High severity vuln in WinRAR could allow code to run when files are opened
Update now: Millions of users potentially impacted, plus uncounted warez folks
Users of the popular WinRAR compression and archiving tool should update now to close a vulnerability that allows attacker-supplied code to run when a user opens a booby-trapped RAR file.
WinRAR is one of many apps available for compressing and packaging multiple files together for distribution or archiving, and its developer claims it is the world's most popular compression tool, with over 500 million users worldwide.
Those half a billion users represent a tempting target for any malware creator who crafts an exploit for the vulnerability, especially as many users seldom update the app. Developer RARLAB has released a new version, WinRAR 6.23, which fixes the bug.
The WinRAR flaw, which has been allocated the CVE record CVE-2023-40477, is described by ZDI's advisory as lying in the processing of recovery volumes: the code does not fully validate user-supplied data read from the archive, which can result in a memory access beyond the end of an allocated buffer.
An attacker can therefore construct a RAR file that triggers the out-of-bounds access and use it to execute code in the context of the current process. User interaction is required, in that the victim has to open the malicious archive (or visit a page that serves it), which is why the vulnerability earns a CVSS severity rating of 7.8 (high) rather than critical; in practice, convincing someone to open an archive is not a high bar.
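The advisory's one-line description, "a lack of validation of user-supplied data" leading to "a memory access beyond the end of an allocated buffer", is the classic archive-parser bug class. The following is an added illustration written for this article, not WinRAR's code and not the RAR format: a toy entry format (u16 name length, name, u32 data length, data, all little-endian) is parsed twice, once trusting the length fields the way a vulnerable parser does and once checking every length against both the bytes remaining in the archive and the size of the destination. The crafted sample archive is constructed inline and declares 200 bytes of data while only 6 are present; it is placed in a 4 KiB backing buffer padded with 0xCC so the over-read is visible without the demo itself corrupting memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy entry layout (constructed for this example; not the RAR format):
 *   u16 name_len | name | u32 data_len | data    (little-endian fields) */

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

struct entry {
    char name[32];
    uint8_t data[256];
    size_t data_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the length fields from the file are trusted, so a crafted
 * data_len drives memcpy past the end of the archive bytes (an over-read). */
int parse_entry_vulnerable(const uint8_t *buf, size_t len, struct entry *e) {
    (void)len;                                   /* the archive length is never consulted */
    size_t off = 0;
    uint16_t name_len = rd16(buf + off); off += 2;
    memcpy(e->name, buf + off, name_len); e->name[name_len] = '\0'; off += name_len;
    uint32_t data_len = rd32(buf + off); off += 4;
    memcpy(e->data, buf + off, data_len);        /* reads beyond buf+len when data_len lies */
    e->data_len = data_len;
    return PARSE_OK;
}

/* Hardened: every length read from the file is checked against the bytes that
 * remain in the buffer and against the destination size before it is used. */
int parse_entry_checked(const uint8_t *buf, size_t len, struct entry *e) {
    size_t off = 0;
    if (len - off < 2) return PARSE_TRUNCATED;
    uint16_t name_len = rd16(buf + off); off += 2;
    if (name_len >= sizeof e->name) return PARSE_TOO_LONG;   /* leave room for the NUL */
    if (name_len > len - off) return PARSE_TRUNCATED;
    memcpy(e->name, buf + off, name_len); e->name[name_len] = '\0'; off += name_len;
    if (len - off < 4) return PARSE_TRUNCATED;
    uint32_t data_len = rd32(buf + off); off += 4;
    if (data_len > sizeof e->data) return PARSE_TOO_LONG;
    if (data_len > len - off) return PARSE_TRUNCATED;        /* the crafted sample fails here */
    memcpy(e->data, buf + off, data_len);
    e->data_len = data_len;
    return PARSE_OK;
}

/* Constructed sample: a 4 KiB backing buffer holding a 17-byte logical archive
 * whose data_len field claims 200 bytes. Bytes after the archive are 0xCC so the
 * over-read is visible while staying inside this demo's own allocation. */
#define BACKING 4096
static uint8_t g_backing[BACKING];

size_t build_crafted_archive(void) {
    memset(g_backing, 0xCC, sizeof g_backing);
    size_t off = 0;
    g_backing[off++] = 5; g_backing[off++] = 0;            /* name_len = 5 */
    memcpy(g_backing + off, "a.txt", 5); off += 5;
    uint32_t lie = 200;                                    /* claims 200 bytes of data */
    g_backing[off++] = (uint8_t)lie;         g_backing[off++] = (uint8_t)(lie >> 8);
    g_backing[off++] = (uint8_t)(lie >> 16); g_backing[off++] = (uint8_t)(lie >> 24);
    memcpy(g_backing + off, "hello!", 6); off += 6;        /* only 6 bytes really present */
    return off;                                            /* logical archive length: 17 */
}

int main(void) {
    size_t len = build_crafted_archive();
    struct entry e;
    int rc = parse_entry_vulnerable(g_backing, len, &e);
    printf("vulnerable: rc=%d data_len=%zu data[100]=0x%02x (read past the %zu-byte archive)\n",
           rc, e.data_len, e.data[100], len);
    rc = parse_entry_checked(g_backing, len, &e);
    printf("checked:    rc=%d (PARSE_TRUNCATED)\n", rc);
    return 0;
}
```

The point of the two parsers side by side is the order of operations: a length field is data from the attacker until it has been compared with what is actually left in the buffer, and the comparison has to be against the remaining bytes (`len - off`) rather than the total length, or a second field can still walk off the end.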
The issue was discovered by a security researcher identified as "goodbyeselene", working with Trend Micro's Zero Day Initiative (ZDI), which reported it to the vendor on June 8. ZDI publicly disclosed the vulnerability on August 17, by which point the vendor had already shipped the fixed version of the application on August 2.
That updated version, WinRAR 6.23, also contains fixes for several other flaws, including WinRAR launching the wrong file when a user double-clicked an item in a specially crafted archive, behaviour with security implications of its own. Other minor changes include the immediate deletion of temporary files created when extracting or testing multiple archives.
WinRAR is a shareware product, which means anyone can download and use it for free for up to 40 days before purchasing. Licenses cost $29 for a single computer and are perpetual, at least for the version of WinRAR current at the time of purchase.
Microsoft announced back in May that it was adding native support for RAR files to Windows, along with other archive formats including tar, 7-zip and gz, thanks to the addition of the open-source libarchive library, though presumably only for Windows 11. Redmond has had native support for zip files since the last century, when Compressed Folders arrived with the Windows 98 Plus! pack. ®