Home » News » Apps » WinRAR patches security vulnerability after 19 years

WinRAR patches security vulnerability after 19 years

By Vignesh Giridharan | Updated on 22-Feb-2019
WinRAR patches security vulnerability after 19 years
Vignesh Giridharan Vignesh Giridharan
22 Feb 2019 12:36
HIGHLIGHTS

Another case of too little, too late?

Highlights:

  • WinRAR patches a 19-year-old security vulnerability.
  • The vulnerability was discovered by Check Point Software Technologies.
  • The vulnerability can potentially let attackers extract malicious software to any folder in the system.

 

WinRAR, the popular Windows-exclusive file archival tool, has been around for over two decades now. A security vulnerability that’s nearly as old as the application itself was discovered by researchers at Check Point Software Technologies a couple of days ago. The researchers published their findings in a blog post along with a response they got from WinRAR. The vulnerability that allowed attackers to extract malicious software anywhere on the hard drive has been patched.

The pundits at Check Point Software Technologies outline the potential risks of the vulnerability and steps to recreate it in their lengthy blog post. The short version is that the vulnerability basically allowed WinRAR users to extract a malicious program to any folder in the system including Windows’ Startup folder simply by changing the extension of the file from .ACE to .RAR. A malicious program that runs when Windows boots up could potentially cause irreparable damage to the system.

“Aforementioned vulnerability makes possible to create files in arbitrary folders inside or outside of destination folder when unpacking ACE archives”, responded WinRAR on its website. “WinRAR used this third party library to unpack ACE archives. UNACEV2.DLL had not been updated since 2005 and we do not have access to its source code. So we decided to drop ACE archive format support to protect security of WinRAR users. We are thankful to Check Point Software Technologies for reporting  this issue.”

This is not the first time a security vulnerability like this has gone unnoticed and unpatched for long periods of time. A zero-day vulnerability capable of letting an exploit delete system files was discovered in Windows 10 by security researcher SandboxEscaper in October last year. More recently, an Indian security researcher found a Windows vulnerability that allowed hackers to take control of over 400 million Microsoft Store, Outlook, and Sway accounts.

 

Related Read:

New file-deleting Windows zero-day vulnerability unearthed

Indian security researcher finds Microsoft vulnerability affecting 400 million users

Vignesh Giridharan

Vignesh Giridharan

Progressively identifies more with the term ‘legacy device’ as time marches on. View Full Profile

New Mobiles
Apple IPhone 15Redmi 12 5GRealme 11 Pro+ 5GApple IPhone 15 PlusNothing Phone 2
Top-10s
Best Mobile Phones under 15,000Best Mobile Phones under 20,000Best Mobile Phones Under 10,000Best Mobile PhonesBest 5G Mobile Phones
Terms of Use Privacy Policy About Us Advertise with us Contact Us SiteMap Current / Past Issue Magazine Subscription
9.9 Group

Digit.in is one of the most trusted and popular technology media portals in India. At Digit it is our goal to help Indian technology users decide what tech products they should buy. We do this by testing thousands of products in our two test labs in Noida and Mumbai, to arrive at indepth and unbiased buying advice for millions of Indians.

We are about leadership – the 9.9 kind Building a leading media company out of India. And, grooming new leaders for this promising industry.

logo logo logo logo logo logo
Copyright © 2007-24 9.9 Group Pvt.Ltd.All Rights Reserved.
Digit.in
Logo
Digit.in
Logo