For nearly 20 years, a severe flaw has been hidden in the popular compression tool WinRAR. The vulnerability allows attackers to extract malicious software to anywhere on a hard drive and ultimately take complete control of the machine with little effort. Read this post to learn about the 19-year-old WinRAR bug.

WinRAR Vulnerability Has Existed for 19 Years

WinRAR is a very popular piece of compression software that can be used to create and extract archives on the Windows platform. Part of the reason for its popularity is that it can decompress many archive formats, including RAR, ZIP, 7z, ACE and more. Another reason is that its trial version never expires.

Recently, however, researchers at Check Point Research found a severe security bug in WinRAR. By exploiting the flaw, attackers can place malicious programs in a PC's startup folder. Reportedly, the security bug has been hidden in WinRAR for 19 years.


How WinRAR Bug Works

According to the researchers, during their investigation they discovered an issue with an old, outdated dynamic link library (DLL) file that was compiled in 2006 without a protective mechanism. After further analysis, they found a logical bug named Absolute Path Traversal. This allows attackers to use the vulnerability to execute code remotely.

Using a fuzzer, the researchers found four security flaws: CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, and CVE-2018-20253. The first three vulnerabilities are related to the ACE compression format, and the last one is related to an out-of-bounds write vulnerability.

The researchers found that WinRAR uses a .dll file named unacev2.dll to parse ACE archives. They were able to develop an exploit for the flaw, and the exploit allows them to run arbitrary code on a victim's PC.

Because WinRAR identifies an archive's format from the file's content rather than from its extension, an .ace file can be renamed with a .rar extension and WinRAR will still process it as an ACE archive. This allows attackers to manipulate WinRAR into extracting a malicious program to the Windows startup folder. The next time the system starts, the malicious program runs automatically and the attackers could gain complete control over the computer.

“We can gain code execution, by extracting a compressed executable file from the ACE archive to one of the Startup Folders. Any files that reside in the Startup folders will be executed at boot time” (Check Point)
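The following is an added example, not code from WinRAR or Check Point: a check that an extraction routine can apply to every archive entry name so that an absolute or traversing path cannot place a file outside the folder the user chose. The destination C:\extract, the function names and the sample entry names are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

DEST = r"C:\extract"  # assumed extraction folder (hypothetical)

def check_entry(name, dest=DEST):
    """Return None if the entry stays inside dest, else the reason it is rejected."""
    norm = name.replace("/", "\\")
    if not norm.strip():
        return "empty name"
    drive, rest = ntpath.splitdrive(norm)
    if drive:                      # "C:\...", "C:file" or "\\server\share\..."
        return "drive or UNC prefix"
    if rest.startswith("\\"):      # "\Windows\..." is rooted on the current drive
        return "rooted path"
    # Decide on the resolved target, not on the raw string: ".." segments
    # are collapsed first, then the result must still sit under dest.
    base = ntpath.normcase(ntpath.normpath(dest))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(dest, norm)))
    if not target.startswith(base + "\\"):
        return "escapes destination"
    return None

def audit(names, dest=DEST):
    """Map each rejected entry name to the reason; safe names are omitted."""
    return {n: r for n in names if (r := check_entry(n, dest))}

# Constructed entry names, as an archive listing might contain them.
SAMPLE = [
    r"docs\readme.txt",
    "docs/img/../logo.png",
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows"
    r"\Start Menu\Programs\Startup\update.exe",
    r"\\fileserver\share\update.exe",
    r"\Windows\Temp\update.exe",
    r"..\..\update.exe",
    r"..\extract2\update.exe",
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE).items():
        print(f"REJECT {reason:22} {name}")
```

Rejected entries should be skipped and logged rather than rewritten into a "safe" form, since the decision is made on the resolved target path.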

How to Fix 19-Year WinRAR Bug

What should be done about a WinRAR vulnerability that has existed for 19 years?

In response to Check Point Research, WinRAR has fixed this flaw with a fresh software update. The bug has been patched in the latest version, 5.70 beta 1. The company also released the second beta of version 5.70 on Thursday.

WinRAR used a third-party tool to extract ACE archives, but it had not been updated since 2005 and WinRAR cannot get the source code. Because of this, WinRAR decided to drop support for the ACE archive format completely.

Final Words

Reportedly, it is quite alarming that WinRAR has been used for almost 20 years by about 500 million users, yet there have been no reports of attackers using this bug over the years.

If you still use WinRAR, make sure you install the latest version so that you are protected against this WinRAR bug.

Tip: Want to protect your PC from data loss after a virus attack? Use the professional backup software for Windows 10/8/7, MiniTool ShadowMaker, to back up files immediately.