forever, and the UI is so much better than using zip on Windows.
Of course, RAR usage nowadays is probably a bit more limited to things like usenet downloads, so the people caring enough to install an alternative decompressor is narrowing.
Don't all email providers automatically zip attachments after a certain number and don't all the major OSes try to hide extensions and include zip handling? I'm not sure what your parents knowing about zip files indicates about its usage.
i have not seen anything relevant packaged in rar for at since the early 2000s
I haven't downloaded it in 10 years or more, but I know I've downloaded it (and WinZip) a few dozen times. Back in the day I even had a paid license.
I do reject the idea that "nearly nobody downloads .zip files anymore". It's still pretty common. Crafters using Cricuts and engravers regularly download zip files of fonts, etc. Fedex/UPS package up invoices of a certain size, or consolidated billing accounts, in zip files. Etc.
Every game mod for every game ever.
WinRAR is still very popular in my experience. I don't know why, but it definitely is. People still send me .rar files.
[flagged]
"nearly nobody downloads .zip files anymore"
At this point you lost my attention.
While I know that WinRAR has some die-hard user bases, I have never been sure who their paying user base is. Are there some companies that are completely dependent on WinRAR for some internal processes?
I'm one of their paying user base. To me WinRAR is like the VLC of archives. I can throw almost anything at it and it will work. Other compression tools, not so much. I'm also a fan of giving money to small, independent developers.
I remember RAR being popular in the early 00's but when 7-zip started becoming a thing I switched to that, and then I rarely saw .RAR's.
RAR seemed to handle large collections of files better on Windows than .zip back in the day, and it had a few features that .zip didn't, so it was something I typically installed on like Windows XP and such back then. But I'm not sure why anyone would use it over 7-zip today unless you have massive numbers of old .RAR files laying around.
I did work for a company that actually licensed WinZip because it was easier to use than the default Windows interface for .zip files.
> But I'm not sure why anyone would use it over 7-zip today unless you have massive numbers of old .RAR files laying around.
Even then, 7-zip supports extracting rar.
> Are there some companies that are completely dependent on WinRAR for some internal processes?
In aa world where 7zip exists, most likely not.
WinRAR's strong point is support for RAR archives, not ZIP which has been natively supported in Windows for years (since XP?).
I think Windows 11 got native RAR and 7Z support recently but I'm not sure what libraries it uses for this.
Sort of, the "zip folder" thing was introduced with the "98 Plus!" pack, but came natively with XP. That said, "natively supported in Windows" is one thing, but the usability was... well, not great. The entire "it's a compressed folder!" analogy seems reasonable, but the implementation wasn't. It ate memory like few other components, crashed often, and because it was treated like a folder only in file explorer the analogy quickly broke down when using a file picker anywhere else. WinZIP and WinRAR were basically requirements if you often worked with zip archives until 7zip came along and did everything just a tad better.
Windows 11 uses libarchive: https://en.wikipedia.org/wiki/Libarchive#Users
winrar has been around since I was in high school...21+ years 500 million downloads isn't unreasonable during that time frame real question is: how many windows boxes are up right now and how many have winrar installed
Can someone explain why you would ever want to compress a file into .rar?
I bet it's Usenet users. WinRAR can split large files into chunks that are uploaded as separate Usenet messages.
And also have parity built in for file recovery. The alternative will be to use par2 to create parity files.
The parity files are the killer feature for me. Probably 95% of the downloads from Usenet end up needing them.
7z also does this now FWIW
I'd still bet it's Usenet users that installed WinRAR way back when and have stuck to it ever since
That's me. But now everything is done automagically by nzbget and I use nanazip on my Windows desktop.
Better compression over .zip and other older formats (like .gz).
Why people use it over .7z though? For that, I have no idea.
rar is super popular in China, because for a long time (and still with many modern implementations) it is much better at preserving Chinese filenames in Windows than zip.
Does zip actually alter some filenames, then?
Wider filename character support, for one.