WinRAR security bug may have put more than 500 million users at risk for over a decade

By Polycount · 21 replies
Feb 20, 2019
  1. WinRAR is easily one of the most downloaded pieces of software in history. If you ask Windows users on almost any corner of the internet if they've heard of the file compression utility, the answer will most likely be a resounding yes.

    Unfortunately for all of those users, the software has contained a serious security bug for the better part of 19 years. The bug theoretically allows tech-savvy attackers to "execute malicious code" when a "booby-trapped" file is opened.

    According to Check Point researchers, this bug is the result of a flaw that was nestled deep within WinRAR's UNACEV2.dll code library, which hasn't been actively used since 2005.

    Put simply, the flaw allowed security researchers to drop a malicious file directly into Windows' startup folder while bypassing the need to run WinRAR with elevated privileges.

    This means that, upon the next reboot, the file was able to run automatically, giving the researchers in question "full control" over a test victim's computer.

    According to the researchers, this flaw could have put over 500 million users at risk over the years. Check Point says WinRAR decided to end support for the ACE archive format -- which paved the way for the flaw -- entirely last month, while simultaneously dropping the UNACEV2.dll file from the software.

    So, in short, this issue is fixed, but only if you're running the latest test version of WinRAR: 5.70 beta 1.

    It's important to note that simply visiting WinRAR's website and clicking the download button is not sufficient to resolve this issue; doing so will give you version 5.61. Instead, you'll need to visit this link to download the appropriate version.

    Not sure if you're running the correct version? Simply boot up WinRAR, open the "Help" drop-down menu in the top right corner, and then select "About WinRAR" - the version information should be present there.

    Image courtesy Check Point


  2. Thrackerzod

    Thrackerzod TS Booster Posts: 58   +43

    So it only affected .ace files? I don't think I've seen or downloaded an ace file in 20 years.
    Raytrace3D, Plutoisaplanet and trgz like this.
  3. Zorak

    Zorak TS Rookie Posts: 17   +6

    Oh no, we probably died already.
  4. kevbev89

    kevbev89 TS Addict Posts: 151   +136

    ..What even is an .ace file??
  5. amghwk

    amghwk TS Guru Posts: 489   +302

    Come on, if you're talking about old software, everything made decades ago surely will have flaws by today's standards... with current tools people can exploit any software released 20 years ago....
    Capaill and onestepforward like this.
  6. Sergey Novikov

    Sergey Novikov TS Member

    I don't use WinRar anymore, because the king is already dead, and we have a new one - 7Zip
  7. Thrackerzod

    Thrackerzod TS Booster Posts: 58   +43

    A really old compression format that hasn't been used since dinosaurs roamed the Earth.
  8. Coolestchad

    Coolestchad TS Rookie

    Even older than .zip files?
  9. J spot

    J spot TS Maniac Posts: 219   +139

    Well, it's not because it's old though. But rather because virtually all software has flaws that can be exploited in them, if one tries hard enough to find them. And I assume that the more complicated/bigger the code (modern software) the more possibility.
  10. SpatulaCity

    SpatulaCity TS Rookie

    Yeah, I've ceased using WinRAR, probably around the turn of the decade and now use 7zip. Before WinRAR, I used WinZip in the late 90s. Before WinZip, I used a command line program called pkunzip in the DOS/Windows 3.1 days.
    Indigo5 likes this.
  11. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,952   +575

    I'm not sure if the .ace file needs to have the .ace extension though. You may be able to rename a .ace file to .zip and have the same issue.

    Easy to try with other formats if you can't create an .ace file. Just create a .zip, rename to .rar and then try open it.
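
Added example, not part of the thread or of WinRAR's own code: a defender-side sweep covering the renamed-file case raised in the post above and the article's note that the fix removes UNACEV2.dll. It flags files that carry the ACE header signature (`**ACE**` at byte offset 7) whatever their extension, and lists leftover copies of the DLL; the sample tree and file names are constructed for the demo.

```python
import os
import tempfile

ACE_MAGIC = b"**ACE**"   # signature field of the ACE main header
ACE_MAGIC_OFFSET = 7     # follows CRC16 (2), size (2), type (1), flags (2)


def is_ace(path):
    """True if the file carries the ACE signature, whatever its extension."""
    with open(path, "rb") as fh:
        head = fh.read(ACE_MAGIC_OFFSET + len(ACE_MAGIC))
    return head[ACE_MAGIC_OFFSET:] == ACE_MAGIC


def audit(root):
    """Walk root; return (ace_files, unacev2_copies) as sorted path lists."""
    ace_files, dll_copies = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == "unacev2.dll":
                dll_copies.append(full)
                continue
            try:
                if is_ace(full):
                    ace_files.append(full)
            except OSError:
                pass  # unreadable file: skip rather than abort the sweep
    return ace_files, dll_copies


def demo():
    """Build a constructed sample tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "invoice.rar": b"\x00" * 7 + ACE_MAGIC + b"\x00" * 16,  # ACE header, .rar name
            "real.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 16,          # RAR4 signature
            "notes.txt": b"plain text",
            "UNACEV2.DLL": b"MZ placeholder",                        # stand-in, not a real DLL
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        ace, dlls = audit(root)
        return [os.path.basename(p) for p in ace], [os.path.basename(p) for p in dlls]


if __name__ == "__main__":
    print(demo())
```

The offset-7 check only matches a plain ACE archive; a self-extracting one has an executable stub in front of the header and needs a deeper scan.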
  12. Capaill

    Capaill TS Evangelist Posts: 826   +437

    Or, I'm guessing, make it a self-extracting file and people will just assume it's a self-extracting zip file.
  13. misor

    misor TS Evangelist Posts: 1,393   +296

    Not really true. If you visit the download site, you have the option of downloading stable localized builds or download the latest beta build.
  14. jobeard

    jobeard TS Ambassador Posts: 12,742   +1,489

    Dot ACE files have the same compression as RAR, ZIP but add the Self-Extracting feature. That means instead of just import/export, code gets executed and that's the vector being exploited.
    Darth Shiv likes this.
  15. Indigo5

    Indigo5 TS Member

    pkunzip...Now that's the program I haven't heard in a while. Brings back all the memories of the time of DOS/Windows 3.1.
  16. jonny888

    jonny888 TS Booster Posts: 58   +61

    Unless I'm mistaken the link it explicitly tells you to click is incorrect? It takes you to the 5.61 version. The other link seems to correctly offer the beta version.
  17. beachboui

    beachboui TS Rookie

    "Simply boot up WinRAR, open the "Help" drop-down menu in the top right corner, and then select "About WinRAR" - the version information should be present there."

    Or, just stop using WinRAR altogether and use one of the various other file compression apps, like the uber popular 7Zip.
    Indigo5 and J spot like this.
  18. Polycount

    Polycount TS Evangelist Topic Starter Posts: 1,625   +369

    Apologies. I believe one of our editors switched the download link to a stable one here on TechSpot, which is the incorrect version. I'm updating the article with the correct link.

    It's now 5.70 Beta 2, but it should include the same fix.
    Charles Olson likes this.
  19. Mike89

    Mike89 TS Booster Posts: 67   +28

    I'm not worried about it. I'll wait for the official version. It will be here quick. For those who say the king is dead, the king is not dead, long live the king. Will continue to use Elvis forever, much better interface than the so-called king killer 7zip. 7zip is "uber" cause it's free and people who are cheapskates are "uber". I will continue to eat banana-peanut butter-bacon sandwiches and use Winrar while listening to Don't Be Cruel. Winrar rules!
  20. bluetooth fairy

    bluetooth fairy TS Booster Posts: 70   +52

    This might be the last nail in the coffin lid of WinRAR for Windows. Why? Here are the points:
    (1) Since the flaw has been uncovered, it may become in use. You can't be sure in every file you decompress (not even run) on your PC. So you need to remove old WinRAR app.
    (2) You need to decide very quickly, should you continue to trust in WinRAR, which is nagware, or look for some alternative. And here you meet well-known 7-zip, which is free of charge and open source.
  21. amghwk

    amghwk TS Guru Posts: 489   +302

    After the advent of 7zip, I don't think there's a reason to use a paid dearchiving/archiving tool. (Other than for nostalgic or familiarity reasons maybe.)

    7zip does everything and supports more formats than any other dearchiver, and it's simple and free.
    Darth Shiv and Indigo5 like this.
  22. hk2000

    hk2000 TS Enthusiast Posts: 55   +18

    Never used it! Yes I've heard of it, doesn't mean I used it.

