Description
WinRAR 7.10, the latest version of the popular file compression and archiving tool, introduces several new features, including dark mode, larger memory pages for improved performance, and a revamped settings interface. A particularly notable change is a new security setting that lets users fine-tune how Windows' Mark-of-the-Web (MoTW) is propagated to extracted files. With the "Zone value only" option enabled, WinRAR copies only the security zone value to extracted files and drops the remaining fields of the mark, which can contain privacy-sensitive data such as the download and referrer URLs and, in some cases, IP addresses. The zone value itself is preserved, so Windows' download warnings and Protected View continue to apply to the extracted files.
Attack Details
Mark-of-the-Web (MoTW) is an NTFS alternate data stream named "Zone.Identifier" that Windows attaches to files downloaded from the Internet. It records the URL security zone the file came from (the ZoneId field, where 3 denotes the Internet zone) and may also record the referring and download URLs (the ReferrerUrl and HostUrl fields). It is an important security mechanism: Windows SmartScreen uses it to warn users before running potentially risky files, and Microsoft Office uses it to open documents in Protected View. Cybercriminals often exploit weaknesses in how archivers and other tools propagate MoTW to extracted files in order to bypass these warnings and execute malicious files without any prompt.
Threat actors typically attempt to evade MoTW protections by exploiting zero-day flaws in archive tools or by modifying extracted files so that the mark, and with it the security warning, is removed. The new WinRAR setting does not remove the mark: the zone value is still propagated, so SmartScreen and Protected View behave as before. What it strips are the ReferrerUrl and HostUrl fields, which forensic analysts rely on to trace where a file was downloaded from. While this change enhances privacy, it may also hinder investigations into malicious files that were delivered inside archives.
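The PowerShell below is an added illustration for this alert, not WinRAR's code or part of the original advisory. It writes a constructed Zone.Identifier stream to a sample file the way a browser would, rewrites a copy so that only the zone value remains (mirroring the effect of the "Zone value only" setting on extracted files), and then triages a directory to show which files still carry the origin URLs an analyst would look for. The file names, URLs and the Get-MotwInfo and Set-ZoneOnlyMotw helpers are assumptions made for the demonstration; run it on Windows on an NTFS volume.

```powershell
# Added example (not WinRAR's implementation): inspect Zone.Identifier streams and
# compare a full Mark-of-the-Web with a "zone value only" mark.
# Requires Windows and an NTFS volume; all sample files and URLs are constructed.

$ZoneNames = @{ 0 = 'LocalMachine'; 1 = 'LocalIntranet'; 2 = 'TrustedSites'; 3 = 'Internet'; 4 = 'RestrictedSites' }

function Get-MotwInfo {
    # Parses one file's Zone.Identifier alternate data stream and reports whether it
    # carries the full mark (ZoneId plus referrer/host URLs), only the zone value,
    # or no mark at all. Assumed helper name for this example.
    param([Parameter(Mandatory)][string]$Path)

    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $fields = @{}
    foreach ($line in $lines) {
        # Key=Value pairs; the [ZoneTransfer] section header does not match and is skipped.
        if ($line -match '^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }

    $state = 'Malformed'
    if (-not $lines) { $state = 'NoMotw' }
    elseif ($fields.ContainsKey('ReferrerUrl') -or $fields.ContainsKey('HostUrl')) { $state = 'FullMotw' }
    elseif ($fields.ContainsKey('ZoneId')) { $state = 'ZoneIdOnly' }

    $zoneId = $null
    if ($fields.ContainsKey('ZoneId')) { $zoneId = [int]$fields['ZoneId'] }

    [pscustomobject]@{
        Path        = $Path
        State       = $state
        ZoneId      = $zoneId
        Zone        = if ($null -ne $zoneId) { $ZoneNames[$zoneId] } else { $null }
        ReferrerUrl = $fields['ReferrerUrl']
        HostUrl     = $fields['HostUrl']
    }
}

function Set-ZoneOnlyMotw {
    # Rewrites the stream so that only [ZoneTransfer]/ZoneId remains. This reproduces the
    # observable effect of WinRAR's "Zone value only" propagation on an extracted file;
    # it is an illustration, not WinRAR's own logic.
    param([Parameter(Mandatory)][string]$Path)
    $info = Get-MotwInfo -Path $Path
    if ($null -eq $info.ZoneId) { return }
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value @('[ZoneTransfer]', "ZoneId=$($info.ZoneId)")
}

# --- Constructed demonstration data ---------------------------------------------
$dir = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

$full     = Join-Path $dir 'report-full.docx'       # as a browser leaves a download
$zoneOnly = Join-Path $dir 'report-zone-only.docx'  # as "Zone value only" extraction leaves it
$clean    = Join-Path $dir 'report-local.docx'      # never marked (created locally)
foreach ($f in $full, $zoneOnly, $clean) { Set-Content -LiteralPath $f -Value 'placeholder content' }

# Constructed mark as a browser would write it for a download from the Internet zone.
$browserMark = @(
    '[ZoneTransfer]',
    'ZoneId=3',
    'ReferrerUrl=https://example.invalid/downloads/',
    'HostUrl=https://cdn.example.invalid/archive/report.zip'
)
Set-Content -LiteralPath $full     -Stream Zone.Identifier -Value $browserMark
Set-Content -LiteralPath $zoneOnly -Stream Zone.Identifier -Value $browserMark
Set-ZoneOnlyMotw -Path $zoneOnly   # strip ReferrerUrl/HostUrl, keep ZoneId=3

# Triage: which extracted files still tell us where they came from?
Get-ChildItem -LiteralPath $dir -File |
    ForEach-Object { Get-MotwInfo -Path $_.FullName } |
    Format-Table Path, State, Zone, ReferrerUrl, HostUrl -AutoSize
```

In the resulting table, report-full.docx shows State FullMotw with both URLs, report-zone-only.docx shows ZoneIdOnly with Zone Internet and empty URL columns, and report-local.docx shows NoMotw. Both marked files will still trigger Protected View and SmartScreen because ZoneId=3 is present; only the origin URLs differ, which is exactly the forensic gap the new setting introduces.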
Remediation
While WinRAR 7.10's privacy-focused update is beneficial for users concerned about data exposure, security teams should remain vigilant about the implications of metadata stripping. Incident responders should not assume that an extracted file's Zone.Identifier stream will contain its download URL, and should capture origin details from other sources, such as the downloaded archive's own mark (which the setting does not alter), browser history or proxy logs. Administrators of managed endpoints should review the Mark-of-the-Web propagation setting in WinRAR's security options and decide whether full propagation is required in their environment. Balancing privacy and security will be crucial in effectively managing extracted files.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.