WinRAR is a widely used archiving utility for creating and extracting archives on Windows and other supported operating systems. Much of its popularity comes from the number of archive formats it can handle, and the vendor reports over 500 million users. In 2019 the software was found to carry a serious vulnerability that came to be known as the ‘WinRAR Bug’.

1. When Was WinRAR Bug Discovered?

The bug was disclosed in February 2019 by security researchers at ‘Check Point Research’; by then the vulnerable code was about 19 years old.

2. What Is WinRAR Bug?

It is a path traversal vulnerability (CVE-2018-20250) that leads to code execution. The flaw lies in UNACEV2.DLL, the third-party library WinRAR used to extract the ACE archive format (now rarely used). The library had not been updated since 2005, and because WinRAR did not have access to its source code, the vulnerability could not simply be patched in place.

3. What Does It Do?

  • The vulnerability is triggered when the victim extracts a specially crafted archive delivered to their system.
  • Renaming the ACE file with a ‘.rar’ extension does not stop the attack: WinRAR identifies the format from the file’s contents, not its extension, so the archive is still handed to UNACEV2.DLL.
  • A crafted file name inside the archive lets the attacker write extracted files to an arbitrary folder instead of the default or user-selected one.
    In the observed attacks the malicious file is dropped into the Windows Startup folder.
  • The dropped malware is executed the next time the system is restarted and the user logs on.
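The two mechanics above, format sniffing and a stored file name that escapes the destination folder, as an added example in Python (not code from the original article, from Check Point Research or from WinRAR). It uses the standard library’s ntpath so that Windows path semantics are reproduced on any OS. The destination folder, the entry names and the header bytes are constructed for the demonstration and are not the strings used in any real sample. naive_join shows what a careless extractor does with the stored name; safe_join is a hardened version that rejects drive and UNC prefixes, rooted paths, ‘..’ and colon-bearing components, and then confirms that the result still lies under the destination.

```python
"""Added example: how an ACE-style traversal lands a file in Startup, and the check that stops it.

ntpath gives Windows path semantics (drive letters, UNC prefixes, backslashes)
even when this script is run on Linux or macOS.
"""
import ntpath

# An ACE archive begins with a main header whose 7-byte signature sits at
# offset 7 (after HEAD_CRC, HEAD_SIZE, HEAD_TYPE and HEAD_FLAGS). WinRAR routes
# a file to its ACE code by this signature, so renaming it to .rar changes nothing.
ACE_MAGIC = b"**ACE**"
RAR_MAGIC = b"Rar!\x1a\x07"

# Constructed sample headers: every field other than the signature is zeroed.
SAMPLE_ACE_HEADER = b"\x00" * 7 + ACE_MAGIC
SAMPLE_RAR_HEADER = RAR_MAGIC + b"\x00"


def is_ace_archive(data: bytes) -> bool:
    """Identify an ACE archive by content, regardless of its extension."""
    return data[7:14] == ACE_MAGIC


# Constructed destination folder and entry names; the traversal strings are
# illustrative forms of the attack, not taken from any real sample.
DEST = r"C:\Users\alice\Music"
STARTUP = r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
ENTRIES = {
    "benign":      r"Ariana_Grande\01.mp3",
    "dotdot":      rf"..\..\{STARTUP}\payload.exe",
    "absolute":    rf"C:\Users\alice\{STARTUP}\payload.exe",
    "drive_trick": rf"C:\C:C:..\{STARTUP}\payload.exe",
    "unc":         r"\\fileserver\share\payload.exe",
    "rooted":      r"\Windows\payload.exe",
    "ads":         r"notes.txt:payload.exe",
}


def naive_join(dest_dir: str, entry_name: str) -> str:
    """What a careless extractor does: trust the stored name and join it.

    ntpath.join discards dest_dir when entry_name is absolute or rooted, and
    normpath collapses '..' straight through the destination's parents.
    """
    return ntpath.normpath(ntpath.join(dest_dir, entry_name))


def safe_join(dest_dir: str, entry_name: str) -> str:
    """Resolve entry_name under dest_dir, or raise ValueError.

    Rejects drive letters and UNC prefixes, rooted paths, '..' components and
    ':' inside a component (drive-relative forms such as 'C:C:..' and NTFS
    alternate data streams), then confirms the result stays under dest_dir so
    that a bypass of the component checks is still caught.
    """
    name = entry_name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(name)
    if drive:
        raise ValueError(f"drive or UNC prefix not allowed: {entry_name!r}")
    if rest.startswith("\\"):
        raise ValueError(f"rooted path not allowed: {entry_name!r}")
    parts = [p for p in rest.split("\\") if p not in ("", ".")]
    if not parts:
        raise ValueError(f"empty entry name: {entry_name!r}")
    for part in parts:
        if part == ".." or ":" in part:
            raise ValueError(f"unsafe component {part!r} in {entry_name!r}")
    dest = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(dest, *parts))
    # commonpath raises ValueError itself if the drives differ, which is fine.
    if ntpath.commonpath([dest, target]) != dest:
        raise ValueError(f"entry escapes destination: {entry_name!r}")
    return target


def classify(dest_dir: str, entry_name: str) -> str:
    """Return 'ok' if safe_join accepts the entry, else 'rejected'."""
    try:
        safe_join(dest_dir, entry_name)
        return "ok"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print("ACE by signature:", is_ace_archive(SAMPLE_ACE_HEADER), is_ace_archive(SAMPLE_RAR_HEADER))
    for label, name in ENTRIES.items():
        print(f"{label:12} naive -> {naive_join(DEST, name)}")
        print(f"{'':12} safe  -> {classify(DEST, name)}")
```

Only the benign entry survives safe_join; every other form resolves, under naive_join, to a location outside the user’s chosen folder, which is exactly the behaviour the bullets above describe. The final commonpath check is deliberately redundant with the component checks: in an extractor, the containment test on the resolved path is the control you want to survive any future parsing surprise.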

4. What Are The Examples Of Cyber Attack Campaigns Launched To Exploit WinRAR Bug?

  • The vulnerability was exploited in more than 100 targeted attacks. Some examples:
    One such attack used a bootlegged copy of Ariana Grande’s hit album ‘thank u, next’, distributed as a file named ‘Ariana_Grande-thank_u,_next(2019)_[320].rar’ with a hidden malicious payload. When an unpatched version of WinRAR extracts the archive, a set of harmless MP3 files is written to the folder the user selected, while the malware is silently extracted to the Windows Startup folder. The next time the user starts the system, the payload runs and launches the malware.
  • Apart from such mass-market lures, the attackers also used this vulnerability against government agencies, with archives posing as technical documents, legal documents and similar material carrying the malicious payload.

5. How To Get Rid Of The Bug?

WinRAR released version ‘5.70 beta 1’ with the vulnerability addressed. Because WinRAR did not have the source code of the vulnerable library, the developers removed UNACEV2.DLL from the new version altogether. ACE format support has therefore been dropped from WinRAR in order to protect users.

All WinRAR versions released before ‘5.70 beta 1’ are affected, and WinRAR has no auto-update feature, so users must download and install the new version manually to avoid falling victim to exploits based on the WinRAR bug. A quick way to confirm that an installation is no longer exposed is to check that UNACEV2.DLL is absent from the WinRAR program folder.

For more information on computer and network security for businesses, call Centex Technologies at (254) 213 – 4740.