500 million WinRAR users open to compromise via a 19-year-old flaw

A vulnerability affecting all versions of WinRAR, the popular file archiver utility for Windows, could be exploited by attackers to deliver malware via specially crafted ACE archives.

About the flaw

The vulnerability was unearthed by Check Point researchers and the effectiveness of a PoC exploit has been demonstrated in this video:

They created a malicious ACE archive disguised as a RAR file that, when decompressed by WinRAR, extracts a malicious executable to one of the system’s Startup Folders, meaning that the malware will be executed every time the system is (re)booted.

The source of the path traversal bug is the third-party UNACEV2.DLL library, which is included in all WinRAR versions and is used for unpacking ACE archives. (For extensive technical details about the bug and Check Point’s discovery process check out their blog post.)

The bug has been fixed

The creators of the WinRAR utility were notified of the vulnerability and have decided to fix it by dropping ACE archive format support altogether.

“UNACEV2.DLL had not been updated since 2005 and we do not have access to its source code,” they explained their reasoning.

The change was made in WinRAR 5.70 Beta 1 and will be included into the next stable release.

Users of the software – over 500 million of them worldwide – are urged to upgrade to one of the fixed versions as soon as possible.

Such a large, vulnerable user base and the publication of the flaw’s details and the PoC exploit are likely to spur hackers to come up with a working exploit very soon.

Zero-day exploits for code execution flaws in WinRAR and other widely used file archivers (7-Zip, tar) can also fetch quite a high price from exploit brokers, who then sell them on to vetted intelligence and law enforcement agencies to be used in targeted attacks.