It’s not often that a software vulnerability goes undetected for as long as 19 years, especially when an incredible 500 million users were exposed.
The issue with WinRAR, a Windows file archiver, was detected by Check Point Software Technologies through fuzz testing and was resolved immediately by WinRAR, who released a patch and ended support for ACE archives.
ACE File with RAR Extension Was the Culprit
The researchers at Check Point found that by using a RAR extension to rename an ACE file, WinRAR could be duped in to extracting malicious software into the startup folder of any computer, which would then run automatically when the machine was switched on.
The ACE format file was the main vehicle through which malicious files could be introduced, acting as a Trojan while relying on an old DLL (dynamic link library) file that hadn’t been updated since 2006.
Unfortunately, there doesn’t appear to be much that users could have done to prevent falling prey to this risk, aside from not downloading WinRAR at all. If malware was successfully hidden within an ACE archive, it was effectively screened from the view of antivirus and antimalware software.
Furthermore, as the issue was a vulnerability to malicious use through Absolute Path Traversal, the bug likely wouldn’t have been obvious to antimalware programs prior to download.
Regardless, if harnessed by the wrong hands, the results could have been devastating. The presence of the compromised file in the startup folder appeared to produce no error messages, and the malicious archive was even capable of displaying the original, uncompromised file in a different location to distract your attention. Consequently, the Trojan file could have effectively taken over the victim’s computer.
WinRAR Responds with a Patch
The Check Point researchers have detailed their work on their blog and uploaded a video on YouTube demonstrating how simple the process of extraction was.
The moment the news of this vulnerability was released by Check Point, WinRAR took instant action by releasing a patch, updated version 5.70 beta 1, and ending support for ACE archives.
Withdrawing support for the ACE format files within its download pack was probably the only viable move for WinRAR. The format isn’t as common now, but at its peak around 2000, before Windows was capable of handling Zip archives by itself, it was a popular tool.
It seems almost unbelievable that a program used by so many people for almost two decades could have contained such a potentially dangerous bug. But the technology age has resulted in many consumers forgetting that simple human error and oversight is as likely as ever to put our personal devices at risk.
While antimalware software would have been unlikely to make a difference in this case, it pays to make sure that you have some kind of up-to-date security system in place.
It’s hard to know whether anyone fell prey to this mechanism of attack during the bug’s 19-year lifespan, thus far, none have been reported. Regardless, now would be a good time to update WinRAR if you’re a regular user of the program, or remove it altogether if you’re not.