WinRAR Vulnerability Leaves Millions of Users at Risk

If you’ve been a computer user for any length of time, you’ve run across compressed files.

In the old days, you’d have to download a separate program to be able to deal with these compressed files, at least on Windows. Thankfully, current versions of Windows now come with the ability to handle compressed archives.

There were lots of different utilities that would handle compressed files, and one of the most popular was called WinRAR.

But WinRAR has had a bug that could allow attackers to install almost anything on a users computer without there knowledge.

WinRAR History

WinRAR was one of my first exposures to nagware – well-done software that is free forever, with the small caveat that it will bug you to purchase a license. There was no penalty for not buying a license, though – the program would always work without restriction.

One thing WinRAR didn’t have, though, was an automatic update mechanism. That means if there’s a vulnerability in the program, and a user has not bought a license (and registered their email address with WinRAR), there’s no way to fix exposed users proactively.

It’s estimated that there are over 500 million active users of WinRAR, and I imagine only a small fraction of those have paid for licenses. Which means a significant portion of those 500 million users are vulnerable to this bug.

WinRAR Vulnerability

While I’m not going to get into the technical details (you can find a bit more here), basically the bug is in a software library used by WinRAR that allows an attacker to extract a file to a folder of their choice (like the Windows Startup folder) without user intervention.

This vulnerability can be exploited while still performing a user-requested action, as you can see in this 35-second video:

This means that you should expect to get more malicious spam emails with some a ZIP or compressed file attached. When you extract the data, you may have unknowingly exposed yourself to a wide variety of threats.

The newest version of WinRAR (5.70) has removed the offending software library, and so are no longer vulnerable. If you’re still using WinRAR, it is highly encouraged to update now (for free).

Needless to say, don’t open any emails or files from people you don’t know. And if you’re not expecting a file from a someone you do know, talk to them before you open it!