WinRAR’s 19-year-old security vulnerability, which allowed attackers to extract malicious software anywhere on the user’s hard drive, has finally been patched in the latest beta release (v5.70 beta 1) of the popular file archiver utility for Windows platforms (via The Verge).
According to WinRAR, over 500 million users worldwide make it the world’s most popular compression tool today. The security flaw was discovered by researchers at Check Point Software Technologies, who have also created a short video (embedded below) detailing how it works.
Apparently, the attackers simply needed to rename an ACE file to give it a RAR extension and then get WinRAR to extract a malicious program to a computer’s startup folder:
“After the security researchers informed WinRAR of their findings, the team patched the vulnerability with version 5.70 beta 1 of the software. Rather than attempt to fix the issue, the team opted to drop support for ACE archives entirely, which was probably the sensible option considering the only program capable of creating the archives, WinACE, hasn’t been updated since 2007.”
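The mechanism described above, an ACE archive renamed to .rar carrying an entry whose path points outside the extraction folder, suggests two checks a defender can run before handing a file to any extractor: identify the container by its bytes rather than its extension, and refuse entry names that escape the destination directory. This is an added example, not code from the article, WinRAR or Check Point; the magic-byte offsets are assumptions taken from the public RAR and ACE formats, and the sample archives and startup-folder path are constructed.

```python
import os
from pathlib import PureWindowsPath

# Format signatures (assumption: taken from the public RAR and ACE formats).
RAR_MAGIC = b"Rar!\x1a\x07"   # RAR 4.x continues with \x00, RAR 5 with \x01\x00
ACE_MAGIC = b"**ACE**"        # ACE main header carries this at byte offset 7

def sniff_archive(data: bytes) -> str:
    """Identify the container by content, ignoring the file extension."""
    if data.startswith(RAR_MAGIC):
        return "rar"
    if len(data) >= 14 and data[7:14] == ACE_MAGIC:
        return "ace"
    return "unknown"

def is_disguised_ace(filename: str, data: bytes) -> bool:
    """True when a file named *.rar is really an ACE archive."""
    return filename.lower().endswith(".rar") and sniff_archive(data) == "ace"

def safe_extract_path(dest_dir: str, entry_name: str):
    """Map an archive entry name to a path inside dest_dir.

    Returns None when the entry would land outside dest_dir: drive letters,
    UNC prefixes, absolute paths and '..' components are all rejected.
    """
    if PureWindowsPath(entry_name).drive or entry_name[:1] in ("/", "\\"):
        return None
    parts = [p for p in entry_name.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None
    dest = os.path.abspath(dest_dir)
    target = os.path.abspath(os.path.join(dest, *parts))
    # Second line of defence: the resolved path must still sit under dest.
    return target if os.path.commonpath([dest, target]) == dest else None

if __name__ == "__main__":
    # Constructed samples: a genuine RAR header and an ACE header saved as .rar.
    rar_blob = RAR_MAGIC + b"\x00" + b"\x00" * 16
    ace_blob = b"\x00" * 7 + ACE_MAGIC + b"\x00" * 16
    print(is_disguised_ace("invoice.rar", rar_blob))   # False
    print(is_disguised_ace("invoice.rar", ace_blob))   # True
    # Constructed entry name aimed at a user's Startup folder via '..' traversal.
    startup = r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.exe"
    print(safe_extract_path("/tmp/out", startup))       # None
    print(safe_extract_path("/tmp/out", "docs/readme.txt"))
```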
If you use WinRAR on your computer, we strongly advise you to update it right away.