
"100 unique exploits and counting": Hackers begin exploiting WinRAR critical vulnerability

By onetheycallEric · 11 replies
Mar 16, 2019
  1. Download shortcut: WinRAR 5.70

    Back in February, cybersecurity firm Check Point disclosed a vulnerability that has existed in WinRAR for some 19 years. The attack vector stems from WinRAR's support for the outdated ACE archive format: an attacker can give an ACE file a .rar extension and use it as a booby trap that drops malicious code into a machine's startup folder, where it executes after the next reboot.

    Rarlab issued a patch and statement, but those who are not using the most recent version are still at risk.

    Now, hackers are leveraging the exploit to reach vulnerable systems before users update. McAfee revealed they've identified "over 100 unique exploits and counting." One particular implementation targets Ariana Grande fans looking to bootleg the artist's popular album "Thank U, Next" by using a file named “Ariana_Grande-thank_u,_next(2019)_[320].rar” that is booby trapped with malicious code.

    Other campaigns have been used to spread malware through the WinRAR exploit as well, as 360 Threat Intelligence Center has been documenting via Twitter.

    WinRAR has an estimated 500 million users, most of whom probably don't know about this vulnerability, and that creates a desirable attack surface. This attack is bound to gain more traction in the future, so please share this with friends and family if you know they have WinRAR installed, and grab the most recent version of the software.
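    As an added example (not code from the article, Check Point, McAfee or RARLAB), here is a small triage script that classifies archive files by their signature bytes instead of their extension, flagging an ACE archive that has been renamed to .rar as described above. The RAR and ACE signature values are the public format magic bytes; the sample headers and file names are constructed inline and are not real files.

```python
import os

# Public format signatures: RAR4/RAR5 at offset 0, ACE at offset 7 of its main header.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ACE_MAGIC = b"**ACE**"
ACE_MAGIC_OFFSET = 7
HEADER_BYTES = 32  # enough to cover every signature above


def archive_format(header: bytes) -> str:
    """Classify the leading bytes of a file by signature, ignoring its extension."""
    if header.startswith(RAR5_MAGIC):
        return "rar5"
    if header.startswith(RAR4_MAGIC):
        return "rar4"
    if header[ACE_MAGIC_OFFSET:ACE_MAGIC_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC:
        return "ace"
    return "unknown"


def is_masquerading_ace(filename: str, header: bytes) -> bool:
    """True when a file carrying a .rar extension is really an ACE archive."""
    ext = os.path.splitext(filename)[1].lower()
    return ext == ".rar" and archive_format(header) == "ace"


def scan_file(path: str) -> bool:
    """Read only the header of a file on disk and apply the same check."""
    with open(path, "rb") as fh:
        return is_masquerading_ace(path, fh.read(HEADER_BYTES))


def triage(samples):
    """Return (name, detected format, flagged) for each (name, header) pair."""
    return [(name, archive_format(hdr), is_masquerading_ace(name, hdr)) for name, hdr in samples]


# Constructed sample headers (no real archives): two RAR files, an ACE file
# renamed to .rar, and an ACE file with its honest extension.
ACE_HEADER = b"\x00" * ACE_MAGIC_OFFSET + ACE_MAGIC + b"\x00" * 16
CONSTRUCTED_SAMPLES = [
    ("holiday_photos.rar", RAR5_MAGIC + b"\x00" * 24),
    ("old_backup.rar", RAR4_MAGIC + b"\x00" * 24),
    ("Ariana_Grande-thank_u,_next(2019)_[320].rar", ACE_HEADER),
    ("legacy.ace", ACE_HEADER),
]

if __name__ == "__main__":
    for name, fmt, flagged in triage(CONSTRUCTED_SAMPLES):
        print(f"{name}: {fmt}{'  <-- ACE data behind a .rar extension' if flagged else ''}")
```

Only the third sample is flagged: a .rar name over ACE data is exactly the mismatch that a mail gateway or download scanner can reject before WinRAR ever opens it.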

  2. BSim500

    BSim500 TS Evangelist Posts: 601   +1,206

    Yet for all the lame over-hate, WinRAR still has the best security for non-technically competent individuals (Options -> Settings -> Security -> tick "File types to exclude from extracting" = .exe, .com, .bat, etc). If you're the family geek who's the first person everyone calls every time their computer starts to go wonky after they just opened a "pdf" inside an e-mail attachment zip file called "Free money.pdf.exe", then you'll already know that WinRAR is still waiting for 7zip and every other archive manager that lacks this feature to catch up in terms of preventing 99% of real world infections... (7-zip still doesn't even have a security tab, let alone this feature).
     
    AmigaInside likes this.
  3. Evernessince

    Evernessince TS Evangelist Posts: 3,822   +3,218

    Given that most Anti-Virus programs can be set to scan archives if not done so automatically, it's not that uncommon of a thing. I personally see no reason why the compression software should be responsible for preventing viruses, that's the job of the AV. If you really are downloading that many dubious files a quality anti-virus would do you far more good than trying to prevent a single attack vector. And honestly blocking .exe files from being extracted sounds like it could cause other problems as many legitimate programs come in archives. What does the person do if you didn't tell them about the "security" measure you took and/or they don't know how to disable it to install software stored in an archive?

    Heck, even Windows Defender scans in archives and there is an option in the right click menu to scan the selected file. How hard is it to tell people to scan downloaded files before opening? You know the old saying "Give a man a fish, feed him for a day. Teach a man to fish, feed him for a lifetime." This is basic stuff that takes 3 seconds to show people.
     
    bobc4012 and nismo91 like this.
  4. BSim500

    BSim500 TS Evangelist Posts: 601   +1,206

    Because effective security is all about layers, not just relying on one barrier. If you can prevent people from running .exe's in the first place, that's a lot more effective than hoping they've got anti-virus installed, and real-time scanning enabled, and it's not a new virus otherwise the anti-virus won't catch it. And I didn't say "downloading", I'm talking about spam e-mail attachments that appear in say Outlook / Thunderbird which AV don't always catch (because they've learned to change / add just 1 byte for each different batch which throws the CRC signatures out), for which the user wasn't expecting or initiated at all and for which double-extensions regularly confuse them. Hard blocking all .exe's received via e-mail in zip attachments may block some genuine use cases, but 1. For complete newbies I'd always e-mail them the link to the proper official site than e-mail them zipped .exe's, and 2. Worst case, I'd rather spend 5 minutes talking them through how to disable it in WinRAR than a whole day reinstalling Windows and hoping it wasn't a ransomware thing that encrypted their data just because AV's aren't quite as infallible as people would like to believe.
     
  5. lexster

    lexster TS Booster Posts: 131   +75

    Avoiding this is simple, use 7Zip. Problem solved.
     
    wizardB and nismo91 like this.
  6. fktech

    fktech TS Maniac Posts: 512   +128

    How soon before 5.7 is hacked?
     
  7. fluffydestroyer

    fluffydestroyer TS Enthusiast Posts: 35   +17

    I'm surprised that WinRAR still isn't using an auto update on their software; that way they could avoid this fiasco. All it takes is a bit of an effort in coding and knowledge. But in their defence, they aren't the only lazy developers around. Sorry but I'm not going to be nice when it comes to lazy devs. This is very important in my opinion and if they had done the auto update coding first like some software does they could have avoided the situation a day later (or whatever the update triggers).
     
  8. AmigaInside

    AmigaInside TS Rookie

    Technically, this is not a WinRAR vulnerability. As explained, the problem lies in a 3rd-party library: the UnACEv2.dll file. WinRAR itself is just fine and the title "WinRAR critical vulnerability" is quite wrong.

    Could we blame WinRAR for supporting such an old format? Perhaps, but I wouldn't. Note that the offending file is also used by and contained in several other programs (usually old), and not just WinRAR. So search for it whether you use WinRAR or not.
     
  9. bluetooth fairy

    bluetooth fairy TS Booster Posts: 71   +53

    I thought exactly the same way, and seem to agree with both of your points.

    But I was curious to find out why the heck WinRAR has security options. It appears that WinRAR is not just compression software, it's a file and archive manager. Nowadays it may sound a bit odd, but there's Total Commander, for example. TC is a more comprehensive manager though.

    For those who don't have or don't want to install an online AV scanner, WinRAR provides command line options to run AV for an on-the-fly check after archive unpacking.

    The 2nd point is about the security vs usability topic. For me, blocking .exe files from being extracted not only sounds weird, it is absolutely unusable. This case is uncommon, I guess, but it may have supporters. Some of them, if this feature is unique to WinRAR, could even pay for that.
     
  10. Arbie

    Arbie TS Enthusiast Posts: 28   +21

    What the journos never point out is that you can simply delete UnACEv2.dll.

    Instead the advice is to upgrade to the latest WinRAR, along with moans about how few people will do that - which is true.

    Tell people the most important thing, please. Then go off on how bad the situation is etc etc.
     
  11. erickmendes

    erickmendes TS Evangelist Posts: 562   +246

    7-zip for the way.
     
    lexster likes this.
  12. lexster

    lexster TS Booster Posts: 131   +75

    You mean for the "Win" right? LOL!
     