Cybersecurity researchers at Check Point have disclosed technical details of a critical vulnerability in WinRAR—a popular Windows file compression application with 500 million users worldwide—that affects all versions of the software released in last 19 years.
The flaw resides in the way an old third-party library, called UNACEV2.DLL, used by the software handled the extraction of files compressed in ACE data compression archive file format.
However, since WinRAR detects the format by the content of the file and not by the extension, attackers can merely change the .ace extension to .rar extension to make it look normal.
The path traversal flaw allows attackers to extract compressed files to a folder of their choice rather than the folder chosen by the user, leaving an opportunity to drop malicious code into Windows Startup folder where it would automatically run on the next reboot.
As shown in the video demonstration shared by researchers, to take full control over the targeted computers, all an attacker needs to do is convincing users into just opening maliciously crafted compressed archive file using WinRAR.
Since the WinRAR team had lost source code of the UNACEV2.dll library in 2005, it decided to drop UNACEV2.dll from their package to fix the issue and released WINRar version 5.70 beta 1 that doesn't support the ACE format.
Windows users are advised to install the latest version of WinRAR as soon as possible and avoid opening files received from unknown sources.