Just about everybody who’s owned a computer in the last few decades has used WinRAR, the ultra-popular file compression and extraction software. More than 500 million users worldwide use WinRAR for archival. Almost none of those people have paid the $29 it costs to use the software after its trial period has ended. Because I hate nag screens and don’t like pirating software, I switched to free alternatives years ago, but if you’re still running any version of WinRAR, it’s best to update it immediately to the latest version, WinRAR version 5.70 beta 1.
There appears to be a remote code execution vulnerability in WinRAR that has existed for the last 19 years. According to the researchers at Check Point Security, an attacker could easily gain full control over a computer just by having the victim extract a dodgy archive.
It’s all because of a third-party library called UNACEV2.DLL, which WinRAR uses to extract archives in the ACE compression format. The library performs no security checks on the paths stored in an archive, which is what allows code to be executed on extraction. Because WinRAR identifies an archive by its contents and not by its extension, a dodgy ACE file can be renamed to a RAR one, and it can be tampered with so that extraction shows no message boxes requiring user interaction. The result is a path traversal vulnerability: the exploit can write files to an arbitrary path, including the Windows Startup folder, where anything placed is run at the next login.
Here’s a proof-of-concept demonstration
In response, WinRAR has dropped support for ACE files in the latest version of the software, to protect its users from the risk. You can grab WinRAR 5.70 beta 1 here.
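The defensive check that the path traversal above calls for, as an added example that is not WinRAR’s, UNACEV2.DLL’s or Check Point’s code: the extractor must derive the output path of every entry itself and refuse any entry name (absolute, UNC, drive letter, `..` traversal, colon syntax) that would land outside the directory the user chose. The destination directory and the sample entry names are constructed.

```python
import posixpath

# Added example, not code from WinRAR, UNACEV2.DLL or Check Point. An extractor
# must derive the output path of every entry itself and refuse any name that
# would land outside the directory the user chose. Sample names are constructed.

def safe_target(dest_dir: str, entry_name: str):
    """Return (path, "ok") with the only place entry_name may be written under
    dest_dir, or (None, reason) if the entry must be refused. Pure string
    logic, so the verdict is the same on Windows and POSIX."""
    if not entry_name or "\x00" in entry_name:
        return None, "empty-or-nul"
    name = entry_name.replace("\\", "/")          # treat both separators alike
    if name.startswith("/"):                      # /x or //server/share (UNC)
        return None, "absolute"
    if name[1:2] == ":" and name[0].isalpha():    # Windows drive syntax: C:\x
        return None, "drive-letter"
    parts = []
    for part in name.split("/"):
        if part in ("", "."):                     # a//b and ./a are harmless
            continue
        if part == "..":                          # would climb out of dest_dir
            return None, "traversal"
        if ":" in part:                           # drive-relative or NTFS stream
            return None, "colon-component"
        parts.append(part)
    if not parts:
        return None, "empty-or-nul"
    base = posixpath.normpath(dest_dir.replace("\\", "/"))
    base = "" if base == "." else base            # "." would defeat commonpath
    target = posixpath.normpath(posixpath.join(base, *parts))
    if posixpath.commonpath([base, target]) != base:   # defence in depth
        return None, "escaped"
    return target, "ok"

def triage(dest_dir: str, entry_names):
    """Split a listing into entries to write (name -> path) and to refuse
    (name -> reason) before any file is touched; log the refusals."""
    allowed, refused = {}, {}
    for n in entry_names:
        path, reason = safe_target(dest_dir, n)
        (allowed if path else refused)[n] = path or reason
    return allowed, refused

# Constructed listing: two benign entries, four that try to leave dest_dir.
SAMPLE_ENTRIES = ["report/summary.txt", "report/./images//chart.png",
                  "..\\..\\..\\unexpected.txt", "C:\\Users\\Public\\unexpected.txt",
                  "\\\\server\\share\\unexpected.txt", "notes.txt:hidden"]
```

Refusals are worth logging with their reason: an archive that carries absolute or traversing entry names is a detection signal in its own right, independent of what the entries contain.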
Last Updated: February 21, 2019
Magoo
February 21, 2019 at 08:33
More like LoseRAR am I right?!
Magoo
February 21, 2019 at 08:42
There are only two things in the world that last forever. A momma’s love and WinRAR trial version.
Admiral Chief
February 21, 2019 at 09:22
HAH, my WinZip lasted longer than my momma’s love boooooom
[hides manly tears]
Magoo
February 21, 2019 at 09:43
Doesn’t change the fact that her love lasts forever. Just, not for you. 🙁
G8crasha
February 22, 2019 at 11:24
7-Zip for me.
Delano
February 21, 2019 at 08:22
7zip is vastly superior to WinRAR. Doesn’t have this exploit, is free, smaller, and the .7z format has better compression than .rar. Banish this to the vaporware gulag!
HvR
February 21, 2019 at 08:53
Another huge benefit: it can decompress almost every other compression format, especially handy for Linux tarballs.
Geoffrey Tim
February 21, 2019 at 08:22
Yep. I’ve been using 7Zip for forever now.
Dutch Matrix
February 21, 2019 at 08:53
Windows extraction tool.
HvR
February 21, 2019 at 08:53
Do you also play Fallout 76?
Dutch Matrix
February 21, 2019 at 08:53
No. But I don’t see the need to download software when what I need is already there.
HvR
February 21, 2019 at 09:13
Horrible interface and lack of support for a lot of compression formats
Dutch Matrix
February 21, 2019 at 10:18
In my work I only ever encounter zip files. At home I compress nothing! NOTHING!
Captain JJ
February 21, 2019 at 10:18
Yea. Also been using 7zip
WhiteRock
February 21, 2019 at 08:33
7Zip FTW!