Windows users are facing a significant threat as cybersecurity experts have uncovered a critical remote code execution vulnerability within WinRAR, a widely used file compression tool with an estimated 500 million users globally. This vulnerability impacts all versions released over the past 19 years, highlighting the extensive scope of the threat.

The issue stems from a legacy third-party library known as UNACEV2.DLL, which has been identified as mishandling files archived in the ACE compression format. Notably, because WinRAR determines file types by analyzing content rather than relying solely on file extensions, attackers can easily disguise malicious ACE files as RAR files by simply changing their extensions. This makes the detection and prevention of such exploits particularly challenging for users.

Researchers from Check Point have pinpointed an “Absolute Path Traversal” flaw within this library. Because the extraction routine honours the file paths stored inside the archive without confining them to the chosen destination folder, an attacker can redirect extracted files to unintended directories, such as the Windows Startup folder. A specially crafted archive can therefore place executable code on a target machine simply by being decompressed, and that code runs automatically at the next reboot or logon without the user’s knowledge.
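The two mechanisms described above, content-based format detection and unconfined entry paths, can be checked before extraction. The following is an added example, my own code rather than Check Point's or WinRAR's: it sniffs an archive's real format from its leading bytes (flagging an ACE file renamed to .rar) and rejects any entry name that would resolve outside the destination directory, the check the legacy library did not perform. The sample header bytes, file names and the `<user>` placeholder are constructed.

```python
import ntpath

# Documented format magics: a RAR archive starts with "Rar!\x1a\x07"; an ACE
# archive carries "**ACE**" at byte offset 7 of its main header.
RAR_MAGIC = b"Rar!\x1a\x07"
ACE_MAGIC = b"**ACE**"
ACE_MAGIC_OFFSET = 7

def sniff_archive(data: bytes) -> str:
    """Identify the format from content, as WinRAR does, ignoring the extension."""
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data[ACE_MAGIC_OFFSET:ACE_MAGIC_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC:
        return "ace"
    return "unknown"

def is_disguised_ace(filename: str, data: bytes) -> bool:
    """True when the name says .rar but the bytes say ACE (the disguise above)."""
    return filename.lower().endswith(".rar") and sniff_archive(data) == "ace"

def is_safe_entry_path(entry_name: str, dest_dir: str) -> bool:
    """True only if extracting entry_name stays inside dest_dir (an absolute Windows
    path). Drive/UNC prefixes, rooted names and '..' escapes are rejected; ntpath
    applies Windows path rules on any platform."""
    if ntpath.splitdrive(entry_name)[0]:          # "C:..." or "\\server\share..."
        return False
    dest = ntpath.normcase(ntpath.normpath(dest_dir))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(dest, entry_name)))
    return target.startswith(dest + "\\")        # resolved path must sit under dest

def audit_archive(filename: str, data: bytes, entries: list[str], dest_dir: str) -> list[str]:
    """Findings a defender would log (or block on) before letting extraction run."""
    findings = []
    if is_disguised_ace(filename, data):
        findings.append(f"{filename}: extension is .rar but content is ACE")
    for name in entries:
        if not is_safe_entry_path(name, dest_dir):
            findings.append(f"{filename}: entry {name!r} resolves outside {dest_dir}")
    return findings

if __name__ == "__main__":
    # Constructed sample: a fake ACE header renamed to .rar, with one entry that
    # climbs into the Startup folder via '..'; <user> is a placeholder.
    fake_ace = b"\x00" * ACE_MAGIC_OFFSET + ACE_MAGIC + b"\x00" * 16
    entries = ["readme.txt", r"..\..\..\Users\<user>\AppData\Roaming\Microsoft"
               r"\Windows\Start Menu\Programs\Startup\payload.exe"]
    for finding in audit_archive("invoice.rar", fake_ace, entries, r"C:\Users\<user>\Downloads"):
        print(finding)
```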

The attack chain is alarmingly simple. In their demonstrations, the researchers show that an attacker only needs to convince a user to open a maliciously crafted archive to gain full control of the compromised system. Such exploitation could have severe consequences, particularly for businesses that overlook this vulnerability.

The WinRAR development team, recognizing the severity of the flaw, discontinued the UNACEV2.DLL library, whose source code had been lost in 2005. To mitigate the risk, they released a new version, WinRAR 5.70 beta 1, which no longer supports the ACE format and is therefore not affected by this particular exploit.

Given the potential impact of this vulnerability, Windows users are strongly advised to update to the latest version of WinRAR immediately and to refrain from opening files from unverified sources. In MITRE ATT&CK terms, this attack maps to the Initial Access tactic, through the deception needed to have users open compromised files, and the Persistence tactic, through placing malicious software in the Windows Startup directory.

As this situation develops, business owners should remain vigilant and proactive in securing their systems against such vulnerabilities to avert potential breaches and ensure the integrity of their operations.
