WinRAR 6.02 final version released
With the final release of WinRAR 6.02, we continue our constant development of the world’s leading compression and archive management software: WinRAR. The update introduces important security improvements as well as usability enhancements and bug fixes.
Security-related improvements
We have improved the handling of malformed ZIP SFX archives. The ZIP SFX module now refuses to process SFX commands stored in the archive comment if that comment is located after the beginning of the Authenticode digital signature. This prevents potential attacks that embed a ZIP archive in the signature body. We already prohibited extracting the contents of such malformed archives in WinRAR 6.01. We would like to thank Jacob Thompson from Mandiant Advantage Labs for reporting this issue, which is now fixed.
WinRAR now also uses HTTPS instead of HTTP for its web notification window, home page and themes links. We have implemented additional checks within the web notifier to prevent a malicious web page from executing existing files on a user's computer. Such an attack is only possible if the intruder has managed to spoof or otherwise control a user's DNS records, and other factors further limit its practical application. We would like to express our gratitude to Igor Sak-Sakovskiy for bringing this issue to our attention.
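A triage check for the condition described above, as an added example (not WinRAR's code): it reads the certificate table offset from the PE header and reports any ZIP end-of-central-directory comment that begins at or after it. The function names and both sample files are constructed for illustration, and the check only approximates the rule stated in the release notes.

```python
import struct
EOCD_SIG = b"PK\x05\x06"  # ZIP end-of-central-directory record; the comment follows it

def security_dir(pe: bytes):
    """Return (file_offset, size) of the PE certificate table, or None."""
    try:
        nt = struct.unpack_from("<I", pe, 0x3C)[0]           # e_lfanew
        if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
            return None
        opt = nt + 24                                        # optional header start
        magic = struct.unpack_from("<H", pe, opt)[0]
        if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
            return None
        dirs = opt + (96 if magic == 0x10B else 112)         # data directory array
        if struct.unpack_from("<I", pe, dirs - 4)[0] < 5:    # NumberOfRvaAndSizes
            return None
        off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4: file offset
    except struct.error:                                     # truncated header
        return None
    return (off, size) if off and size else None

def comments_in_signature(data: bytes):
    """List (eocd_offset, comment_len) for ZIP comments that start inside the signature."""
    sec = security_dir(data)
    if sec is None:
        return []
    hits, pos = [], data.find(EOCD_SIG)
    while pos != -1:
        clen = int.from_bytes(data[pos + 20:pos + 22], "little")  # comment length field
        if clen and pos + 22 + clen <= len(data) and pos + 22 >= sec[0]:
            hits.append((pos, clen))
        pos = data.find(EOCD_SIG, pos + 1)
    return hits

def eocd(comment: bytes) -> bytes:  # constructed EOCD record, no real central directory
    return EOCD_SIG + b"\0" * 16 + struct.pack("<H", len(comment)) + comment

def make_sample(body: bytes, cert: bytes) -> bytes:
    """Constructed input: minimal PE32 header + body + stand-in certificate table."""
    hdr = bytearray(0x40 + 24 + 96 + 16 * 8)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    struct.pack_into("<H", hdr, 0x58, 0x10B)                 # PE32 magic
    struct.pack_into("<I", hdr, 0x58 + 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, 0x58 + 96 + 32, len(hdr) + len(body), len(cert))
    return bytes(hdr) + body + cert

CLEAN = make_sample(eocd(b";constructed comment"), b"\0" * 64)
SUSPECT = make_sample(b"stub-data", b"\0" * 16 + eocd(b";constructed comment"))
```

A non-empty result is a reason to inspect the file further, not proof of tampering, since four signature bytes can occur by chance inside certificate data.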
Usability improvements
You can find usability enhancements in several areas. Error messages thrown by SFX archives now display more detailed error information. In the past, such extended error information was only available in WinRAR but not in SFX archives. For example, such archives would previously display a "Cannot create file" message. In WinRAR 6.02, a detailed description follows this message, such as "access denied" or "file in use", when possible.
In addition, WinRAR now includes the name of the file being unpacked in its incorrect-password warning for RAR5 archives. This can be helpful when unpacking a non-solid archive containing files encrypted with different passwords.
We have also made some usability enhancements for the command line mode. For example, the switch -idn now also hides archived names in 'v' and 'l' commands. This can be useful if you only need the archive type or total information.
As usual, we have also fixed a few bugs that appeared during the usage of WinRAR to provide all users with a stable, bug-free version.
Complete list
1. ZIP SFX module refuses to process SFX commands stored in archive
comment if such comment resides after the beginning of the Authenticode
digital signature. It is done to prevent possible attacks with
inclusion of ZIP archive into the signature body.
We already prohibited extracting contents of such malformed archives
in WinRAR 6.01.
We are thankful to Jacob Thompson - Mandiant Advantage Labs
for reporting this issue.
2. WinRAR uses https instead of http in the web notifier window,
home page and themes links. It also implements additional checks
within the web notifier. This is done to prevent a malicious web page
from executing existing files on a user's computer. Such an attack
is only possible if the intruder has managed to spoof or otherwise
control a user's DNS records. Some other factors are also involved
in limiting the practical application of this attack.
We would like to express our gratitude to Igor Sak-Sakovskiy
for bringing this issue to our attention.
3. Where appropriate, SFX archive displays the additional line
with detailed error information provided by operating system.
For example, previously such archive would display "Cannot create file"
message alone. Now this message is followed by a detailed reason
like access denied or file being used by another process.
In the past this extended error information was available in WinRAR,
but not in SFX archives.
4. Switch -idn hides archived names also in 'v' and 'l' commands.
It can be useful if only the archive type or total information
is needed.
5. If -ibck -ri switches are used together, WinRAR process
sets the priority specified in -ri switch. Previous versions ignored
-ri and set the priority to low in the presence of -ibck switch.
6. When using "File/Change drive" command, WinRAR saves the last folder
of previous drive and restores it if that drive is selected again
later.
7. Name of unpacking file is now included into WinRAR incorrect password
warning for RAR5 archives. It can be helpful when unpacking
a non-solid archive containing files encrypted with different passwords.
8. Bugs fixed:
a) "Convert archives" command issued erroneous "The specified password
is incorrect" message after successfully converting RAR archive
with encrypted file names if new password was set and archive
was opened in WinRAR shell;
b) if command progress window was resized up and then quickly resized
down to original dimensions, window contents could be positioned
incorrectly.
© Copyright 2000-2022 COGITO SOFTWARE CO.,LTD. All rights reserved