Code-execution error in WinRAR was 14 years of risk to users

WinRAR, a file compression program for Windows with 500 million users worldwide, has solved a vulnerability of over 14 years old. The vulnerability made it possible for attackers to run rogue code when a target opened a file with a booby trap, reports Ars Technica.

The vulnerability was the result of an absolute path traversal flaw in UNACEV2.DLL. This is a third party code library that has not been updated since 2005. The error made it possible for archive files to extract a folder of their choice from the creator of that archive, instead of the folder chosen by the user of the program.

Researchers at Check Point Software, who found the vulnerability, found a way to execute malicious code. They created an exploit that placed the code of their choice in the Windows startup, where it would be executed if Windows was rebooted.

This could not be done by adding an executable file to the Windows startup folder. To do so, WinRAR had to have more privileges or levels of integrity than it gets by default. That’s why the researchers made a proof-of-concept that incorrectly represents the startup folder.

Vulnerability poem

WinRAR said at the end of last month that the vulnerability has been closed. “UNACEV2.DLL had not been updated since 2005 and we don’t have access to its source code,” says company employees. “We have therefore decided to stop support for ACE archive format, in order to protect the security of WinRAR users.”

The vulnerability existed for the entire 14 years in WinRAR, since the library was made. The vulnerability may even have existed before, according to researchers at Check Point. They also compared their proof-of-concept with zero-day attacks that Zerodium says he would pay 100,000 dollars for. Whether that is a good comparison is not clear.