WinRAR is a popular commercial archive creation and extraction program, best known for supporting the RAR archive format.

 

WinRAR 6.02 was released earlier today and is available for download on the official website already. The update introduces important security improvements as well as other non-security related improvements and bug fixes.

 

A click on Help > About WinRAR displays the installed version on the device.

 

 

The official WinRAR 6.02 changelog lists two security-related improvements. The application uses HTTPS instead of HTTP from now on for its web notification window, home page and themes links. Additional checks have been implemented to make the web notifier more robust against potential threats.

 

An attacker needed to use advanced attacks that involved spoofing or gaining control over the DNS settings of a device, but would be able to use malicious webpages to execute existing files on a user system, if executed correctly. The move to HTTPS prevents this attack scenario entirely.

 

The second security-related change improves the handling of malformed archives. WinRAR 6.01 prevented the extraction of contents already, but WinRAR 6.02 improves that by refusing to process SFX (self-extracting) commands stored in archive comments if the comments reside after the beginning of the Authenticode digital signature; this is done to prevent attacks that abuse the loophole.

 

On the usability side, improvements are found in several areas. Error messages thrown by SFX archives will provide users with additional information in WinRAR 6.02. Previously, errors stated "cannot create file" only, which did not reveal the reason for the error. In WinRAR 6.02, the error will provide details, such as "access denied" or "file in use" when possible.

 

WinRAR did support the information for regular archives previously, but not for SFX archives; this changes with the release of WinRAR 6.02. Another useful addition is that the name of the unpacked file is now included in error messages related to incorrect passwords.

 

The release addresses two bugs. One fixes an issue that would see the error "The specified password is incorrect" thrown, despite that operations would complete successfully.

 

You can check the full changelog to find out about the second bug fix and several improvements to command line switches.

 

Now You: do you use WinRAR or another archiver?