Summary

WinRAR 4.20 is vulnerable to ZIP file name spoofing. Please upgrade to WinRAR 5.00 release or later, which are not vulnerable.

Description

As reported by https://an7isec.blogspot.co.il/2014/03/winrar-file-extension-spoofing-0day.html, it is possible to create a specially crafted ZIP archive, so WinRAR 4.11 and 4.20 will display one archived file name while browsing archive contents, but assign another name to unpacked file. It leads to possible security risks for pre-5.0 WinRAR users.

This vulnerability was discovered by Christian Navarrete in 2009 in WinRAR 3.80, fixed in 3.91, appeared again in 4.11 and finally fixed in WinRAR 5.00.

We investigated this issue and found that all WinRAR 5.x versions beginning from WinRAR 5.00 release are not affected, so we recommend WinRAR 4.x users to upgrade. If you still need to use WinRAR 4.20 for some reason, avoid opening files directly from ZIP archives and carefully check names of unpacked files before opening them.

We noticed a claim that WinRAR 5.10 is vulnerable:
http://intelcrawler.com/news-15
http://intelcrawler.com/report_2603.pdf
copied by some news sites. We asked intelcrawler.com owners to provide a proof of this claim, but did not receive any response. According to our investigation, WinRAR 5.00, 5.01 and 5.10 do not have this issue.

Also both sites listed above mention that "WINRAR adds several properties of its own" to ZIP format, which is not true. Data which they report as WinRAR specific property is a standard ZIP central directory record, mandatory for any valid ZIP archive.

RAR archives and archives of other formats are not affected by this vulnerability.