It turns out that the RAR specification allows for the support of a virtual machine called “RarVM”. This allows you to actually embed custom filters into your RARs using a simple instruction set. Though WinRAR’s implementation of RarVM is considered to be buggy (read: “insecure”.. see Known Bugs), it seems as if the unpopularity of this feature is relatively limited to WinRAR (and any other proprietary implementations) and not necessarily the specification itself.
It’s a cool feature, in principle.
- Fun with Constrained Programming
In the light of recent information about RarVM, can we still trust RAR files?