If you use WinRAR, you need to update RIGHT NOW!

Post by FlyingPenguin »

Real bad exploit that's currently being used in the wild. Due to an old module in WinRAR for de-archiving .ACE files, a maliciously crafted .rar (actually it can be ANY archive file type) will totally own you. Exploits in the wild now in use will install a rootkit or hit you with ransomware.

This exploit allows a total bypass of user permissions, so this is one of those rare cases where even being a limited user won't protect you.

There are two components to this exploit. One is in WinRAR (every version except the latest) and one is a flaw in a Windows system file (now confirmed to affect all flavors of Windows, not just Win7).

Microsoft patched their exploit last Patch Tuesday, but even without that, the WinRAR exploit by itself is pretty bad, so make sure you also update WinRAR.

Sadly, WinRAR does not have any built-in update mechanism, so it's up to you to go get the latest version (5.70) from their website: https://www.rarlab.com/download.htm

If you're using a Warez version, get rid of it, and do without or pay for it. This is really bad.

https://www.pcmag.com/news/366852/hacke ... read-malwa
"Turns out I’m 'woke.' All along, I thought I was just compassionate, kind, and good at history. "

Post by Executioner »

Thanks. Here is the info in the update file:

Nadav Grossman from Check Point Software Technologies informed us
about a security vulnerability in UNACEV2.DLL library.
Aforementioned vulnerability makes possible to create files
in arbitrary folders inside or outside of destination folder
when unpacking ACE archives.

WinRAR used this third party library to unpack ACE archives.
UNACEV2.DLL had not been updated since 2005 and we do not have access
to its source code. So we decided to drop ACE archive format support
to protect security of WinRAR users.

We are thankful to Check Point Software Technologies for reporting
this issue.

I bought WinRAR years ago, but you're right. It does not notify you of any updates.

Post by Losbot »

I've been using 7zip for some time now. Very lightweight.

Post by psypher »

Losbot wrote: I've been using 7zip for some time now. Very lightweight.
Same. I have a license for WinRAR, but I haven't really used it in years.

Post by Losbot »

Same. I just find 7zip to be free and super lightweight. Plus it can un-rar files so that's fine for me.

Post by Executioner »

The issue was only related to the old ACE archive format, which I haven't seen in a very long time. I highly doubt that I even have any ACE archives stored.

Post by FlyingPenguin »

No. Steve Gibson explained it in detail last week. It IS related to the ACE decrypter. However, WinRAR has the ability to know how to open an archive by ignoring the extension. It reads the metadata to figure out what the archive actually is.

That means (and this is what they're doing in the wild) you can create a compromised .ACE file, and then rename it .RAR or .ZIP (since no one uses ACE anymore). WinRAR will recognize it as an .ACE file irregardless of the extension, and open it with the ACE decrypter and the malware will do its thing. That's why this is so bad.
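
Added example (not part of any post in this thread): since the extension says nothing about how an archive will be handled, a defender can check content instead. This Python sketch flags files whose leading bytes carry the ACE marker whatever they are named, and lists leftover copies of UNACEV2.DLL; the function names and sample files are constructed for illustration.

```python
import os
import tempfile

# ACE archives carry the marker "**ACE**" at byte offset 7 of the main header;
# RAR and ZIP files start with their signatures at offset 0.
ACE_MAGIC, ACE_OFFSET = b"**ACE**", 7
OTHER_MAGICS = {"rar": b"Rar!\x1a\x07", "zip": b"PK\x03\x04"}

def sniff_format(path):
    """Return the archive format implied by the leading bytes, or None."""
    with open(path, "rb") as fh:
        head = fh.read(32)
    if head[ACE_OFFSET:ACE_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC:
        return "ace"
    for name, magic in OTHER_MAGICS.items():
        if head.startswith(magic):
            return name
    return None

def scan(root):
    """Return (ACE-content files with their extension, UNACEV2.DLL copies) under root."""
    ace_files, dll_copies = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                if fname.lower() == "unacev2.dll":
                    dll_copies.append(full)
                elif sniff_format(full) == "ace":
                    ace_files.append((full, os.path.splitext(fname)[1].lower()))
            except OSError:
                continue  # unreadable file: skip it
    return sorted(ace_files), sorted(dll_copies)

def build_samples(root):
    """Write constructed sample files (header bytes only, not working archives)."""
    samples = {
        "invoice.rar": b"\x00" * 7 + ACE_MAGIC + b"\x00" * 16,  # ACE content, .rar name
        "photos.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 16,       # RAR signature
        "docs.zip": b"PK\x03\x04" + b"\x00" * 16,               # ZIP signature
        "UNACEV2.DLL": b"MZ" + b"\x00" * 16,                    # stand-in for the library
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        print(scan(tmp))
```

The check only looks at offset 7, so an ACE archive embedded further into a file (a self-extracting executable, for instance) is not detected by it.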

Post by Losbot »

You do realize that "irregardless" is a made up, redundant word, yes? ;)
(couldn't resist)

Post by Executioner »

FlyingPenguin wrote: No. Steve Gibson explained it in detail last week. It IS related to the ACE decrypter. However, WinRAR has the ability to know how to open an archive by ignoring the extension. It reads the metadata to figure out what the archive actually is.

That means (and this is what they're doing in the wild) you can create a compromised .ACE file, and then rename it .RAR or .ZIP (since no one uses ACE anymore). WinRAR will recognize it as an .ACE file irregardless of the extension, and open it with the ACE decrypter and the malware will do its thing. That's why this is so bad.
Oh shit that is bad. Thanks for the explanation.

Post by FlyingPenguin »

Losbot wrote: You do realize that "irregardless" is a made up, redundant word, yes?
You're like my cousin who's an English teacher. That's one of her favorite nitpicks. :)

Post by Losbot »

I couldn't resist since you hear all the Cubans down here use that shit....CONSTANTLY.

Post by FlyingPenguin »

BTW, I haven't used WinRAR in a while, but I'm a licensed owner from way back in version 3. So I downloaded the latest 5.70 x64 version and installed it on my server, and then dropped my license file in the program folder, and it still takes the license.

And yeah, 5.70 doesn't even list .ACE as a file it can work on.