
I'm wondering if popular closed-source archiving software like WinRAR or WinZIP are tested regularly by other developers to check if they add some kind of intentional backdoor or unintentional weakness to the archives they create.

Does anyone have insight into this?

schroeder
oqdn
  • There are opensource versions of the algorithms used in each, but you would have to decompile the binary to check and see how they are making use of them. I am sure some security firm somewhere spends cycles on this ... but the results are most likely not published. – CaffeineAddiction Jul 27 '22 at 04:27
  • Could be related: https://security.stackexchange.com/a/4450/238799 – Artem S. Tashkinov Jul 27 '22 at 11:14
  • @A.Hersean I don't think this is a "closed vs open" source question. It appears to be a "a closed source binary creates a file: how can I know it was created as advertised and doesn't hold surprises?" – schroeder Jul 29 '22 at 10:36
  • @A.Hersean Nope. They are comparing the security of open and closed source software. My question is about the encrypted archives created by the latter. – oqdn Jul 29 '22 at 12:39
  • @oqdn Thanks for your answer. I retracted my close vote. – A. Hersean Jul 29 '22 at 16:12

1 Answer

WinRAR and WinZip have been on the market for over 25 years - suggesting they contain backdoors is the same as believing in crazy conspiracy theories. No one can stop you, as to whether it makes any sense? Unlikely, except it'll make your life miserable.

If you're scared of running them, you have options including SandBoxie+ or installing them in a virtual machine.

Since WinRAR and WinZip are Windows applications and Windows in itself is closed source, are you OK running it? Literally gigabytes of code.

As for weaknesses? Lots of closed source applications are fuzz-tested by lots of people. Both applications have tens of millions of installations, so they are quite enticing as an attack vector.

They are closed source, true, but does that automatically mean that e.g. Open Source Windows archivers fare better? Doesn't seem to be the case.

The fact that something is open source guarantees neither security nor the absence of backdoors. It only makes hiding them more difficult. The Linux kernel, the most famous and one of the most important open source software packages, gets fixes for tens of security vulnerabilities monthly, most of which are corrected silently.

Artem S. Tashkinov
  • I'm OK with both programs. I'm only referring to the archives made by them. Is there a way to analyze these archives to see if they have some kind of backdoor/weakness which may allow bypassing the password protection? – oqdn Jul 27 '22 at 11:29
  • ZIP is a standard, WinZIP doesn't use any proprietary features beyond that: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT RAR decompressor is open source: https://www.rarlab.com/rar_add.htm (Unrar source). You can probably weaponize ZIP/RAR archives if the respective programs have vulnerabilities (very unlikely to be intentional) in their source code. You can also theoretically weaponize 7z/xz archives produced by Open Source 7-zip. It's not immune to that by virtue of being Open Source. – Artem S. Tashkinov Jul 27 '22 at 11:58
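The comment above makes the practical point: because ZIP is a published format (APPNOTE.TXT), the archive a closed-source tool writes can be checked against the specification without touching the tool at all. The script below is an added example, not code from the question or the answer, showing what such a "was it created as advertised" audit looks like for a ZIP image held in memory. It walks the end-of-central-directory record, the central directory and each local file header by hand, and reports anything a plain extractor would silently tolerate: bytes after the EOCD record, bytes between entries that no header accounts for, local headers that disagree with the central directory, payloads whose CRC-32 or size do not match what is declared, extra-field ids outside a small assumed allow-list of documented ones (Zip64, NTFS, Info-ZIP timestamp and UID/GID, WinZip AES), and the encryption scheme in use. The sample archives are constructed with Python's own `zipfile` module, and the tampered copy simply has bytes appended after the EOCD record.

```python
import io
import struct
import zipfile
import zlib

# Assumed allow-list of extra-field header ids: Zip64, NTFS timestamps,
# Info-ZIP extended timestamp, Info-ZIP Unix UID/GID, WinZip AES.
KNOWN_EXTRA_IDS = {0x0001, 0x000A, 0x5455, 0x7875, 0x9901}
LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50


def _extra_ids(extra):
    """Yield the header ids of the (id, size, data)* records in an extra field."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        yield hid
        pos += 4 + size


def _check_entry(data, name, flags, method, crc, csize, usize, lh_off, findings):
    """Compare one central-directory entry with its local header and payload.

    Returns the offset just past the entry's payload, or None if the local
    header could not be located.
    """
    if lh_off + 30 > len(data) or struct.unpack_from("<I", data, lh_off)[0] != LOCAL_SIG:
        findings.append(f"{name}: no local file header at offset {lh_off}")
        return None
    (_, _, lflags, lmethod, _, _, lcrc, lcsize, lusize, nlen, elen) = struct.unpack_from(
        "<IHHHHHIIIHH", data, lh_off)
    lname = data[lh_off + 30: lh_off + 30 + nlen].decode("utf-8", "replace")
    extra = data[lh_off + 30 + nlen: lh_off + 30 + nlen + elen]
    if lname != name or lmethod != method or lflags != flags:
        findings.append(f"{name}: local header disagrees with central directory")
    # With bit 3 set the sizes/CRC live in a trailing data descriptor instead.
    if not flags & 0x8 and (lcrc, lcsize, lusize) != (crc, csize, usize):
        findings.append(f"{name}: local CRC/sizes disagree with central directory")
    for hid in _extra_ids(extra):
        if hid not in KNOWN_EXTRA_IDS:
            findings.append(f"{name}: undocumented extra field id 0x{hid:04x} (local)")
    start = lh_off + 30 + nlen + elen
    payload = data[start:start + csize]
    if flags & 0x1:
        kind = "WinZip AES" if method == 99 else "traditional ZipCrypto (known weak)"
        findings.append(f"{name}: encrypted with {kind}")
        return start + csize
    if method not in (0, 8):
        findings.append(f"{name}: unusual compression method {method}")
        return start + csize
    try:
        raw = payload if method == 0 else zlib.decompress(payload, -15)
    except zlib.error:
        raw = None
    if raw is None or len(raw) != usize or zlib.crc32(raw) & 0xFFFFFFFF != crc:
        findings.append(f"{name}: payload does not match declared CRC-32/size")
    return start + csize


def audit_zip(data):
    """Return a list of findings for a ZIP image; an empty list means clean."""
    findings = []
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        return ["no end-of-central-directory record: not a ZIP image"]
    (_, _, _, _, n_entries, cd_size, cd_offset, clen) = struct.unpack_from("<IHHHHIIH", data, eocd)
    if eocd + 22 + clen != len(data):
        findings.append(f"{len(data) - eocd - 22 - clen} bytes after the EOCD record")
    if cd_offset + cd_size != eocd:
        findings.append("central directory does not end at the EOCD record")
    pos, ends, descriptors = cd_offset, [], False
    for _ in range(n_entries):
        if pos + 46 > len(data) or struct.unpack_from("<I", data, pos)[0] != CENTRAL_SIG:
            findings.append(f"bad central directory signature at offset {pos}")
            break
        (_, _, _, flags, method, _, _, crc, csize, usize, nlen, elen, cmlen, _, _, _,
         lh_off) = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)
        name = data[pos + 46: pos + 46 + nlen].decode("utf-8", "replace")
        for hid in _extra_ids(data[pos + 46 + nlen: pos + 46 + nlen + elen]):
            if hid not in KNOWN_EXTRA_IDS:
                findings.append(f"{name}: undocumented extra field id 0x{hid:04x} (central)")
        descriptors |= bool(flags & 0x8)
        end = _check_entry(data, name, flags, method, crc, csize, usize, lh_off, findings)
        if end is not None:
            ends.append((lh_off, end))
        pos += 46 + nlen + elen + cmlen
    # Entries should tile the space before the central directory with no hidden gaps
    # (skipped when data descriptors are present, since their length is not fixed).
    if ends and not descriptors:
        cursor = 0
        for lh_off, end in sorted(ends):
            if lh_off != cursor:
                findings.append(f"{lh_off - cursor} unaccounted bytes before offset {lh_off}")
            cursor = end
        if cursor != cd_offset:
            findings.append(f"{cd_offset - cursor} unaccounted bytes before the central directory")
    return findings


def build_samples():
    """Constructed test data: a clean archive and a copy with bytes appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "lorem ipsum " * 50)
        zf.writestr("raw.bin", bytes(range(256)), compress_type=zipfile.ZIP_STORED)
    clean = buf.getvalue()
    tampered = clean + b"bytes appended after the EOCD record"
    return clean, tampered


if __name__ == "__main__":
    for label, image in zip(("clean", "tampered"), build_samples()):
        print(label, audit_zip(image) or "no findings")
```

Run it against a real archive by replacing `build_samples()` with `open(path, "rb").read()`. The checks here are structural only: a clean report means the file is laid out the way APPNOTE describes and every payload is exactly what the directory claims, which is what you can verify without the producing tool's source. It says nothing about the strength of the encryption beyond naming the scheme, so an entry reported as traditional ZipCrypto should be treated as weakly protected regardless of which program wrote it.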