WinRAR 7.10 boosts Windows privacy by stripping MoTW data


WinRAR 7.10 was released yesterday with numerous features, such as larger memory pages, a dark mode, and the ability to fine-tune how Windows Mark-of-the-Web flags are propagated when extracting files.

WinRAR is a popular file archiver and compression tool for Windows that allows users to create, extract, and manage compressed files, primarily in RAR, ZIP, and many other file formats. The author claims that the tool is used by 500 million people worldwide.

Yesterday, win.rar GmbH released the final version of WinRAR 7.10, listing numerous new features that increase the performance and usability of the program.

These new features include enabling larger memory pages for increased performance, a reworked settings interface, and a long-awaited dark mode.

WinRAR dark mode
Source: BleepingComputer

One new feature that stood out is a new setting that lets you strip information that may be considered a privacy risk from the Mark of The Web alternate data stream.

“‘Zone value only’ option in “Settings/Security” dialog controls if archive Mark of the Web propagation includes only the security zone value or all available fields,” reads the WinRAR 7.10 release notes.

“While additional fields, such as a download location or IP address, might help to identify a file source, they can be a privacy concern if file is shared with other persons.”

For those unfamiliar with the Mark-of-the-Web (MoTW), it is an NTFS alternate data stream named “Zone.Identifier” that browsers, email clients, and other applications attach to files they save from the Internet, including downloads from websites and email attachments.

This identifier tells Windows and supported applications that the file was downloaded from another computer or the Internet and, therefore, could be risky to open.

When attempting to open a downloaded file, Windows will check if a MoTW exists and, if so, display additional warnings to the user, asking if they are sure they wish to run the file.

Launching a downloaded executable containing a MoTW
Source: BleepingComputer

Microsoft Office will also check for the Mark-of-the-Web, and if found, it will open documents in Protected View, with the file in read-only mode and macros disabled.

To check if a downloaded file has the Mark-of-the-Web, you can right-click it in Windows Explorer and open its properties.

If the file contains a MoTW, you will see a message at the bottom of the General tab stating, “This file came from another computer and might be blocked to help protect this computer,” next to an Unblock checkbox.

Modern file archivers propagate the MoTW found on an archive to the files extracted from it, so those files are also covered by the Windows security feature rather than silently losing the flag on extraction.

MoTW is a powerful security feature that is commonly targeted by threat actors who attempt to find zero-day flaws that allow their malicious files to bypass Windows’ security warnings.

However, some may consider it a privacy concern: if a file is shared with another person, its “Zone.Identifier” stream can reveal where the file was originally downloaded from.

This is because the Zone.Identifier stream can carry more than just the zone. Alongside the ZoneId (the Internet security zone the file came from, where 3 means the Internet zone), applications may also record a HostUrl (the URL the file was fetched from), a ReferrerUrl (the page that linked to it), and, in some cases, a HostIpAddress field holding the IP address of the host it was downloaded from.

Information in MoTW Zone.Identifier
Source: BleepingComputer

As part of WinRAR 7.10, a new setting is enabled by default called “Zone value only” that strips all information from MoTW alternate data streams other than the ZoneId when it is propagated to extracted files.

MoTW settings in WinRAR 7.10
Source: BleepingComputer

This allows the Mark-of-the-Web security feature to continue to work with extracted files, but the alternate data stream can no longer be used to learn where the file was downloaded.
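To make the two points above concrete, the following PowerShell session shows how to inspect a file's Zone.Identifier stream (the same information Explorer summarizes in the file's properties) and how to rewrite it so that only the ZoneId survives, which is what WinRAR's “Zone value only” option does for extracted files. This is an added example written for this article, not WinRAR's code or a Microsoft tool; it assumes a Windows host with an NTFS volume, and the download URLs written into the sample stream are constructed placeholders.

```powershell
# Added example (not part of the article or of WinRAR): read a file's Mark-of-the-Web
# and reduce it to the zone value only. Requires Windows and an NTFS volume.

# Create a scratch file and attach a constructed "full" Zone.Identifier stream,
# using the field names browsers commonly write (ZoneId, ReferrerUrl, HostUrl).
$path = Join-Path $env:TEMP 'motw-demo.bin'
Set-Content -Path $path -Value 'demo payload'
$fullMotw = @"
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.test/downloads/
HostUrl=https://cdn.example.test/files/motw-demo.bin
"@
Set-Content -Path $path -Stream 'Zone.Identifier' -Value $fullMotw

function Get-MotwFields {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the key=value pairs of the Zone.Identifier stream as an ordered
    # hashtable, or $null when the file carries no Mark-of-the-Web at all.
    $stream = Get-Item -Path $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $fields = [ordered]@{}
    foreach ($line in (Get-Content -Path $Path -Stream 'Zone.Identifier')) {
        # Skip the [ZoneTransfer] section header; keep every key=value line.
        if ($line -match '^\s*([^=\[\]]+?)\s*=\s*(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    return $fields
}

function Set-MotwZoneValueOnly {
    param([Parameter(Mandatory)][string]$Path)
    # Keep the security zone so SmartScreen and Office Protected View still apply,
    # but drop the URL and address fields, mirroring WinRAR's "Zone value only".
    $fields = Get-MotwFields -Path $Path
    if (-not $fields -or -not $fields.Contains('ZoneId')) { return $false }
    $minimal = "[ZoneTransfer]`r`nZoneId=$($fields['ZoneId'])"
    Set-Content -Path $Path -Stream 'Zone.Identifier' -Value $minimal
    return $true
}

'Before:'; Get-MotwFields -Path $path | Format-Table -AutoSize
Set-MotwZoneValueOnly -Path $path | Out-Null
'After:';  Get-MotwFields -Path $path | Format-Table -AutoSize
```

Note the difference from the built-in Unblock-File cmdlet: Unblock-File deletes the whole Zone.Identifier stream, so Windows no longer treats the file as downloaded at all, whereas the rewrite above (like WinRAR's default) keeps the zone and only removes the fields that identify the download source. Running `Get-Item -Path $path -Stream *` lists every alternate data stream on the file if you want to confirm nothing else was attached.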

For those who wish to enable complete propagation of MoTW data, you will need to go into the WinRAR settings > Security and uncheck “Zone value only.”

While this new setting may hamper digital forensics, since the URL and host details that investigators use to trace where a file came from are no longer carried through to extracted files, it is a welcome feature for those who want the strictest privacy.
