https://arstechnica.com/security/2025/08/high-severity-winrar-0-day-exploited-for-weeks-by-2-groups/

 

Damn, that's some serious luck I had upgrading from v6.XX directly to v7.13 like 10 days ago...

 

This is one of the things about WinRAR that I do like: it does not check for updates and constantly nag you for a daily update of sorts. I mean, the software is decades old, there's very little to fix or improve, and for those you'll get a major version bump.

But at the same time, I do wish there would be an option to check for security updates. That should be a given on any connected computer.

Give me security updates, ignore the rest of the bullshit.

 

No wonder I used 7zip, does that automatically check for updates?

 

To my knowledge, no. PeaZip might, that's what all the cool kids use (hence I don't). Under Windows I mean, on Linux 7zip should come from the package manager and is updated whenever system packages are updates. No clue about Mac archivers.

But that's kind of beside the point: this security issue is Windows only, as it is about Windows path handling. And only those applications that use Unrar.dll (or the unrar source code I suppose), to my knowledge 7zip etc. are safe from this.

 

Pretty much all these exploits fall under the policy of general computer usage CYA. Most of the attacks are Email sourced and require boneheaded acts on the part of the operator of the local machine in order to launch the crap onto the target system. Your Email should be getting scanned for stuff like executables and scripts in real time by your A/V (not defender) which should knock down 99% of stuff like this...

 

And this is why I use.....

1. 7zip
2. Uharc

 

I use keka on Mac and that gets the occasional update, whether I find it or not, so maybe I should go to the 7zip download page and give it an update just in case?

 

Well, updating can't hurt. But this is a Windows problem here, it doesn't affect Macs.