Battle WinRar or 7Zip? What's your favourite?

Frib004

Level 2
Verified
Nov 17, 2018
78
Use Languagetool extension. When you write in English on MT, it corrects your spelling and basic grammar mistakes. I've been using the free version for 2 years. It helps!
Nice tool. Special for me, because I'm learning English.;)
 

Thiagoo

Level 3
May 10, 2021
66
Winrar. 7zip has really terrible security practices, nonexistent exploit mitigation and it doesn't even respect MOTW. Many security researchers describe how security issues they report are simply ignored by the 7-zip developer for years. The cryptography used is another mess entirely

It's far better to just pay for winrar to get rid of the ads than to use 7-zip

WinRAR had a 19 year old unpatched code execution vulnerability on it though. (.ACE)

“We found a logical bug using the WinAFL fuzzer and exploited it in WinRAR to gain full control over a victim’s computer,” said Nadav Grossman with Check Point in the analysis. “The exploit works by just extracting an archive, and puts over 500 million users at risk. This vulnerability has existed for over 19 years(!) and forced WinRAR to completely drop support for the vulnerable format.”
 

Thiagoo

Level 3
May 10, 2021
66
Fixing vulnerabilities doesn't make your software any more secure. Security is good design, not fixing security vulnerabilities themselves
If WinRAR team had the source code for the DLL (compiled in 2006, no ASLR or DEP) that was used to extract .ACE files (or just didn't add it to the software as they can't maintain it over the years), 500 million users wouldn't be in danger. This is a big design flaw.

Source:
WinRAR used this third party library to unpack ACE archives.
UNACEV2.DLL had not been updated since 2005 and we do not have access to its source code.
So we decided to drop ACE archive format support to protect security of WinRAR users.
 

Thiagoo

Level 3
May 10, 2021
66
I don't see any real design flaw there. It's probably the case that someone else added the code in and it was forgotten about over the years. This also doesn't argue for 7-zip being secure when it isn't

Again, everything is going to have flaws.
Everything has flaws, sure, but there's an huge difference: one is open source; someone can fork their code and fix the problems and WinRAR is proprietary code; you'll need to rely on a team that "forgot" patching a almost 2 decades old vulnerability. There is no "fallacy" here, it's facts.
 

Thiagoo

Level 3
May 10, 2021
66
Open source is just a development model. It doesn't fix any security bugs. If anything, proprietary software developers aren't incompetent and often end up writing better code (it depends)


Reverse engineering is also no harder than just reading the code

Similar decade old bugs are found everywhere. Even in security focused projects like windows, android, iOS and the like. It doesn't really mean much
From the article:
Open source means that the code is available for security evaluation, not that it necessarily has been evaluated by anyone. This is an important distinction.
It's a 50/50 chance of someone finding it and reporting it, and with proprietary code this is all up to the development team. I'm not saying WinRAR devs are incompetent, but i'd say they are incautious for letting something like this happen and knowing that the code is not shared with anyone not even themselves. Systems like Windows, Android, iOS has huge chunks of critical code on their kernel, so this will happen at any time, but WinRAR only had a single outdated DLL that caused all of this.
 
Last edited:

Thiagoo

Level 3
May 10, 2021
66
There is no 50/50 chance of finding a bug. Most bugs in open source are not really that easy to find. There are even yearly competitions to introduce such bugs intentionally. You are just jumping to conclusions without reading the article correctly

Open source by definition cannot make software secure, private, stable or trustworthy or even guarantee that someone will be able to fix bugs. It is merely a development model and cannot do anything of what you claim it does


If you really think open source makes finding bugs easier then clearly you haven't tried finding an issue yourself. Entire teams can review open source code for years and miss obvious wrong code. I also like how you conveniently ignore what I said about reverse engineering in that reverse engineering is no different or harder from simply reading the source. How do you think checkpoint researchers found this bug? They reverse engineered winrar. How do you think windows malware is written? Malware authors reverse engineer windows code and how is it that you think vulnerability researchers verify Microsoft fixes vulnerabilities? They too reverse engineer windows code to make sure. How do you think me_cleaner and other projects documented the HAP bit? They reverse engineered the intel ME. Reverse engineering is no different from just reading source code in most cases and the whole thing about proprietary being impossible to fix somehow is just propaganda. Often for open source projects too it is the case that the source code is useless and compiled binaries need to be reversed to find bugs even if there are reproducible builds. Classic examples of this are memset calls or anything the compiler feels it can optimise away. Even mods that completely change the behaviour of your game are all by people reverse engineering code. There is nothing that stops a hobbyist from simply reversing winrar code and patching it themselves. How do you think crackers crack software? They too reverse engineer and you can see clear proof that they can alter whole program behaviour here
They didn't reverse engineer WinRAR itself.
Both of these functions required structs that are unknown to us. We had two options to try to understand the unknown struct: reversing and debugging WinRAR, or trying to find an open source project that uses those structs.

The first option is more time consuming, so we opted to try the second one. We searched github.com for the exported function ACEInitDll
and found a project named FarManager that uses this dll and includes a detailed header file for the unknown structs.
Note: The creator of this project is also the creator of WinRAR.
They just did debugging on the DLL to find the exploit. I used the 50/50 example because it's not possible to tell the real chances, there's a lot of factors.

Open source is not going to make a software secure, private, stable or trustworthy, but i'll just repeat WinRAR team words:
UNACEV2.DLL had not been updated since 2005 and we do not have access to its source code.
Would you add a code to your software that can be potentially vulnerable to exploits without access to it? No, right? Another weird thing is that WinACE website (maintainer and creator of the .ACE extension) is down since 2017, and not maintaned since 2007.

I respect your view on this, but i just can't see what's so special on WinRAR in terms of security.
 

Thiagoo

Level 3
May 10, 2021
66
You are quoting just one single vulnerability and using that as an example to show how entire software is insecure due to one bad component. All of this while ignoring the innumerable design flaws that make 7z inherently more exploitation friendly

If fixing security vulnerabilities doesn't make software secure then does finding them mean software is insecure? I don't think so. Security vulnerabilities have never been a measure of how secure software is. It's only a measure of how many security researchers are lobbying and actively working to push one. Out of the 1000 bugs that every software update fixes, for all you know 60% of those might be fixing a security issue without even you or the developer realising. Vulnerability counts are a really useless metric of anything other than human greed
The vulnerability itself is not the problem, the problem here is the time it took to be fixed and how it could get fixed from day 0 (common sense, would you give your credit card to a stranger even when you don't know who is he?).

Anyways, if you think WinRAR is safe, use it, you can install whatever you want on your PC, i don't really care. I just don't think it's safe.
 

Thiagoo

Level 3
May 10, 2021
66
You not thinking or thinking something doesn't change reality. It isn't my opinion that winrar is safe, I've done at least some research before making any claims

There are many cases of vulnerabilities being undetected for several years A Windows Defender Vulnerability Lurked Undetected for 12 Years and winrar is no different in that regard

What you don't seem to understand is that I haven't said that winrar is the most secure option around. I've only said that the security is significantly better than that of 7-zip

Saying that a vulnerability could get fixed on day 0 is just your own lack of understanding on what the problem really was. That's just not how things work. Do some actual research instead of pointlessly arguing

Edit: also kind of interesting how you again choose to selectively ignore 7-zip's anti-security stances

What you don't seem to understand is that I haven't said that winrar is the most secure option around. I've only said that the security is significantly better than that of 7-zip
And i disagree, hence the fact i'm debating.


Edit: also kind of interesting how you again choose to selectively ignore 7-zip's anti-security stances
And looks like you're not reading what i've said before:
"Everything has flaws, sure"...
7-zip has flaws, but it's not a huge mess like this one.


Saying that a vulnerability could get fixed on day 0 is just your own lack of understanding on what the problem really was. That's just not how things work. Do some actual research instead of pointlessly arguing
Putting code on your software that you don't have access to is not a good idea. The team could atleast remove .ACE after it stopped being maintaned in order to reduce some years of damage, but they probably just did choose keeping the feature over security. And i forgot to mention that .ACE files can be disguised as .RAR files too.

If you think i'm pointlessly arguing, good for you. My opinion stays the same, WinRAR is not safe.


I've done at least some research before making any claims
You should also research what i've said until now.


There are many cases of vulnerabilities being undetected for several years A Windows Defender Vulnerability Lurked Undetected for 12 Years and winrar is no different in that regard

This specific vulnerability was caused by a driver that doesn't always run on your HDD. And again, it's a completely different case as i said before.
"The researchers hypothesize that the bug stayed hidden for so long because the vulnerable driver isn't stored on a computer's hard drive full-time, like your printer drivers are. Instead, it sits in a Windows system called a “dynamic-link library,” and Windows Defender only loads it when needed. Once the driver is done working, it gets wiped from the disk again."

Systems like Windows, Android, iOS has huge chunks of critical code on their kernel, so this will happen at any time, but WinRAR only had a single outdated DLL (that could get avoided easily) that caused all of this.

I'm not replying to this again as this discussion will probably lead to nowhere. If you want to use WinRAR, use it. If you want to use 7-zip, use it too. I don't want to repeat every single word i've said here.
 
  • Like
Reactions: cryogent and Nevi

Thiagoo

Level 3
May 10, 2021
66
Reading my comments again, i guess anupritaisno is actually right in a security perspective. Vulnerabilities is not a big parameter to define a software security, as everything has vulnerabilities coming from low risk to severe, and open source obviously doesn't mean everyone will inspect the code and fix the flaws. As i'm not a professional i should always try to expand my knowledge and acknowledge my errors, so please disconsider my previous comments if you're reading them.
 
Last edited:

Deletedmessiah

Level 25
Verified
Top Poster
Content Creator
Well-known
Jan 16, 2017
1,469
Winrar. 7zip has really terrible security practices, nonexistent exploit mitigation and it doesn't even respect MOTW. Many security researchers describe how security issues they report are simply ignored by the 7-zip developer for years. The cryptography used is another mess entirely

It's far better to just pay for winrar to get rid of the ads than to use 7-zip

Does winrar support MOTW?
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top