WinRAR security bug may have put more than 500 million users at risk for over a decade

P

Polycount

Posts: 3,017   +590
Staff

WinRAR is easily one of the most downloaded pieces of software in history. If you ask Windows users on almost any corner of the internet if they've heard of the file compression utility, the answer will most likely be a resounding yes.

Unfortunately for all of those users, the software has contained a serious security bug for the better part of 19 years. The bug theoretically allows tech-savvy attackers to "execute malicious code" when a "booby-trapped" file is opened.

According to Check Point researchers, this bug is the result of a flaw that was nestled deep within WinRAR's UNACEV2.dll code library, which hasn't been actively used since 2005.

Put simply, the flaw allowed security researchers to drop a malicious file directly into Windows' startup folder while bypassing the need to run WinRAR with elevated privileges.

This means that, upon the next reboot, the file was able to run automatically, giving the researchers in question "full control" over a test victim's computer.

According to the researchers, this flaw could have put over 500 million users at risk over the years. Check Point says WinRAR decided to end support for the ACE archive format -- which paved the way for the flaw -- entirely last month, while simultaneously dropping the UNACEV2.dll file from the software.

So, in short, this issue is fixed, but only if you're running the latest test version of WinRAR: 5.70 beta 1.

It's important to note that simply visiting WinRAR's website and clicking the download button is not sufficient to resolve this issue; doing so will give you version 5.61. Instead, you'll need to visit this link to download the appropriate version.

Not sure if you're running the correct version? Simply boot up WinRAR, open the "Help" drop-down menu in the top right corner, and then select "About WinRAR" - the version information should be present there.

Image courtesy Check Point

Permalink to story.

https://www.techspot.com/news/78852-winrar-security-bug-may-have-put-more-than.html

 
Come on, if you're talking about old software, everything made decades ago surely will have flaws by today's standards... with current tools people can exploit any software released 20 years ago....
 
  • Like
Reactions: Capaill and onestepforward
amghwk said:
Come on, if you're talking about old software, everything made decades ago surely will have flaws by today's standards... with current tools people can exploit any software released 20 years ago....
Click to expand...

Well, it's not because it's old though. But rather because virtually all software has flaws that can be exploited in them, if one tries hard enough to find them. And I assume that the more complicated/bigger the code (modern software) the more possibility.
 
Sergey Novikov said:
I don't use WinRar anymore, because the king is already dead, and we have a new one - 7Zip
Click to expand...
Yeah, I've ceased using winrar, probably around the turn of the decade and now use 7zip. Before winrar, I used WinZip in the late 90s. Before WinZip, I used a command line program called pkunzip in the dos/Windows 3.1 days.
 
  • Like
Reactions: Indigo5
Thrackerzod said:
So it only affected .ace files? I don't think I've seen or downloaded an ace file in 20 years.
Click to expand...
I'm not sure if the .ace file needs to have the .ace extension though. You may be able to rename a .ace file to .zip and have the same issue.

Easy to try with other formats if you can't create an .ace file. Just create a .zip, rename to .rar and then try open it.
 
Darth Shiv said:
I'm not sure if the .ace file needs to have the .ace extension though. You may be able to rename a .ace file to .zip and have the same issue.

Easy to try with other formats if you can't create an .ace file. Just create a .zip, rename to .rar and then try open it.
Click to expand...
Or, I'm guessing, make it a self-extracting file and people will just assume it's a self-extracting zip file.
 
It's important to note that simply visiting WinRAR's website and clicking the download button is not sufficient to resolve this issue; doing so will give you version 5.61.
Click to expand...
not really true. if you visit the download site, you have the option of downloading stable localized builds or download the latest beta build.
 
Dot ACE files have the same compression as RAR, ZIP but add the Self-Extracting feature. That means instead of just import/export, code gets execute and that's the vector being exploited.
 
  • Like
Reactions: Darth Shiv
SpatulaCity said:
Yeah, I've ceased using winrar, probably around the turn of the decade and now use 7zip. Before winrar, I used WinZip in the late 90s. Before WinZip, I used a command line program called pkunzip in the dos/Windows 3.1 days.
Click to expand...
pkunzip...Now that's the program I haven't heard in a while. Brings back all the memories of the time of DOS/Windows 3.1.
 
Unless I'm mistaken the link it explicitly tells you to click is incorrect? It takes you to the 5.61 version. The other link seems to correctly offer the beta version.
 
"Simply boot up WinRAR, open the "Help" drop-down menu in the top right corner, and then select "About WinRAR" - the version information should be present there."

Or, just stop using WinRAR altogether and use one of the various other file compression apps, like the uber popular 7Zip.
 
  • Like
Reactions: Indigo5 and J spot
jonny888 said:
Unless I'm mistaken the link it explicitly tells you to click is incorrect? It takes you to the 5.61 version. The other link seems to correctly offer the beta version.
Click to expand...
Apologies. I believe one of our editors switched the download link to a stable one here on TechSpot, which is the incorrect version. I'm updating the article with the correct link.

It's now 5.70 Beta 2, but it should include the same fix.
 
  • Like
Reactions: Charles Olson
I'm not worried about it. I'll wait for official version. It will be here quick. For those who say the king is dead, the king is not dead, long live the king. Will continue to use Elvis forever, much better interface than the so called king killer 7zip. 7zip is "uber" cause it's free and people who are cheap skates are "uber". I will continue to eat banana-peanut butter-bacon sandwiches and use Winrar while listening to Don't Be Cruel. Winrar rules!
 
This might be the last nail in the coffin lid of WinRAR for Windows. Why? Here are the points:
(1) Since the flaw has been uncovered, it may become in use. You can't be sure in every file you decompress (not even run) on your PC. So you need to remove old WinRAR app.
(2) You need to decide very quickly, should you continue to trust in WinRAR, which is nagware, or look for some alternative. And here you meet well-known 7-zip, which is free of charge and open source.
 
After the advent of 7zip, I don't think there's a reason to use a paid dearchiving/archiving tool. (Other than for nostalgic or familiarity reasons maybe.)

7zip does everything and supports more formats than any other dearchiver, and it's simple and free.
 
  • Like
Reactions: Darth Shiv and Indigo5
You must log in or register to reply here.

Similar threads

Shawn Knight
A decade of Interstellar: Epic space odyssey returns to theaters this September
Replies
5
Views
120
NumberNine
NumberNine
A
Mapping the cosmos: 3.2 gigapixel camera to scan southern sky for a decade
Replies
3
Views
150
rwmcclarin
R
Daniel Sims
Fallout TV series season 1 is now streaming, Fallout 4's next-gen upgrade introduces new content on April 25
Replies
14
Views
287
trgz
trgz

Latest posts

Back