WinRAR has a critical security bug: here is the fix

WinRAR is a very popular program for creating and extracting archives on Windows and other supported operating systems. Part of its popularity comes from its support for many packing formats; another part comes from the fact that the software’s trial version never expires.

A bug was discovered recently that affects all versions of WinRAR prior to 5.70. The bug, a remote code execution vulnerability, affects every WinRAR version released up to that point and thus potentially all 500 million users of the application.

Security researchers discovered a flaw in a library that WinRAR uses to extract files from archives packed with the ACE format.

Attackers can exploit the vulnerability by pushing specially prepared archives to user systems. The bug can be abused to extract the files into any folder on the system instead of the folder selected by the user or the default folder for extracted files.

Tip: Find out how to repair and extract broken WinRAR archives.

Attackers could select to extract files to Windows’ startup folder so that programs are executed on the next start of the system.

The researchers published a video that demonstrates the exploit.

WinRAR uses the content of a file, not its extension, to determine the archive format that was used to compress the files. This means that it is not enough to avoid files with the .ace extension for the time being: attackers could rename ACE files to RAR or ZIP, and WinRAR would still process them as ACE archives.
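As an added example (not code from the article and not WinRAR’s own code), the following Python shows the two defender-side checks this section implies: identifying an archive by its leading bytes rather than by its extension, and refusing any archive entry whose path would resolve outside the destination folder the user chose. The ACE, RAR and ZIP signatures are the standard published magic bytes; the file names and paths used in the demo are constructed.

```python
"""Two checks that follow from the WinRAR/ACE issue described above.

1. Archive type is decided from content, mirroring how WinRAR picks its
   unpacker, so an ACE archive renamed to .rar or .zip is still seen as ACE.
2. Each entry path is tested against the chosen destination folder; an entry
   that would land anywhere else is rejected instead of being extracted.
"""
import ntpath
import os
from typing import Optional

# (offset, magic bytes) for the three formats the article mentions.
SIGNATURES = {
    "ace": (7, b"**ACE**"),        # ACE stores its marker at byte offset 7
    "rar": (0, b"Rar!\x1a\x07"),   # common prefix of RAR4 and RAR5 markers
    "zip": (0, b"PK\x03\x04"),     # local file header of a ZIP archive
}


def sniff_archive_format(data: bytes) -> Optional[str]:
    """Return 'ace', 'rar' or 'zip' based on the leading bytes, else None."""
    for name, (offset, magic) in SIGNATURES.items():
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def extension_disagrees(filename: str, data: bytes) -> bool:
    """True when the extension claims one archive format but the content is
    another; this is the renamed-ACE case the article warns about."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    actual = sniff_archive_format(data)
    return actual is not None and ext in SIGNATURES and ext != actual


def entry_escapes_destination(entry_path: str, dest_dir: str) -> bool:
    """True when writing entry_path relative to dest_dir would end up outside
    dest_dir. Absolute paths, drive-qualified paths and '..' components are
    all treated as escapes. Paths are evaluated with Windows semantics
    (ntpath) regardless of the host OS, since that is what the article
    concerns; forward slashes are normalised to backslashes first."""
    entry = entry_path.replace("/", "\\")
    if ntpath.isabs(entry) or ntpath.splitdrive(entry)[0]:
        return True
    dest = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(dest_dir, entry))
    # commonpath is case-insensitive on ntpath, matching Windows behaviour
    return ntpath.commonpath([dest, target]) != dest


if __name__ == "__main__":
    # Constructed sample: an ACE header inside a file named as if it were RAR.
    renamed_ace = b"\x00" * 7 + b"**ACE**" + b"\x00" * 16
    print("photos.rar really is:", sniff_archive_format(renamed_ace))
    print("extension lies:", extension_disagrees("photos.rar", renamed_ace))
    dest = "C:\\Users\\bob\\Downloads\\out"
    for entry in ("docs\\readme.txt", "..\\..\\..\\anywhere.exe",
                  "C:\\Windows\\anywhere.exe", "../outside.txt"):
        print(f"{entry!r:35} escapes: {entry_escapes_destination(entry, dest)}")
```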

The library that is responsible for the behavior is UNACEV2.DLL. The maker of WinRAR removed the file from the latest Beta version of WinRAR 5.70. Users can upgrade to the Beta version to protect their devices from the security issue.


Policies may prevent the installation of Beta software on devices, and some Home users might not want to install Beta software either on their computer systems.

These users and administrators may delete the vulnerable file, UNACEV2.DLL, from the WinRAR directory to protect the device from the issue. Here is how that is done:

  1. Open Explorer on the Windows PC.
  2. Go to C:\Program Files\WinRAR if you run a 64-bit version of WinRAR.
  3. Go to C:\Program Files (x86)\WinRAR if you run a 32-bit version of WinRAR.
  4. Locate the file UNACEV2.DLL and either rename it or delete it.
    1. To delete: select the file UNACEV2.DLL and delete it either with a right-click and the selection of Delete from the context menu, or by using the Del key on the keyboard.
    2. To rename: right-click on the file and select rename.
  5. Restart the PC.

Note: This removes the option to extract ACE files using WinRAR.

I could not find information on the popularity of the ACE format. I remember that it was quite popular (and controversial) more than a decade ago.

Now You: Do you use WinRAR? My favorite program is Bandizip right now. (via Hacker News)

Ghacks needs you. You can find out how to support us here or support the site directly by becoming a Patreon. Thank you for being a Ghacks reader. The post WinRAR has a critical security bug: here is the fix appeared first on gHacks Technology News.

Password Manager study highlights potential leak issues

What happens when you analyze how popular password managers protect sensitive information such as the master password or stored passwords? That is what Independent Security Evaluators tried to find out in their analysis of five popular password managers running on Microsoft’s Windows 10 platform.

The paper Password Managers: Under the Hood of Secrets Management looked at how the password managers 1Password, Dashlane, KeePass and LastPass handle secrets, and if it is possible to retrieve sensitive information.

The researchers analyzed the three states “not running”, “unlocked state”, and “locked state”. The main conclusion was that all password managers protected data just fine in the not running state.

Not running refers specifically to a session in which the installed password manager was either not launched, or was terminated by the user after launch.

Locked state describes a state in which the master password has not been entered yet or in which the password manager was locked by the user or automatically.

The researchers discovered that all password managers leaked data in unlocked and locked state under certain circumstances. The password managers 1Password and LastPass leaked the Master Password in unlocked and locked state, Dashlane all stored records, and KeePass passwords and other sensitive information the user interacted with.

The researchers noted that all password managers were susceptible to keylogging or clipboard sniffing attacks.

How severe are the issues?

The discovered issues in the password managers sound very severe at first glance. The leaking of sensitive data is certainly an issue, and some companies could do better when it comes to that.

The good news is that the attacks require local access, or access to an already compromised system, to exploit the issue. It is additionally necessary to target the issue specifically, which would only make sense for targeted attacks, or if password manager usage increases to a point where exploiting the issue becomes lucrative enough.

In the case of KeePass, the user would have to have interacted with password entries for them to be exposed in system memory.

The author of KeePass noted some time ago that the Windows operating system may create copies in memory that KeePass has no control over.

Windows and .NET may make copies of the data (in the process memory) that cannot be erased by KeePass.

Protection


KeePass users can furthermore protect their data against attacks by making changes to the application’s preferences.

  1. Go to Tools > Options > Security.
  2. Check “Lock workspace after KeePass inactivity” and set it to the desired period, e.g. 300 seconds.
  3. Check “Lock workspace after global user inactivity (seconds)”, and set it to a desired period, e.g. 300 seconds.
  4. Make sure “Clipboard auto-clear time (seconds, main entry list)” is checked.
  5. Check the “Always exit instead of locking the workspace” option. The option terminates KeePass instead of locking it.

These settings close KeePass automatically on inactivity and protect all data from unauthorized memory snooping. The downside to that is that you need to restart the program when you require it again.

Check out my guide on improving KeePass security here.

KeePass users could also consider running KeePass in a sandbox, e.g. using Sandboxie, or in a virtual environment.

I don’t use the other password managers and cannot say whether they offer similar functionality.

Now You: Which password manager do you use?

The post Password Manager study highlights potential leak issues appeared first on gHacks Technology News.

Ad blocking for the masses, part two: Adblock Browser


In part two of this series on the state of ad blockers, I take a look at a new product from a well-known company whose earlier product has been available for nearly a decade: Adblock Plus (ABP). Adblock Plus develops extensions for web browsers which can block tracking, malware sites, and, of course, ads.

Last week, ABP went beyond releasing extensions and launched a standalone Adblock Browser for Android and iOS that has built-in blocking capabilities. Before we take a look at the browser itself, it is worth noting ABP’s interesting (and some call it controversial) business model. ABP signs contracts with companies that agree to its acceptable ads guidelines. Ads from these companies are allowed to pass through the ABP ad filter.

In a 2014 interview, ABP lead investor Tim Schumacher said that only the largest companies pay for these contracts. “Adblock Plus has been experimenting with different models,” he said. “I can’t talk about specific contracts, but in some cases it was performance-based and in other cases it was more of a flat fee. More than 90% of companies don’t pay at all.”


The first thing you should know about the free Adblock Browser is that, unsurprisingly, it works better on recent devices with faster processors. For example, it ran slowly on an iPad 2 with a 32-bit processor in my tests. So slow, in fact, that there is not much speed advantage over using Safari with ads displayed. However, on an iPhone 6+ with a faster 64-bit processor, Adblock Browser rendered the mostly ad-less web pages fast enough to be interesting and useful. On the Android side, I tested it using a Nexus 4 and Nexus 6.


Here’s the use case that makes Adblock Browser interesting and useful for me: I generally use Google’s own Chrome browser on Android devices and read web pages with ads. However, I often find interesting news items in my Google Now feed, and some of the sources are either unfamiliar to me, with possibly heavy-handed ads, or are interesting sources with known heavy ads. So, I have links from Google Now handled by Adblock Browser.

A single ad blocking filter is selected by default: ABP’s own EasyList. ABP describes it as: “The EasyList subscriptions are lists of filters designed for Adblock Plus that automatically remove unwanted content from the internet, including annoying adverts, bothersome banners and troublesome tracking. The subscriptions are currently maintained by four authors.” You can use the Ad Blocking setting option to choose filters for other languages.

The “More blocking options” page lets you select options such as disabling tracking. Surprisingly, the option to disable malware domains is turned off by default.


The “Acceptable Ads” option is turned on by default. As I noted earlier, this allows ads to be displayed from companies who sign a paid or free contract with ABP to agree to display non-intrusive ads.

Finally, in the Privacy settings window, you can choose to turn off cookies and tracking (which are, by default, allowed). It also provides controls for remembering passwords (off by default), and clearing private data manually. There is also an option to clear the cache upon a manual exit using the Quit option. However, I didn’t see a Quit option in the Android app, and I didn’t see this cache setting in the iOS app.

It is worth noting a few differences between the iOS and Android versions of Adblock Browser. The iOS version lets you choose between DuckDuckGo (the default) and Google as its search engine. You can choose from a much larger list of search engines in the Android version. URL suggestions are turned off by default, but can be turned on. The Android version has a large number of display options, including enabling zoom on pages that normally do not allow zooming on mobile devices. The Android version also has an option to save a web page as a PDF file (Settings -> Page -> Save as PDF).


The recently released free Adblock Browser for iOS and Android makes it easy for non-technical people to reduce the number of mobile web ads they see and protect themselves from known malware sites. It is one more tool that makes it easier for anyone to have an arguably improved mobile web experience.

If you missed part one in this series, check out: Ad blocking for the masses, part one: uBlock Origin. Finally, stay tuned for part three, where we will take a closer look at Apple’s Content Blocking Safari Extensions that will be made available in the iOS 9 update released September 16.