> The exploit abused that feature to trigger a previously unknown path traversal flaw that caused WinRAR to plant malicious executables in attacker-chosen file paths %TEMP% and %LOCALAPPDATA%, which Windows normally makes off-limits because of their ability to execute code.
This seems... wrong? Isn't %LOCALAPPDATA% commonly used to store executables for programs that want to install for a single user and not the whole computer? An example of which includes Google Chrome?
The exploit abuses ADSes with ..\ in the name to drop files on the system that aren't visible in the WinRAR file browser. It drops malware in the temp directory and then a .lnk in the Startup directory to activate an attack against COM, influencing the DLL that's being loaded by legitimate applications.
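An added defender-side check, not from the article or any WinRAR code, illustrating the class of entry name the comment above describes: it splits an archive entry into its file path and its alternate-data-stream suffix and rejects either half if it would resolve outside the extraction directory. `split_ads`, `is_safe_entry`, `audit_entries` and the sample listing are my own constructions.

```python
import ntpath

def split_ads(entry_name):
    """Split an archive entry name into (path, stream).

    NTFS alternate data streams are written "file.txt:stream"; a lone
    drive-letter colon ("C:\\x") is not a stream separator. stream is None
    when the name carries no ADS suffix.
    """
    head, sep, tail = entry_name.partition(":")
    if len(head) == 1 and head.isalpha() and tail[:1] in ("\\", "/"):
        return entry_name, None          # drive-qualified path, not an ADS
    if not sep:
        return entry_name, None
    return head, tail

def is_safe_entry(entry_name, extract_root):
    """True only if the file path AND any ADS name resolve inside extract_root.

    The ADS name is checked as if it were a relative path, because that is the
    component in which the WinRAR traversal hid its "..\\" sequences.
    """
    path, stream = split_ads(entry_name)
    root = ntpath.normcase(ntpath.abspath(extract_root))
    for part in (path, stream):
        if part is None:
            continue
        # Absolute, rooted or drive-qualified names never belong in an archive.
        if not part or part[:1] in ("\\", "/") or ntpath.splitdrive(part)[0]:
            return False
        # Reject explicit ".." components before normalisation (conservative:
        # "a\\..\\b" is rejected too, even though it would resolve inside root).
        if ".." in part.replace("/", "\\").split("\\"):
            return False
        resolved = ntpath.normcase(ntpath.normpath(ntpath.join(root, part)))
        if not resolved.startswith(root + "\\"):
            return False
    return True

def audit_entries(entry_names, extract_root):
    """Return the entries that would land outside extract_root."""
    return [n for n in entry_names if not is_safe_entry(n, extract_root)]

# Constructed sample listing (not taken from any real archive).
SAMPLE_ENTRIES = [
    "readme.txt",
    "docs\\report.docx",
    "docs\\report.docx:Zone.Identifier",        # benign ADS, stays in place
    "notes.txt:..\\..\\..\\escaped.dll",        # traversal hidden in the ADS name
    "..\\..\\evil.txt",                         # traversal in the file path itself
    "C:\\Windows\\x.txt",                       # absolute path
]

if __name__ == "__main__":
    for name in audit_entries(SAMPLE_ENTRIES, "C:\\extract"):
        print("UNSAFE:", name)
```

The pure `ntpath` functions run on any platform, so the audit can be applied to an archive listing before extraction is ever attempted on a Windows host.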
> This seems... wrong? Isn't %LOCALAPPDATA% commonly used to store executables for programs that want to install for a single user and not the whole computer? An example of which includes Google Chrome?
%LocalAppData% is for files you wouldn't want to synchronize across multiple computers using the same account. Installed programs squarely fall into that category, even just based on size. %AppData% is also commonly used to install executables, but I'd consider that a bug. Just like putting your cache dir in %appdata% instead of %localappdata%.
The docs for the toolchain he implemented (https://github.com/taviso/rarvmtools) allude to a number of bugs, but it doesn't sound (??) like they're related to this vulnerability.
The VM has long since been torn out of the RAR decompressor. These days, when it finds a file containing bytecode, it just hashes the bytecode and matches it against a few hardcoded routines that existed at the time.
Sounds like a good ingredient for a CTF or other puzzle. It could be a small obfuscation where the player has to install an ancient version with the VM, or get crazier with a bytecode hash collision or abusing undocumented VM quirks.
> WinRAR, a utility for compressing files, and has an installed base of about 500 million.
Yeah, right.
Edit: this figure is possibly taken from the WinRAR website [1]. It is more likely that there have been that many cumulative downloads, and even that seems to be a high number. Given that Windows has .zip file support built-in for quite some time, and the fact that nearly nobody downloads .zip files anymore, makes me very suspicious of this kind of statistic.
Until very recently Windows could not natively unarchive .rar files and you needed to download WinRAR to be able to do this. I still find it not terribly uncommon to run into a random .rar file that previously would have meant I needed to install it, even if I only used it once.
> and the fact that nearly nobody downloads .zip files anymore
Citation needed? Why would people not be downloading .zip files anymore?
You can't get a citation for this, and I must admit that this was a bit of hyperbole.
Still, I sincerely believe that in a typical year, a typical user runs into zero or one .zip files. Of course there are exceptions, but these power users do not make up a large part of the population. Facebook and Instagram are not shipped in .zip format for a reason.
Here are some numbers to think about:
According to Microsoft, there are ~1.4 billion devices that run Windows 10 or Windows 11 [1]. Apparently, there are some 200 million additional devices that run older versions of Windows [2].
Now, I could hypothetically ask my mom and dad, and find out that only one of them knows what a .zip file is. The other has not heard of .rar. I don't think I myself am a typical user, but I do know .rar, and I do not even have WinRAR installed.
That leaves me to conclude that it is very, very unlikely that 31% of all Windows users have WinRAR installed.
I haven't downloaded it in 10 years or more, but I know I've downloaded it (and WinZip) a few dozen times. Back in the day I even had a paid license.
I do reject the idea that "nearly nobody downloads .zip files anymore". It's still pretty common. Crafters using Cricuts and engravers regularly download zip files of fonts, etc. Fedex/UPS package up invoices of a certain size, or consolidated billing accounts, in zip files. Etc.
Sort of, the "zip folder" thing was introduced with the "98 Plus!" pack, but came natively with XP. That said, "natively supported in Windows" is one thing, but the usability was... well, not great. The entire "it's a compressed folder!" analogy seems reasonable, but the implementation wasn't. It ate memory like few other components, crashed often, and because it was treated like a folder only in file explorer the analogy quickly broke down when using a file picker anywhere else. WinZIP and WinRAR were basically requirements if you often worked with zip archives until 7zip came along and did everything just a tad better.
While I know that WinRAR has some die-hard user bases, I have never been sure who their paying user base is. Are there some companies that are completely dependent on WinRAR for some internal processes?
I'm one of their paying user base. To me WinRAR is like the VLC of archives. I can throw almost anything at it and it will work. Other compression tools, not so much. I'm also a fan of giving money to small, independent developers.
I remember RAR being popular in the early 00's but when 7-zip started becoming a thing I switched to that, and then I rarely saw .RAR's.
RAR seemed to handle large collections of files better on Windows than .zip back in the day, and it had a few features that .zip didn't, so it was something I typically installed on like Windows XP and such back then. But I'm not sure why anyone would use it over 7-zip today unless you have massive numbers of old .RAR files laying around.
I did work for a company that actually licensed WinZip because it was easier to use than the default Windows interface for .zip files.
> Given that Windows has .zip file support built-in for quite some time, and the fact that nearly nobody downloads .zip files anymore, makes me very suspicious of this kind of statistic.
Windows has _some_ .zip file support. Winrar is usually used for rar files. Zip files are still used (docx xlsx and pptx are zip files).
winrar has been around since I was in high school...21+ years
500 million downloads isn't unreasonable during that time frame
real question is: how many windows boxes are up right now and how many have winrar installed
rar is super popular in China, because for a long time (and still with many modern implementations) it is much better at preserving Chinese filenames in Windows than zip.
Maybe you're thinking of %AppData%?
> By default, VS Code is installed under C:\Users\{Username}\AppData\Local\Programs\Microsoft VS Code.
https://code.visualstudio.com/docs/setup/windows
%appdata% would be C:\Users\{Username}\AppData\Roaming
[1] https://www.win-rar.com/
[1] https://blogs.windows.com/windowsexperience/2025/06/24/stay-...
[2] https://jitendra.co/how-many-windows-users-are-there-in-the-...
I think Windows 11 got native RAR and 7Z support recently but I'm not sure what libraries it uses for this.
At this point you lost my attention.
In a world where 7zip exists, most likely not.
I'd still bet it's Usenet users that installed WinRAR way back when and have stuck to it ever since
Why people use it over .7z though? For that, I have no idea.