WinRAR security flaw ignores Windows Mark of the Web security warnings


WinRAR has been a staple in the PC community for decades, offering the ability to compress data into compact files for easier transfer. With that, however, comes the occasional security concern, and today we have an example of just such a situation. Reports have begun to circulate highlighting an issue in all but the latest edition of WinRAR that enables software to execute without the Windows Mark of the Web (MotW) security warning pop-ups.

If you aren't familiar with the MotW warnings, you might recognize them as the pop-ups that warn you against running strange software from the internet. A warning typically includes a blurb explaining that it's dangerous to execute applications downloaded from unfamiliar sources, along with an option to continue regardless and an option to cancel the operation entirely. This system can apparently be skipped over entirely in older versions of WinRAR, making for a greater security risk.

The official release notes for version 7.11 confirm that this vulnerability has been nullified and go on to detail the fixed issue. The notes state, "if symlink pointing at an executable was started from WinRAR shell, the executable Mark of the Web data was ignored." As long as you update to the latest version, this security flaw shouldn't be an issue.
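The check the release notes describe, consulting the mark on the executable a symlink points at rather than only on the path that was clicked, can be sketched as follows. This is an added example, not WinRAR's code or anything from the release notes. It assumes NTFS, where Windows stores the mark in a `Zone.Identifier` alternate data stream; the function names and the sample stream are constructed for illustration.

```python
import os

# Constructed sample of a Zone.Identifier stream as written for an Internet download.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/tool.exe\r\n"

def parse_zone_id(stream_text):
    """Return the ZoneId from Zone.Identifier text, or None if absent or malformed."""
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None

def read_motw_stream(path):
    """Read the NTFS alternate data stream that stores MotW; None if there is none."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

def effective_zone(path, reader=read_motw_stream):
    """Least-trusted zone found on the path as given or on its fully resolved target."""
    zones = []
    for candidate in {os.path.abspath(path), os.path.realpath(path)}:
        text = reader(candidate)
        zone = parse_zone_id(text) if text is not None else None
        if zone is not None:
            zones.append(zone)
    return max(zones) if zones else None

def should_warn(path, reader=read_motw_stream):
    """True when the file, or what a symlink points at, is marked Internet (3) or Restricted (4)."""
    zone = effective_zone(path, reader)
    return zone is not None and zone >= 3
```

The `reader` parameter exists so the logic can be exercised on systems without alternate data streams; on Windows the default reader opens the stream directly.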

WinRAR confirmed that the security flaw was identified by Shimamine Taihei of Mitsui Bussan Secure Directions, Inc. The concern was reported directly to the WinRAR team, who were able to resolve it by the time version 7.11 was released. The report described the issue as follows: "If a symbolic link specially crafted by an attacker is opened on the affected product, arbitrary code may be executed."

It's important to note that while this security flaw requires users to manually open links to initiate potential attacks, it still increases the security risk by skipping the pop-up Windows warning system entirely. The MotW system is just an extra layer, warning users before they execute suspicious code, to help stop malware from automatically propagating. However, the MotW pop-ups can be a crucial step in mitigating the spread of unwanted software. It's best to update your version of WinRAR to the latest version to avoid any potential mishaps going forward.

Ash Hill
Contributing Writer

Ash Hill is a contributing writer for Tom's Hardware with a wealth of experience in the hobby electronics, 3D printing and PCs. She manages the Pi projects of the month and much of our daily Raspberry Pi reporting while also finding the best coupons and deals on all tech.

  • setx
    Windows' Mark of the Web is stupid idea in the first place. If user downloaded something and clicked to run it, he would select 'Yes' in that pseudo-security dialog.

    help stop malware from automatically propagating
    That's nonsense: if your browser automatically executes automatically downloaded stuff then your system is already compromised.
  • COLGeek
    No politics, including attacks of that nature on each other. Stick to the tech topic, please.

    Thank you.
  • ezst036
    I personally find it shocking that people are paying for a compression program when so many free ones are available.

    The resistance of RAR here truly breaks a lot of rules.
  • AkroZ
    Popups are not a security feature, many users close them unconsciously, this happens often when I help users:
    Helper: There was a message, do you know its content?
    User: What message?
    Helper: There was a popup that you closed immediately.
    User: I didn't do anything, there was no popup.
    Helper: I have seen it, redo the action.
    User: here, no popup.
    Helper: you closed it again...
  • Exploding PSU
    AkroZ said:
    Popups are not a security feature, many users close them unconsciously, this happens often when I help users:
    Helper: There was a message, do you know its content?
    User: What message?
    Helper: There was a popup that you closed immediately.
    User: I didn't do anything, there was no popup.
    Helper: I have seen it, redo the action.
    User: here, no popup.
    Helper: you closed it again...

    I feel like I've been so desensitised with so many bogus / extraneous popups over the years that hitting "X" whenever something pops up has become second nature... Even I'm guilty of this..
  • Amdlova
    WinRAR, it's not free? For years I have closed the popup begging to buy it
  • qwertymac93
    AkroZ said:
    Popups are not a security feature, many users close them unconsciously, this happens often when I help users:
    Helper: There was a message, do you know its content?
    User: What message?
    Helper: There was a popup that you closed immediately.
    User: I didn't do anything, there was no popup.
    Helper: I have seen it, redo the action.
    User: here, no popup.
    Helper: you closed it again...
    7zip ignores motw entirely by default for this reason. It took ages for the author to add optional motw support at all because he thought it was stupid from the start.
  • Heiro78
    setx said:
    Windows' Mark of the Web is stupid idea in the first place. If user downloaded something and clicked to run it, he would select 'Yes' in that pseudo-security dialog.


    That's nonsense: if your browser automatically executes automatically downloaded stuff then your system is already compromised.
    I don't understand, isn't this article talking about a problem if an executable is started within winrar before extraction?

    Do people really do that?
  • alceryes
    ezst036 said:
    I personally find it shocking that people are paying for a compression program when so many free ones are available.

    The resistance of RAR here truly breaks a lot of rules.
    I paid for a single user license 25 years ago. I'm gonna get my money's worth, damn it! ;)

    For me, it actually is useful. Not more or less so than other free programs, but now it's the familiarity I enjoy. I also don't hook it into Explorer's R-click menu. The whole WinRAR MotW being ignored was known over a month ago. There are a dozen other articles discussing it. TH late to the party...?