
Microsoft's Flawed Approach to App Updates Wreaks Havoc on Windows PCs

Do you have WinRAR installed? There’s a good chance your PC is vulnerable, and the root of the problem goes back to Windows 8.

By Chris Hoffman, Senior Writer, Software


WinRAR has a massive security hole that’s still being actively exploited, and it’s one of many Windows applications that do not auto-update. The developer boasts of more than 500 million WinRAR installations around the world, so it’s likely that hundreds of millions of PCs are vulnerable to malicious ZIP files today.

How is it that, in 2023, the world’s most popular desktop operating system doesn’t provide an easy way to update your installed applications?

Windows Update installs security patches, but that’s it. Many of the applications you download update themselves, but some don’t even bother checking for updates. PC users would be in a much better spot if Microsoft hadn’t wasted so much time with Windows 8 and then Windows 10 after it, trying to build a Store for a type of application few Windows users wanted. It was a lost decade for the Windows Store.


WinRAR Is Under Attack—and Doesn't Update Itself

The flaw in file-archiving program WinRAR means an attacker can execute whatever code they like on your PC if you download and open a specially crafted ZIP archive.

Attackers have been exploiting the bug since early 2023. WinRAR developer RARLAB released an update that fixed the flaw in August, but months later, we’re still talking about the bug because it’s still being exploited by organizations that include government-backed cybercrime groups “from a number of countries,” according to Google’s Threat Analysis Group.

Here’s the problem: WinRAR doesn’t automatically update itself. It doesn’t even check for updates and notify users that critical security updates are available. Many people have an old, out-of-date version of WinRAR and will never install this patch. They’ll only get a secure version of WinRAR when they get a new PC and download it again. Hopefully they never open a malicious ZIP file.


Why Doesn't WinRAR Update Itself?

So why the lack of auto-updates? I reached out to RARLAB and Eugene Roshall, the developer of WinRAR, told me that Windows provides no way to auto-update desktop apps downloaded from websites. “Every developer needs to reinvent the wheel, taking associated security and other technical issues into account.”

Roshall says that RARLAB has considered implementing update notifications, but corporate system administrators didn’t like the idea and would prefer a centralized approach to software updates rather than notifications popping up on their users’ computers.

He did say that RARLAB may consider adding this feature anyway, and that the company “works closely with companies like Avast, Kaspersky, and other update programs.”

The update situation on the average Windows PC is a mess, really. There’s a good chance you may have separate update services from Adobe, Google, your PC manufacturer, and a ton of other developers on your computer. Even if it works, that’s a pain for each developer and what seems like a lot of unnecessary background processes chewing up CPU and memory resources.

Personally, I’ve always preferred 7-Zip—but it doesn’t have a built-in update checker either!


The Windows 8 Mess That Started the Whole Thing

When I first heard Windows 8 would include an “app store” that PC users could install software from, I was excited.

As someone with experience with desktop Linux, one of my favorite things about it was package managers. On Linux, rather than downloading each application from the developer’s website, you get them from a package manager. When an update is released, your package manager finds and installs the update. It’s managed in a centralized way, and one application checks for and installs all the application updates.

The Windows Store, first announced at Microsoft Build 2011, could have delivered that kind of experience with Windows 8. But Microsoft decided the new Store was only for new “Metro apps” most PC users didn’t want. (It did allow developers to put up listings for traditional desktop apps and direct PC users to the web, however.)

Worse than that, the Windows 8 Store was a complete mess packed with scams at one point. You would search for something like “VLC” and find a bunch of low-quality results trying to get you to pay for an application that showed where to download VLC. I was far from the first person to highlight this problem, but I channeled the frustration of Windows users everywhere when in 2014 I highlighted the scams. Eventually, Microsoft reacted to widespread public pressure and pledged to clean up its Store in 2015.


Microsoft Wasted Time With Windows 10

Windows 10 fixed a lot of problems with Windows 8, but it was still a victim of Microsoft’s confused app strategy.

Even when Windows 10 was released, the store only allowed “Universal Windows Platform” applications. That never made a ton of sense. By then, Windows Phone was gone—so the universal platform was desktop PCs, Xbox, and HoloLens?

In both Windows 8 and Windows 10, PC users were trained to ignore the Store.


Windows 11 Is Too Little Too Late

The good news is that Windows 11 reversed things. Yes, nine years after the release of Windows 8, Microsoft finally decided that traditional Windows desktop applications should be allowed in the app store on its desktop PC operating system.

Now, developers can put traditional Windows desktop apps in the Windows Store, where PC users can install traditional Windows desktop apps. The Store could update those applications in a centralized way. But we’ve all been trained to ignore it.

Worse yet, I was just poking around the app store on an up-to-date Windows 11 PC and noticed that apps like VLC on the Store say they are “Provided and updated by” their developers. So you can install an app from the Store, but there’s a good chance that app still installs its own updates.

It’s a shame. It would be great to set up a new PC and have it automatically install all your apps. I'd also love a single place to update apps, just like you could on desktop Linux decades ago.


Power Users Do Have Other Options

If you’re a power user, you can turn to software updater utilities or package managers like winget and Chocolatey. But the average Windows PC user is still downloading programs from websites and installing them.
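For an app that never checks for updates, the installed version has to be checked from outside the app. The PowerShell below is an added example, not part of the original article: it reads the standard Uninstall registry keys, flags installed apps below a minimum version you supply, and then lists what winget can upgrade. The function name `Get-OutdatedApp` and the baseline value `99.0` are assumptions made for illustration.

```powershell
# Added example (not from the article). Flags installed desktop apps whose
# DisplayVersion is below a minimum you supply, then lists winget upgrades.
function Get-OutdatedApp {
    param(
        # Name fragment -> minimum acceptable version (take it from the vendor advisory).
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    # Per-machine (64-bit and 32-bit) and per-user uninstall entries.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $apps = Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion }

    foreach ($name in $Baseline.Keys) {
        $min = [version]$Baseline[$name]
        foreach ($app in $apps | Where-Object { $_.DisplayName -like "*$name*" }) {
            $installed = $null
            # Keep only the leading dotted-numeric part; some vendors append text.
            $numeric = $app.DisplayVersion -replace '^(\d+(\.\d+){1,3}).*$', '$1'
            if (-not [version]::TryParse($numeric, [ref]$installed)) {
                $status = 'unparsed'   # review by hand rather than assume it is current
            } elseif ($installed -lt $min) {
                $status = 'outdated'
            } else {
                $status = 'ok'
            }
            [pscustomobject]@{
                Name    = $app.DisplayName
                Version = $app.DisplayVersion
                Minimum = $min
                Status  = $status
            }
        }
    }
}

# 99.0 is a constructed sample value, not WinRAR's real fixed version.
Get-OutdatedApp -Baseline @{ 'WinRAR' = '99.0' } | Format-Table -AutoSize

# Packages winget knows about that have a newer version available:
winget upgrade
# winget upgrade --all    # apply every available upgrade
# choco outdated          # Chocolatey equivalent, if Chocolatey is installed
```

Apps installed by copying files, with no installer, do not appear under these registry keys, so an empty result is not proof that no old copy exists.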

Maybe the Store isn’t the best way to solve these issues on the Windows desktop. But if Microsoft had taken the Store seriously and tried to make it usable for the average PC user and the applications they actually use over the last decade, we’d be a lot closer to a solution.

At least Windows 11 just got built-in support for RAR, 7Z, and other archive formats, so we can uninstall applications like WinRAR and 7-Zip rather than worrying about updating them. That’s progress, I suppose.
