Nasty code-execution bug in WinRAR threatened millions of users for 14 years

Enlarge / Evert (credit: iStock / Getty Images)
WinRAR, a Windows file compression program with 500 million users worldwide, recently fixed a more than 14-year-old vulnerability that made it possible for attackers to execute malicious code when targets opened a booby-trapped file.
The vulnerability was the result of an absolute path traversal flaw that resided in UNACEV2.DLL, a third-party code library that hasn’t been updated since 2005. The traversal made it possible for archive files to extract to a folder of the archive creator’s choosing rather than the folder chosen by the person using the program. Because the third-party library doesn’t make use of exploit mitigations such as address space layout randomization, there was little preventing exploits.
Researchers from Check Point Software, the security firm that discovered the vulnerability, initially had trouble figuring out how to exploit the vulnerability in a way that executed code of their choosing. The most obvious path—to have an executable file extracted to the Windows startup folder where it would run on the next reboot—required WinRAR to run with higher privileges or integrity levels than it gets by default.
Read 4 remaining paragraphs | Comments