Security Risks Emerge with Windows 11’s New libarchive-Based Archive Format Support

In October 2023, Microsoft introduced native support for 11 additional archive formats in Windows 11 through the KB5031455 update.

This enhancement, which includes formats like RAR and 7z, allows users to manage these files directly in File Explorer without third-party tools.

However, the integration relies on the open-source libarchive library, so every parsing bug in that library becomes reachable from File Explorer on a default Windows 11 installation.

Libarchive, widely used on Linux, macOS, and the BSDs, has a reputation for robustness, but its integration into Windows has exposed critical flaws in the library’s format parsers.

Despite continuous fuzz testing by Google’s OSS-Fuzz project, researchers uncovered vulnerabilities that could lead to remote code execution (RCE), arbitrary file writes, and related attacks.

Critical Vulnerabilities Identified

Security researchers at DevCore have highlighted several key vulnerabilities tied to libarchive’s integration in Windows 11:

  • CVE-2024-26185: This flaw allows arbitrary file write and delete operations because filenames inside an archive were not filtered adequately during extraction. Exploitation requires user interaction, such as browsing into deeply nested archive structures, but the flaw shows how weak the filename safeguards were.
  • CVE-2024-26256: A severe RCE vulnerability caused by a heap buffer overflow in libarchive’s RAR decompression logic. An attacker who tricks a user into extracting a malicious RAR archive could potentially execute arbitrary code.
  • CVE-2024-38165: A bypass of Microsoft’s initial patch for CVE-2024-26185. By abusing how Windows handles absolute paths during extraction, an attacker could still create or manipulate temporary files outside their intended directories.
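
The filename filtering that CVE-2024-26185 and CVE-2024-38165 turn on is easy to get wrong, so here is an added example (not Microsoft’s, libarchive’s, or DevCore’s code) of what a hardened check looks like. It treats every entry name under both POSIX and Windows path rules, rejects absolute paths, drive letters and UNC prefixes as well as ".." components under either separator, and then confirms the resolved target still sits under the extraction directory. The ZIP is constructed in memory for the demonstration, and the destination `/tmp/extract` is an assumed path that is never actually written to.

```python
"""Hardened archive-entry path validation (added example, not the page's code)."""
from __future__ import annotations

import io
import os
import zipfile
from pathlib import PurePosixPath, PureWindowsPath


def entry_is_safe(name: str, dest: str) -> bool:
    """Return True only if archive entry `name` would land strictly inside `dest`.

    Rejects empty names and embedded NULs, absolute paths under either
    convention (including drive letters and UNC prefixes), any '..' component
    regardless of separator, and anything whose normalised target escapes dest.
    """
    if not name or "\x00" in name:
        return False
    # The attacker chooses the separator, not the extractor, so test both.
    win = PureWindowsPath(name)
    posix = PurePosixPath(name)
    if win.is_absolute() or win.drive or win.root or posix.is_absolute():
        return False
    parts = [p for p in name.replace("\\", "/").split("/") if p not in ("", ".")]
    if ".." in parts:
        return False
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, *parts))
    # Final containment check: the joined path must stay below dest itself.
    return os.path.commonpath([dest_abs, target]) == dest_abs and target != dest_abs


def triage_archive(data: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Classify every entry of an in-memory ZIP into (accepted, rejected) names."""
    accepted: list[str] = []
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            bucket = accepted if entry_is_safe(info.filename, dest) else rejected
            bucket.append(info.filename)
    return accepted, rejected


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign entry plus five escape attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign")
        zf.writestr("../escape.txt", "parent traversal")
        zf.writestr("docs/..\\..\\escape2.txt", "traversal with backslashes")
        zf.writestr("C:\\Windows\\Temp\\escape3.txt", "absolute Windows path")
        zf.writestr("/tmp/escape4.txt", "absolute POSIX path")
        zf.writestr("\\\\srv\\share\\escape5.txt", "UNC path")
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = triage_archive(build_sample_archive(), "/tmp/extract")
    print("accepted:", ok)
    print("rejected:", bad)
```

The check rejects absolute paths outright instead of trying to relocate them under the destination, which removes the class of mistake behind the CVE-2024-38165 bypass. It validates names only: tar link entries and a symlink created by an earlier entry that a later entry then writes through need separate handling, and the same validation applies to every format libarchive reads, not just ZIP.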

Additionally, researchers discovered that libarchive could misidentify file formats (e.g., treating a low-compression RAR file as a ZIP). Because libarchive picks a reader by letting each registered format bid on the input bytes rather than trusting the file extension, a crafted file can steer extraction into a parser the user never expected, further expanding the attack surface.

The library’s ability to chain multiple filters and formats in principle supports over 91 decillion combinations, but every reachable combination is additional parsing surface that a crafted file can exercise.

The “Half-Day” Vulnerability Problem

A major issue lies in the delay between Microsoft patching its copy of libarchive and the same fix landing in the upstream project.

When Microsoft fixes vulnerabilities in the forked version of libarchive used in Windows, those patches are not immediately merged into the main libarchive repository.

This delay creates what the researchers call a “Half-Day” scenario: a vulnerability already patched in Windows, and therefore discoverable by diffing the update, remains unaddressed for months in every other project that bundles libarchive.

For example:

  • Two RCE vulnerabilities (CVE-2024-20696 and CVE-2024-20697) were patched in January 2024 for Windows but not merged into libarchive until May 2024.
  • During that gap, attackers could target the unpatched upstream library in other software that bundles it, such as ClickHouse.

According to the DevCore Report, the integration of libarchive into Windows 11 has significantly expanded its attack surface.

While the added functionality improves user convenience, it comes at the cost of a larger attack surface reachable from a default install.

The gap between a proprietary fork and its upstream exacerbates these challenges whenever a system like Windows ships its own copy of a shared open-source library.

To mitigate these risks:

  1. Users must keep their systems updated with the latest patches.
  2. Developers who maintain a fork of libarchive should push security fixes upstream promptly so they propagate to every project using the shared library.
  3. Organizations should track libarchive advisories for every product that bundles the library, not only Windows, and treat a Windows fix as a signal that other deployments may still be exposed.

As Windows continues to enhance its features, balancing innovation with robust security practices remains critical to protecting users against evolving threats.
