- ZIP SFX module refuses to process SFX commands stored in archive comment if such comment is resided after beginning of Authenticode digital signature. It is done to prevent possible attacks with inclusion of ZIP archive into the signature body.
We already prohibited extracting contents of such malformed archives in WinRAR 6.01.
We are thankful to FireEye Mandiant team for reporting this issue.
- WinRAR uses https instead of http in the web notifier window, home page and themes links. It also implements additional checks within the web notifier. This is done to prevent a malicious web page from executing existing files on a user's computer. Such attacks are only possible if the intruder has managed to spoof or otherwise control user's DNS records. Other factors are also involved in limiting its practical application, including a security alert prompt asking for a user's confirmation before opening a malicious page.
We would like to express our gratitude to Igor Sak-Sakovskiy for bringing this issue to our attention.
- Where appropriate, SFX archive displays the additional line with detailed error information provided by operating system.
For example, previously such archive would display "Cannot create file" message alone. Now this message is followed by a detailed reason like access denied or file being used by another process.
In the past this extended error information was available in WinRAR, but not in SFX archives.
- Switch -idn hides archived names also in 'v' and 'l' commands. It can be useful if only the archive type or total information is needed.
- If -ibck -ri switches are used together, WinRAR process sets the priority specified in -ri switch. Previous versions ignored -ri and set the priority to low in the presence of -ibck switch.
- When using "File/Change drive" command, WinRAR saves the last folder of previous drive and restores it if that drive is selected again later.
- Name of unpacking file is now included into WinRAR incorrect password warning for RAR5 archives. It can be helpful when unpacking a non-solid archive containing files encrypted with different passwords.
- Bugs fixed:
- "Convert archives" command issued erroneous "The specified password is incorrect" message after succesfully converting RAR archive with encrypted file names if new password was set and archive was opened in WinRAR shell;
- if command progress window was resized up and then quickly resized down to original dimensions, window contents could be positioned incorrectly.