WinRAR users, without a patch, are vulnerable to CVE-2023-40477, a serious software flaw. The bug allows attackers to execute code on the victim’s machine after the latter opens a file.
The vulnerability appears to be a result of an incomplete validation step during recovery volume processing. This allows an archive file to write past its allocated system memory, allowing attackers to place malware on an unsuspecting user’s PC. This only requires deception, as is true of a fraudulent PDF or other files. If a user can be convinced of opening the file, the attack can take place.
WinRAR offers solution, but not everyone patches
A security researcher with the alias “goodbyeselene” found the vulnerability during Trend Micro’s Zero Day Initiative on June 8, after which WinRAR was notified.
WinRAR version 6.23 fixes this bug, but The Register correctly notes that by no means everyone regularly updates the tool. Still, the application is incredibly common worldwide, with more than half a billion users. In short: it is really important to provide it with a patch now to prevent damage.
Those who choose to do so can also count on a number of other improvements. For example, it is now possible to extract XZ archives that use an ARM64 filter. Some other bugs have also been fixed, although not nearly as serious as the above.
Also read: After three decades, Windows finally supports rar, gz and tar files