WinRAR 6.02


Level 83
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
Version 6.02

1. ZIP SFX module refuses to process SFX commands stored in archive
comment if such comment is resided after beginning of Authenticode
digital signature. It is done to prevent possible attacks with
inclusion of ZIP archive into the signature body.

We already prohibited extracting contents of such malformed archives
in WinRAR 6.01.

We are thankful to Jacob Thompson - Mandiant Advantage Labs
for reporting this issue.

2. WinRAR uses https instead of http in the web notifier window,
home page and themes links. It also implements additional checks
within the web notifier. This is done to prevent a malicious web page
from executing existing files on a user's computer. Such attack
is only possible if the intruder has managed to spoof or otherwise
control user's DNS records. Some other factors are also involved
in limiting the practical application of this attack.

We would like to express our gratitude to Igor Sak-Sakovskiy
for bringing this issue to our attention.

3. Where appropriate, SFX archive displays the additional line
with detailed error information provided by operating system.

For example, previously such archive would display "Cannot create file"
message alone. Now this message is followed by a detailed reason
like access denied or file being used by another process.

In the past this extended error information was available in WinRAR,
but not in SFX archives.

4. Switch -idn hides archived names also in 'v' and 'l' commands.
It can be useful if only the archive type or total information
is needed.

5. If -ibck -ri<priority> switches are used together, WinRAR process
sets the priority specified in -ri switch. Previous versions ignored
-ri and set the priority to low in the presence of -ibck switch.

6. When using "File/Change drive" command, WinRAR saves the last folder
of previous drive and restores it if that drive is selected again

7. Name of unpacking file is now included into WinRAR incorrect password
warning for RAR5 archives. It can be helpful when unpacking
a non-solid archive containing files encrypted with different passwords.

8. Bugs fixed:

a) "Convert archives" command issued erroneous "The specified password
is incorrect" message after succesfully converting RAR archive
with encrypted file names if new password was set and archive
was opened in WinRAR shell;

b) if command progress window was resized up and then quickly resized
down to original dimensions, window contents could be positioned
Source: WinRAR archiver, a powerful tool to process RAR and ZIP files

Download: WinRAR archiver, a powerful tool to process RAR and ZIP files


Level 83
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014

WinRAR 6.02 update includes security improvements​

The official WinRAR 6.02 changelog lists two security-related improvements. The application uses HTTPS instead of HTTP from now on for its web notification window, home page and themes links. Additional checks have been implemented to make the web notifier more robust against potential threats.

An attacker needed to use advanced attacks that involved spoofing or gaining control over the DNS settings of a device, but would be able to use malicious webpages to execute existing files on a user system, if executed correctly. The move to HTTPS prevents this attack scenario entirely.

The second security-related change improves the handling of malformed archives. WinRAR 6.01 prevented the extraction of contents already, but WinRAR 6.02 improves that by refusing to process SFX (self-extracting) commands stored in archive comments if the comments reside after the beginning of the Authenticode digital signature; this is done to prevent attacks that abuse the loophole.