WinRAR security bug may have put more than 500 million users at risk for over a decade

Polycount

TS Evangelist
Staff member

WinRAR is easily one of the most downloaded pieces of software in history. If you ask Windows users on almost any corner of the internet if they've heard of the file compression utility, the answer will most likely be a resounding yes.

Unfortunately for all of those users, the software has contained a serious security bug for the better part of 19 years. The bug theoretically allows tech-savvy attackers to "execute malicious code" when a "booby-trapped" file is opened.

According to Check Point researchers, this bug is the result of a flaw that was nestled deep within WinRAR's UNACEV2.dll code library, which hasn't been actively used since 2005.

Put simply, the flaw allowed security researchers to drop a malicious file directly into Windows' startup folder while bypassing the need to run WinRAR with elevated privileges.

This means that, upon the next reboot, the file was able to run automatically, giving the researchers in question "full control" over a test victim's computer.

According to the researchers, this flaw could have put over 500 million users at risk over the years. Check Point says WinRAR decided to end support for the ACE archive format -- which paved the way for the flaw -- entirely last month, while simultaneously dropping the UNACEV2.dll file from the software.

So, in short, this issue is fixed, but only if you're running the latest test version of WinRAR: 5.70 beta 1.

It's important to note that simply visiting WinRAR's website and clicking the download button is not sufficient to resolve this issue; doing so will give you version 5.61. Instead, you'll need to visit this link to download the appropriate version.

Not sure if you're running the correct version? Simply boot up WinRAR, open the "Help" drop-down menu in the top right corner, and then select "About WinRAR" - the version information should be present there.

Image courtesy Check Point

Permalink to story.

 

amghwk

TS Guru
Come on, if you're talking about old software, everything made decades ago surely will have flaws by today's standards... with current tools people can exploit any software released 20 years ago....
 

J spot

TS Maniac
Come on, if you're talking about old software, everything made decades ago surely will have flaws by today's standards... with current tools people can exploit any software released 20 years ago....
Well, it's not because it's old though. But rather because virtually all software has flaws that can be exploited in them, if one tries hard enough to find them. And I assume that the more complicated/bigger the code (modern software) the more possibility.
 

SpatulaCity

TS Rookie
I don't use WinRar anymore, because the king is already dead, and we have a new one - 7Zip
Yeah, I've ceased using winrar, probably around the turn of the decade and now use 7zip. Before winrar, I used WinZip in the late 90s. Before WinZip, I used a command line program called pkunzip in the dos/Windows 3.1 days.
 
  • Like
Reactions: Indigo5

Darth Shiv

TS Evangelist
So it only affected .ace files? I don't think I've seen or downloaded an ace file in 20 years.
I'm not sure if the .ace file needs to have the .ace extension though. You may be able to rename a .ace file to .zip and have the same issue.

Easy to try with other formats if you can't create an .ace file. Just create a .zip, rename to .rar and then try open it.
 

Capaill

TS Evangelist
I'm not sure if the .ace file needs to have the .ace extension though. You may be able to rename a .ace file to .zip and have the same issue.

Easy to try with other formats if you can't create an .ace file. Just create a .zip, rename to .rar and then try open it.
Or, I'm guessing, make it a self-extracting file and people will just assume it's a self-extracting zip file.
 

misor

TS Evangelist
It's important to note that simply visiting WinRAR's website and clicking the download button is not sufficient to resolve this issue; doing so will give you version 5.61.
not really true. if you visit the download site, you have the option of downloading stable localized builds or download the latest beta build.
 

jobeard

TS Ambassador
Dot ACE files have the same compression as RAR, ZIP but add the Self-Extracting feature. That means instead of just import/export, code gets execute and that's the vector being exploited.
 
  • Like
Reactions: Darth Shiv

Indigo5

TS Member
Yeah, I've ceased using winrar, probably around the turn of the decade and now use 7zip. Before winrar, I used WinZip in the late 90s. Before WinZip, I used a command line program called pkunzip in the dos/Windows 3.1 days.
pkunzip...Now that's the program I haven't heard in a while. Brings back all the memories of the time of DOS/Windows 3.1.
 

jonny888

TS Booster
Unless I'm mistaken the link it explicitly tells you to click is incorrect? It takes you to the 5.61 version. The other link seems to correctly offer the beta version.
 

beachboui

TS Rookie
"Simply boot up WinRAR, open the "Help" drop-down menu in the top right corner, and then select "About WinRAR" - the version information should be present there."

Or, just stop using WinRAR altogether and use one of the various other file compression apps, like the uber popular 7Zip.
 
  • Like
Reactions: Indigo5 and J spot

Polycount

TS Evangelist
Staff member
Unless I'm mistaken the link it explicitly tells you to click is incorrect? It takes you to the 5.61 version. The other link seems to correctly offer the beta version.
Apologies. I believe one of our editors switched the download link to a stable one here on TechSpot, which is the incorrect version. I'm updating the article with the correct link.

It's now 5.70 Beta 2, but it should include the same fix.
 
  • Like
Reactions: Charles Olson

Mike89

TS Booster
I'm not worried about it. I'll wait for official version. It will be here quick. For those who say the king is dead, the king is not dead, long live the king. Will continue to use Elvis forever, much better interface than the so called king killer 7zip. 7zip is "uber" cause it's free and people who are cheap skates are "uber". I will continue to eat banana-peanut butter-bacon sandwiches and use Winrar while listening to Don't Be Cruel. Winrar rules!
 

bluetooth fairy

TS Booster
This might be the last nail in the coffin lid of WinRAR for Windows. Why? Here are the points:
(1) Since the flaw has been uncovered, it may become in use. You can't be sure in every file you decompress (not even run) on your PC. So you need to remove old WinRAR app.
(2) You need to decide very quickly, should you continue to trust in WinRAR, which is nagware, or look for some alternative. And here you meet well-known 7-zip, which is free of charge and open source.
 

amghwk

TS Guru
After the advent of 7zip, I don't think there's a reason to use a paid dearchiving/archiving tool. (Other than for nostalgic or familiarity reasons maybe.)

7zip does everything and supports more formats than any other dearchiver, and it's simple and free.