  • Just don’t use WinRAR, OK?

    Posted on March 17th, 2019 at 10:35 woody Comment on the AskWoody Lounge

    I’ve been trying to avoid this topic, but it now appears to be engulfing the blogosphere.

    If you use WinRAR, you were suckered. I’ve never recommended it. But if for some reason you’ve installed it — or even paid for it — uninstall it and get something worthwhile (and free!) like 7-Zip or one of a dozen alternatives.

    @mn- posted about WinRAR’s security problems back in February, when they were discovered and disclosed. Martin Brinkmann had thorough coverage on ghacks. It all has to do with an ancient archiving format called ACE, and the “19-year-old” security hole is being exploited right now. McAfee says they’ve found “over 100 unique exploits and counting,” but I think they’re double-dipping. Catalin Cimpanu on ZDNet has a recent accounting.

    Tempest, meet teapot. But if you have WinRAR for some bizarre reason, get rid of it.


    This topic contains 48 replies, has 21 voices, and was last updated by

     mn– 4 weeks, 1 day ago.

    • #342542 Reply

      woody
      Da Boss

      I’ve been trying to avoid this topic, but it now appears to be engulfing the blogosphere. If you use WinRAR, you were suckered. I’ve never recommended
      [See the full post at: Just don’t use WinRAR, OK?]

      4 users thanked author for this post.
    • #342557 Reply

      anonymous

      While 7-zip can open RAR files, it can’t create them on its own without WinRAR (or the original command line RAR) installed. This is true of any program, due to the RAR license. So people who actually make RAR files  keep WinRAR for that.

      However, it appears to me that they could just keep the rar.exe file and get rid of the rest of WinRAR. All they’d have to do is point 7-zip to the rar.exe file.

      • #342588 Reply

        b
        AskWoody Plus

        For anyone who wants to keep their current version of WinRAR, it should only be necessary to delete UNACEV2.DLL from the WinRAR program folder, as shown in the ghacks.net fix.

        Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker Saluted blockhead "Finger sharpener" (Group ASAP) WX1903

        • #342598 Reply

          Alex5723
          AskWoody Plus

          …delete UNACEV2.DLL or rename the file.
          Total Commander also uses UNACEV2.DLL.

          Remember to delete/rename from your system backups as well.

          • This reply was modified 1 month ago by
             Alex5723.
          • #342642 Reply

            Sparkwell3000
            AskWoody Plus

            UNACEV2.DLL doesn’t exist in my WinRAR 5.70 installation.

            In “C:\Program Files\WinRAR\WhatsNew.txt”, they have this note:

            21. Nadav Grossman from Check Point Software Technologies informed us
            about a security vulnerability in UNACEV2.DLL library.
            Aforementioned vulnerability makes possible to create files
            in arbitrary folders inside or outside of destination folder
            when unpacking ACE archives.
            WinRAR used this third party library to unpack ACE archives.
            UNACEV2.DLL had not been updated since 2005 and we do not have access
            to its source code. So we decided to drop ACE archive format support
            to protect security of WinRAR users.
            We are thankful to Check Point Software Technologies for reporting
            this issue.

            So does this mean 5.70 is safe? Are my old .RAR files safe?

            2 users thanked author for this post.
            • #342644 Reply

              anonymous

              Sparkwell3000: The file has been removed in 5.70.

              1 user thanked author for this post.
            • #342649 Reply

              Bob99
              AskWoody Lounger

              So does this mean 5.70 is safe? Are my old .RAR files safe?

              Yep, it sure does! That goes for both questions. 🙂

              That vulnerability was only “exposed” if you were to use WinRAR with a version number below 5.70 (or possibly another compressed file viewer/extractor that uses unacev2.dll) to open a file compressed with the ACE method.
              However, as pointed out in other posts, just because a compressed file’s name ends with something besides “.ACE” doesn’t mean it wasn’t compressed with that method when it was created. That’s one thing that’s making this vulnerability particularly troublesome.

              1 user thanked author for this post.
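The two points made in the replies above (copies of UNACEV2.DLL can sit in more than one program folder or backup, and an ACE archive need not carry an .ace name) can be checked together by looking at file content rather than names. The sketch below is an added example, not part of any post in this thread or of any of the tools mentioned; it assumes the ACE main header carries the signature `**ACE**` at byte offset 7, and the function names and sample files are hypothetical and constructed.

```python
import os
import tempfile

ACE_MAGIC = b"**ACE**"   # signature field in the ACE main header
ACE_MAGIC_OFFSET = 7     # after CRC (2 bytes), size (2), type (1), flags (2)
DECODER_DLL = "unacev2.dll"


def is_ace_archive(path):
    """True if the file starts with an ACE main header, whatever its name.

    Self-extracting archives, where the header sits behind an executable
    stub, are not covered by this check.
    """
    try:
        with open(path, "rb") as fh:
            head = fh.read(ACE_MAGIC_OFFSET + len(ACE_MAGIC))
    except OSError:
        return False  # unreadable file: skipped, not reported
    return head[ACE_MAGIC_OFFSET:] == ACE_MAGIC


def audit_tree(root):
    """Walk root; report decoder DLL copies and ACE files by content."""
    report = {"decoder_dlls": [], "disguised_ace": [], "ace_named": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if name.lower() == DECODER_DLL:
                report["decoder_dlls"].append(path)
            elif is_ace_archive(path):
                ext = os.path.splitext(name)[1].lower()
                key = "ace_named" if ext == ".ace" else "disguised_ace"
                report[key].append(path)
    for paths in report.values():
        paths.sort()
    return report


def build_sample_tree(root):
    """Constructed sample data: header stubs only, not real archives."""
    stub = (b"\x00\x00" + b"\x31\x00" + b"\x00" + b"\x00\x90"
            + ACE_MAGIC + b"\x00" * 32)
    os.makedirs(os.path.join(root, "WinRAR"))
    os.makedirs(os.path.join(root, "Downloads"))
    samples = {
        ("WinRAR", "UNACEV2.DLL"): b"MZ constructed placeholder",
        ("Downloads", "invoice.rar"): stub,   # ACE content under a .rar name
        ("Downloads", "old.ace"): stub,
        ("Downloads", "real.rar"): b"Rar!\x1a\x07\x00" + b"\x00" * 32,
        ("Downloads", "notes.txt"): b"plain text",
    }
    for (sub, name), data in samples.items():
        with open(os.path.join(root, sub, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for kind, paths in audit_tree(tmp).items():
            for p in paths:
                print(kind, os.path.relpath(p, tmp))
```

A copy of the DLL that has already been renamed, as suggested earlier in the thread, is not matched by the name check.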
            • #342648 Reply

              anonymous

              “UNACEV2.DLL doesn’t exist in my WinRAR 5.70 installation.”

              The file has been removed in 5.70 as part of the fix.

               

              1 user thanked author for this post.
    • #342562 Reply

      kreela
      AskWoody Plus

      Windows has a built-in option to right-click and extract the files without a separate third-party application.  However, I do like to just double-click on a file, so I prefer Bandizip Free.  Unlike 7-zip, I can set the options to just quietly unzip and open the folder without having an open window to close. It saves a tiny amount of time and, personally, aggravation.  I can also set it to preview files and save in .7z by default.

      7-zip and Peazip are alternatives, but they leave an open window and are not integrated as well as a right-click on a file; therefore, they don’t increase my productivity at all.

      • #342577 Reply

        NetDef
        AskWoody_MVP

        Actually 7-Zip does integrate into your right click option context menu.  But you have to turn it on after installing.

        Run as Admin the 7-Zip File Manager (from the Windows start menu)

        Select Tools, then Options, and select the 7-Zip tab.

        Check the options “Integrate 7-Zip to shell context menu” and Apply.


        Voilà!

        ~ Group "Weekend" ~

        1 user thanked author for this post.
        • #342626 Reply

          Microfix
          Da Boss

          It’s like all programs/ utilities, dig into the settings/ configs to get what one wants and how one would like it presented during/ after installation.
          Tip: always do a custom install and check for unnecessary tickbox junkware and don’t assume default is the best option.

          | W8.1 Pro x64 | Linux x64 Hybrids | W7 Pro x86 | XP Pro O/L
          1 user thanked author for this post.
          • #342698 Reply

            anonymous

            Unfortunately according to the agreement only two ways Bandizip can not phone home, is never installing the software or blocking the outbound traffic.

    • #342575 Reply

      arfurdent
      AskWoody Lounger

      would not updating to WinRAR v5.70 also sort the issue out?

      1 user thanked author for this post.
      • #342590 Reply

        warrenrumak
        AskWoody Plus

        It doesn’t solve the $29 price tag issue.

        We should be past the point of someone profiting off a simple compression algorithm that they wrote 25+ years ago.

        • #342631 Reply

          b
          AskWoody Plus

          Most seem to have been able to update without further payment, and they do offer help for a lost registration key:
          https://www.win-rar.com/lostkey.html.

          Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker Saluted blockhead "Finger sharpener" (Group ASAP) WX1903

        • #342711 Reply

          anonymous

          Can Windows 10 still open very old cabinet files that use LZX compression?

        • #342744 Reply

          anonymous

          Those software authors have a right to request payment for their works. I do wonder if we have paid Microsoft their for inclusion of older compression algorithms used during servicing of windows or for opening an old cabinet file.

    • #342582 Reply

      anonymous

      Since the ACE exploit puts malware into startup folder, the recently recommended Safe Startup app should also let you know if something nefarious has appeared in this folder. Not a solution to the problem, but still an extra line of defence for any exploit that works this way.

    • #342612 Reply

      des911
      AskWoody Lounger

      would not updating to WinRAR v5.70 also sort the issue out?

      That is also what I understood. Can anyone confirm if version 5.70 solves the problem?

    • #342613 Reply

      wbear
      AskWoody Lounger

      would not updating to WinRAR v5.70 also sort the issue out?

      That’s what I did to solve the issue!

    • #342617 Reply

      b
      AskWoody Plus

      If you use WinRAR, you were suckered. I’ve never recommended it. But if for some reason you’ve installed it — or even paid for it — uninstall it and get something worthwhile (and free!) … Just don’t use WinRAR, OK?

      The vulnerable UNACE is also available as an optional plugin for PeaZip, which you recommended here six months ago. It’s still available for download but PeaZip now recommend uninstalling it if installed: http://www.peazip.org/peazip-add-ons.html

      ACE support was removed from Bandizip (mentioned in this thread) a month ago in version 6.21 due to the same issue: https://www.bandisoft.com/bandizip/history/

      So it’s not just WinRAR.

      Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker Saluted blockhead "Finger sharpener" (Group ASAP) WX1903

      1 user thanked author for this post.
    • #342623 Reply

      OscarCP
      AskWoody Plus

      I have used WinRAR for years without problems, because I only need it to compress  or later decompress files of my own creation, or to decompress files I get from trusted sources. I liked it because it could be used with the several different types of encryption I expect to ever have to deal with.

      It is probably a very different story when it is used for administrative or business-related work.

      So I would say that it all depends on what one does with this, or for that matter, with any other application.

      • #342674 Reply

        anonymous

        ‘Trusted source’ does not rule out the need for caution.

        Example: I had a message from a family member I trust totally. The message had a link. Examination of the link (not opened but read) revealed it was probably advertising for a supplement drink. I deleted the message and told the sender. Later he asked what he should do to remove a virus from his machine.

        Example 2: C*** Cleaner was trusted software. Someone replaced the clean CCleaner installer on the website with another that contained a trojan. Until that became known the infected installer passed a VirusTotal check with zero detections.

        The point is, nothing relating to computers can be totally trusted. Even hardware

        • #342748 Reply

          OscarCP
          AskWoody Plus

          Those sources I mentioned are all big and much used government and university central repositories of scientific data. They are safer than anything I might be able to ensure on my own side; not perfect, for  sure, but safe enough for me. On the other hand, I do believe that people who, in the course of running their businesses, must routinely receive compressed files, tarballs, etc. from various sources they cannot know if they are very well protected from malware infection, using something like WinRAR to decompress those will put themselves at considerable risk and be much more likely to have bad outcomes.

    • #342624 Reply

      T
      AskWoody Plus

      Can we also add ccleaner to software we should not be using? I’ve used it for years with no ill effects but apart from the trojan that was snuck in back last year i was stunned to find out my version (which pre-dates this exploit) was silently upgraded in the background. Apparently this happened back in september as covered here – what’s worse is that they also enabled the option to send them telemetry.

      Actually, i had a quick look on the forums to see if this topic has already been discussed but couldn’t find anything.

      ETA: I see it has been discussed – https://www.askwoody.com/forums/topic/piriform-ccleaner-speccy

      • This reply was modified 1 month ago by
         T.
      • This reply was modified 1 month ago by
         T.
      • #343042 Reply

        anonymous

        I had problems with CCleaner  and I was running Avast as an AV.   I uninstalled CCleaner 5.? and reinstalled 4.19 and moved from Avast to Kaspersky and no more problems.

        Avast own CCleaner so Avast will keep pushing the latest version.

    • #342643 Reply

      anonymous

      Here’s why I’m sticking with winrar

      1. The issue is fixed, so update

      2. Winrar offers baked-in recovery records without needing external par2 files

      3. It allows password protected rars with filename encryption, this allows you to upload things to google drive without it being scanned and flagged.

      4. As for registration, when you purchase winrar you get a file called rarreg.key (cough cough google)

      2 users thanked author for this post.
      • #342658 Reply

        anonymous

        Number 3 applies to any sort of password protected archive, unless its encryption has been broken. ZIP and 7Z (7-Zip’s own format) both support password protection.  And 7z files have better compression, according to the sources I’ve found.

        The fact that WinRAR is maintaining their software is great, and means you don’t have to get rid of it if you don’t want to. But there’s no need to use RAR to protect files from being scanned by Google.

    • #342652 Reply

      anonymous

      I purchased WinRAR years ago and upgraded to 5.70 at no extra charge after reading this post.

    • #342656 Reply

      anonymous

      It appears that there exists a completely open source implementation of the ACE decoder, in pure Python. It would make sense to use this instead of the vulnerable program to open existing ACE files (even if only for converting to a more modern format.)

      https://www.roe.ch/acefile

      • #342767 Reply

        mn–
        AskWoody Lounger

        Yeah, I mentioned that one, didn’t I?

        Then again it’d also be possible to write an application that’d wrap the vulnerable DLL in layers of indirection and sanity checking, just… a lot of bother for no real gain, especially given the existence of that alternate decoder.

    • #342678 Reply

      lurks about
      AskWoody Lounger

      A question about both ACE and RAR compression, how common are/were they? I have seen zip and tarballs used commonly (tarballs mainly on Linux) but cannot remember seeing an ace or rar file. I am just wondering, if they are very unusual, would 7-zip or something similar be a better option for most?

      • This reply was modified 1 month ago by
         lurks about.
    • #342685 Reply

      anonymous

      Since I have a “borrowed” copy of WinRar 5.60, I can’t update it. So I renamed the unacev2.dll file. I also noticed a file named “ace32loader” in the same folder so I renamed it as well. Hope this secures my rar files and folders.

    • #342695 Reply

      anonymous

      People still use WinRAR? Most people I see use 7-Zip or WinZip. I personally haven’t used WinRAR since 2012. I found 7-Zip to be a far better program. And plus it’s open source.

    • #342702 Reply

      anonymous

      Surely any reasonable antivirus program should detect this malware.

      • #342779 Reply

        mn–
        AskWoody Lounger

        The problem is in part that, to be able to detect malware in encoded archives, the scanner would have to use a suitable decoder library. And since the only generally available decoder library is where the vulnerability is, here…

        You may have noticed the scarcity of malware scanners that could scan ACE archives.

        3) It is AV task to remove malicious payload during extracting

        Those are not, and cannot be, perfect.

        And that’s not getting into the part where the AV cannot know if specific applications with specific embedded settings would be “malicious” for all organizations. (Yes, I’ve seen things get distributed into startup folders by group policies and whatever…)

    • #342707 Reply

      anonymous

      WinRar is perhaps the best tool for handling huge multi-gigabyte zip64 files. I’ve seen 7 zip take long time to open them and then blow up, and many other utilities fail on them as well. WinRar opens them right up, no sweat.  I hope 7 zip will get fixed, but there’s still lots of reasons to use other compression tools.

    • #342766 Reply

      anonymous

      Dear Woody,

      Why so?

      1) If you use WinRar, you already have it – so it cost nothing to update to latest version
      2) If you don’t want to upgrade, just delete affected 3rd party dll
      3) It is AV task to remove malicious payload during extracting

    • #342825 Reply

      davews
      AskWoody Plus

      I have used WinRar for a long time (once registered always registered). I have tried all the various zip programs out there and WinRar does just what I need and does it very well. I have tried 7zip but never liked it, its interface is unfriendly and it seems its only advantage is that it is free.

      The WinRar vulnerability as clearly stated affects .ace archives ONLY (including files with forged extensions). ACE is a legacy format and I don’t know anybody who still uses it. It is trivial to delete the unacev2.dll file and it is then safe. Or update to the latest version when it is removed anyway. Note that unacev2.dll is a third party program written by the developers of ACE and is used by several other zip archive programs, clearly the WinRar developers are unable to update this third party program and I doubt whether the ACE developers are still around.

      Sad to see Woody condemning a program without finding out the facts.

       

      • This reply was modified 1 month ago by
         davews.
      • This reply was modified 1 month ago by
         davews.
      2 users thanked author for this post.
    • #342897 Reply

      TheOwner
      AskWoody Lounger

      Don’t understand this topic, latest version of WinRAR (5.70) fixed that security problem. It is completely safe to use it now.

      3 users thanked author for this post.
      • #342907 Reply

        Microfix
        Da Boss

        For winRAR Version 5.70 taken from their changelogs:
        https://rarlab.com/rarnew.htm

        21. Nadav Grossman from Check Point Software Technologies informed us
        about a security vulnerability in UNACEV2.DLL library.
        Aforementioned vulnerability makes possible to create files
        in arbitrary folders inside or outside of destination folder
        when unpacking ACE archives.

        WinRAR used this third party library to unpack ACE archives.
        UNACEV2.DLL had not been updated since 2005 and we do not have access
        to its source code. So we decided to drop ACE archive format support
        to protect security of WinRAR users.

        We are thankful to Check Point Software Technologies for reporting
        this issue.

        my bolding.

        Last updated:  26 February 2019

        taken from: https://rarlab.com/

        So in my book it’s safe to install v5.70 but make sure UNACEV2.DLL is NOT present in the program installation folder.

        Tardy blogosphere news IMO but, good of @woody to highlight that people need to update it 😉

        | W8.1 Pro x64 | Linux x64 Hybrids | W7 Pro x86 | XP Pro O/L
        1 user thanked author for this post.
    • #342948 Reply

      SonicMojo
      AskWoody Lounger

      Woody

      You have always been pretty level when it comes to reporting from the field – but this one rubbed me the wrong way.

      Phrases like:

      “Suckered”

      “But if you have WinRAR for some bizarre reason – get rid of it”

      Are not constructive.

      A better question for you to ask would be: Who the h*** uses ACE these days?

      WinRAR has served me (and clearly many others) very well for years – and will continue to do so. The problem has been rectified with v5.70 and all is well.

      If you like 7-zip – enjoy and move along – but I do not see the point in getting all high and mighty.

      Sonic.

      • This reply was modified 1 month ago by
         SonicMojo.
      • This reply was modified 1 month ago by
         SonicMojo.
      • This reply was modified 1 month ago by
         SonicMojo.
      • This reply was modified 1 month ago by
         PKCano.
      5 users thanked author for this post.
    • #343043 Reply

      anonymous
    • #343056 Reply

      T
      AskWoody Plus

      Avast own CCleaner so Avast will keep pushing the latest version.

      I think it’s the other way around – people installing ccleaner were finding that it was also installing avast through a ticked option in the installer. But those without avast were still finding ccleaner getting updated silently to 5.46 and two new tasks being created in the scheduler. I think they learnt their lesson but this along with turning on telemetry by default is the definition of malware and can no longer be trusted. I have also used avast for years and have had no problems with the basic installation and none of the bloat but it’s certainly made me think twice whether i want anything to do with them. I’m surprised you moved to kaspersky though, i trust them far less than avast!

      • This reply was modified 1 month ago by
         T.
      • This reply was modified 1 month ago by
         T.
      • #343093 Reply

        anonymous

        I am not sure I trust Avast or Kaspersky completely.

        Avast has the biggest percentage of the market but Kaspersky has better performance results.

        Both offer very good detection and usability.

        My personal opinion is Avast is more intrusive and this is why I gave them the flick.

        After removing Avast I still had to cleanup a remaining Schedule task manually.

      • #343117 Reply

        anonymous

        Not sure whether this happened yet but if the worry about Kaspersky is US government allegations of Russian government control, it seems Kaspersky are moving to Switzerland, user data will be stored in Switzerland and a third party will provide oversight. On paper, that sounds very good.

    • #343156 Reply

      Fred
      AskWoody Lounger

      Just don’t use Windows, OK?
      It costs money, it’s full of bugs, one cannot trust it………………

      2 users thanked author for this post.
      • #343174 Reply

        anonymous

        Some of us are wedded to it. A life without Windows is a pipe dream.

        1 user thanked author for this post.
      • #343177 Reply

        mn–
        AskWoody Lounger

        I’m fairly sure I’ve been to this argument before… Oh well.

        Full of bugs, well, most software is, these days. Partially a matter of overwhelming complexity. Differences are quantitative.

        Costs money is a funny thing – theoretically everything can be converted to monetary numbers… for businesses and such at least; so, differences are quantitative.

        Cannot trust, well, that’s the one part where you could theoretically come up with a qualitative difference. I suppose something like OpenBSD is both small enough and considered trustworthy enough that a light audit of the entire base system would be doable… but if you’re a business and not a government or other religious/ethical/other principle-based institution, it too can be converted to monetary numbers.

        So, feel free to do Total Cost of Ownership calculations again, with the interesting bits being monetary values of trustworthiness and risk management.
