Slashdot Mirror


19-Year-Old WinRAR Vulnerability Leads To Over 100 Malware Exploits (slashgear.com)

"Last month it was discovered that WinRAR, software used to open .zip archive files, has been vulnerable for the last 19 years to a bug that's easily exploited by hackers and malware distributors," writes SlashGear. Slashdot reader Iwastheone quotes their report: Check Point, the security researchers that revealed the WinRAR bug, explain that the software is exploited by giving malicious files a RAR extension, so that when opened they can automatically extract malware programs. These programs are installed in a PC's startup folder, allowing them to start running anytime the computer is turned on, all without the user's knowledge.

Once the bug was disclosed, however, hacker groups really began using it to their advantage, with various nations becoming the target of state-backed cyber-espionage campaigns attempting to collect intelligence. The latest comes from McAfee, the software security firm, which notes that it has identified over 100 unique exploits that use the WinRAR bug, most of them targeting the U.S.

WinRar 5.70, released in late January, patches the behavior, but "it must be manually downloaded and installed from the website, leaving most users unaware of the critical update," the article warns.

It also estimates that during the last 19 years WinRar has been downloaded over 500 million times.

40 of 144 comments

  1. Meh by cheesybagel · · Score: 3, Insightful

    I use 7-zip. Haven't installed WinRAR in like a decade.

    1. Re:Meh by hcs_$reboot · · Score: 1

      Tried to install it on my system: got an "invalid or corrupted package" error.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:Meh by antdude · · Score: 2

      I wish 7-zip would let me extract multiple highlighted files into their own directories/folders like WinRAR does, which is why I still use it. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    3. Re:Meh by Anonymous Coward · · Score: 1

      You can do it by selecting the option "Extract to /*", works like WinRAR

  2. This isn't hard... by bill_mcgonigle · · Score: 4, Informative

    WinRAR was shipping a proprietary free-as-in-beer DLL to uncompress ACE archive format files.

    WinRAR uses 'magic' to detect file types so malware authors are naming archives '.rar' to get it to WinRAR which then passes it into the vulnerable DLL where it uses a path traversal exploit to install malware.

    Since nobody uses ACE format files anyway the WinRAR authors dropped support and removed the DLL.

    Users need to update and Windows doesn't make that easy like linux distros do.

    Maybe it's just me but I find the vague and nebulous "popular" articles to be confusing and hard to read.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:This isn't hard... by phantomfive · · Score: 1

      Maybe it's just me but I find the vague and nebulous "popular" articles to be confusing and hard to read.

      Maybe because the reporters don't understand what they are writing about.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:This isn't hard... by Shikaku · · Score: 1

      He means the package managers of any Linux distro update everything for him. Any program on Windows except the OS doesn't update unless the program does it by itself.

    3. Re:This isn't hard... by Daltorak · · Score: 1

      Users need to update and Windows doesn't make that easy like linux distros do.

      This isn't actually true with Windows 10. It does have a built-in package manager that is capable of installing & updating packages from Chocolatey, GitLab repositories, etc..... and it has the Microsoft Store, which has an auto-update mechanism and is perfectly capable of supporting classic Win32 programs like WinRAR, including the command-line version. (Yes, console apps in the MS Store is a thing nowadays.)

      Problem is.... nobody really seems to know any of this. This is mostly Microsoft's fault since they rarely talk about anything other than superficial improvements in Windows 10.... and because telemetry & update policies have kept a ton of people on Windows 7 (despite the upgrade being free) so software developers haven't been especially motivated to take full advantage of Windows 10 features and deployment techniques.

      A Store App version of WinRAR would actually be mostly invulnerable to these attack vectors because the app containers which they run in aren't allowed to write to the "Startup" folder in the user's profile. Anything other than Documents, Downloads, Desktop, etc. requires explicit access, controllable via the Privacy settings page. On top of all that, the authors want to charge $29 for WinRAR.... wouldn't publishing to the store be a useful way of getting some more people to pay?

    4. Re:This isn't hard... by hairyfeet · · Score: 2

      Or they can just delete the unACE.DLL from their WinRAR folder and it will work just fine, it will simply throw an error if you try to open an ACE file which nobody has used in ages so who cares about the error.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    5. Re:This isn't hard... by LesFerg · · Score: 1

      How popular is Chocolatey? Are there other similar tools for Windows? It would be cool to have a well supported package manager similar to the popular Linux ones. And no, not the Windows App store. Please.

      --
      If I had a DeLorean... I would probably only drive it from time to time.
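The mechanism bill_mcgonigle describes above (a '.rar'-named ACE archive whose entry names traverse out of the extraction directory and into the user's Startup folder) comes down to one missing check on each entry name. The following is an added example, not part of the thread and not code from WinRAR or the ACE decoder: it shows the containment check an extractor should apply before writing any entry, run over a constructed sample archive. The Startup path, the user name "victim" and the file names are illustrative assumptions, not data from the article.

```python
"""Archive entry-name check against path traversal (added example, not WinRAR/UNACEV2 code)."""
import os
import posixpath
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed sample archive: two benign entries plus entries shaped like the attack
# discussed in the thread (a relative name that climbs into the user's Startup folder,
# an absolute drive-qualified name, a traversal hidden behind a real directory).
# The user name and file names are illustrative assumptions, not data from the article.
STARTUP = r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_ENTRIES: List[Tuple[str, bytes]] = [
    ("readme.txt", b"hello"),
    ("docs/notes.txt", b"notes"),
    ("..\\..\\..\\" + STARTUP + "\\update.exe", b"MZ..."),
    ("C:\\Users\\victim\\" + STARTUP + "\\update.exe", b"MZ..."),
    ("sub/../../escape.txt", b"x"),
    ("ok/../still_inside.txt", b"y"),
]


def normalize_entry(name: str) -> Optional[str]:
    """Return a canonical relative path for an archive entry, or None if the entry
    could land outside the extraction root. Backslashes count as separators because
    the malicious archives used Windows-style names; ':' is rejected because on
    Windows it introduces a drive letter or an NTFS alternate data stream."""
    p = name.replace("\\", "/")
    if not p or p.startswith("/") or ":" in p or "\x00" in p:
        return None
    norm = posixpath.normpath(p)
    if norm in (".", "..") or norm.startswith("../"):
        return None
    return norm


def extract_entries(entries: Iterable[Tuple[str, bytes]], dest_root: str,
                    write: Optional[Callable[[str, bytes], None]] = None
                    ) -> Tuple[List[str], List[str]]:
    """Split entries into (accepted target paths, rejected entry names).
    write(path, data) is called for each accepted entry; pass None for a dry run."""
    accepted: List[str] = []
    rejected: List[str] = []
    for name, data in entries:
        norm = normalize_entry(name)
        if norm is None:
            rejected.append(name)
            continue
        target = posixpath.join(dest_root, norm)
        accepted.append(target)
        if write is not None:
            write(target, data)
    return accepted, rejected


def disk_writer(dest_root: str) -> Callable[[str, bytes], None]:
    """Writer that re-checks containment with realpath at write time (defence in
    depth against symlinks planted by earlier entries), then writes the file."""
    root = os.path.realpath(dest_root)

    def write(target: str, data: bytes) -> None:
        real = os.path.realpath(target)
        try:
            inside = os.path.commonpath([root, real]) == root
        except ValueError:  # different drives on Windows
            inside = False
        if not inside:
            raise ValueError(f"refusing to write outside {root}: {target}")
        os.makedirs(os.path.dirname(real), exist_ok=True)
        with open(real, "wb") as f:
            f.write(data)

    return write


if __name__ == "__main__":
    # Dry run: no files are written, the decisions are just printed.
    ok, bad = extract_entries(SAMPLE_ENTRIES, "C:/Users/victim/Downloads/out")
    for t in ok:
        print("extract ", t)
    for n in bad:
        print("REJECT  ", n)
```

The name check alone is not enough in a real extractor: an earlier entry can create a symlink inside the destination, so `disk_writer` repeats the containment test on the resolved path just before writing. Passing `write=None` lets the decisions be inspected without touching the filesystem.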
  3. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  4. Glad they fixed it, won't touch 7zip. by AbRASiON · · Score: 2

    Had multiple archives which were reporting as corrupt / damaged in 7zip and opened fine in WinRAR, near a decade ago.

    Had I followed the advice of 7zip I could have discarded perfectly good data.

    I reported the bug YEARS ago, supplied files too, nope no interest from the developers.
    I spoke yesterday with someone who said the same thing is STILL going on.

    Nope, I don't have faith in 7zip, working with the data reliably is the #1 thing for me. I'll stick with a patched WinRAR thanks.

    1. Re:Glad they fixed it, won't touch 7zip. by Anonymous Coward · · Score: 1

      I too have had files that did not open in 7zip.

      Every last one was a corrupt zip file. 7zip does not react well to corrupt files. I usually unzip the thing and then rezip it with something else and continue to use 7zip.

    2. Re:Glad they fixed it, won't touch 7zip. by Jahta · · Score: 2

      Had multiple archives which were reporting as corrupt / damaged in 7zip and opened fine in WinRAR, near a decade ago.

      I've used 7-Zip for years. Never had a problem, with RAR files (single or multi-part) or any other archive type. YMMV

    3. Re:Glad they fixed it, won't touch 7zip. by tlhIngan · · Score: 1

      I've used 7-Zip for years. Never had a problem, with RAR files (single or multi-part) or any other archive type. YMMV

      The big reason is RAR introduced a new revision just a few years ago, called RAR5. It changed a lot of things and if your RAR decompressor didn't know how to handle RAR5, it would report the file as corrupt.

      The solution as always is to update - 7zip doesn't have native RAR support, so you needed to update the unrar DLL or exe and all would be fine.

      Even RAR users were caught - update WinRAR and everything would work again.

  5. Re: Caused by closed source... by Anonymous Coward · · Score: 1

    That's a heckuva lot of downloads.

    "It also estimates that during the last 19 years WinRar has been downloaded over 500 million times."

    And dozens of people have bought it.

  6. Wasn't it obvious? by mabu · · Score: 1

    ...that there were some bugs in WinRAR when all of a sudden everybody starts getting .RAR file attachments from random people?

    Why use an obscure compression program otherwise?

  7. Re: Ooook by Lenny369 · · Score: 1

    1. It's faster, or at least was much faster until Win10. 2. It had capability that native Windows did not for a long time, which was the ability to open an archive and run an exe without extracting the entire archive, and WinRAR would automatically extract any dependencies on demand as they were called for. That has its uses when you don't want to extract a 700mb zip file just to run one or 2 programs within. At least that was my rationale, prior to Win10 which has the same capability.

  8. Re:Caused by closed source... by LesFerg · · Score: 1

    Isn't it that old fashioned shareware/nagware that asks for payment?

    --
    If I had a DeLorean... I would probably only drive it from time to time.
  9. Re:Ooook by LesFerg · · Score: 1

    Personally the Windows zip management doesn't impress me at all, I much prefer 7zip. Also use 7zip for the rare use of rar files, which I don't encounter often any more.

    --
    If I had a DeLorean... I would probably only drive it from time to time.
  10. RAR by rossdee · · Score: 1

    Who uses .RAR archives these days?

    1. Re:RAR by PinkyGigglebrain · · Score: 2

      Who uses .RAR archives these days?

      Sadly many more than you would think, I encounter them more often than zipped archives in several different fields I deal with. And my efforts to get the authors/developers to change to an application that uses a more open standard have not been very successful. The frequent response I get is "I don't want to learn a new program" or "it works so why should I change?".

    2. Re:RAR by SuricouRaven · · Score: 2, Informative

      They are very common indeed in the world of piracy. There was a time when RAR was the world leader in typical compression ratio, and pirates desperately needed the best compression around. Even though 7z is now superior in just about every way, RAR has become entrenched, and very hard to displace.

    3. Re:RAR by guacamole · · Score: 1

      It seems like the preferred format for warez and porn distribution through file hosts.

    4. Re:RAR by thegarbz · · Score: 1

      Everyone. Is that the answer you were looking for? No seriously with multi-part compressed files RAR or self extracting RARs are still incredibly popular. The real question is who uses .ACE archives these days since that is what the article is actually about.

    5. Re:RAR by Anonymous Coward · · Score: 1

      In the emulation/ROM scene, RAR is heavily used because of the frequent changes to ROM archives due to all the constant redumps, fixes and other improvements that keep being contributed by the community.

      7-Zip is great if you're making an archive of content that will never change, but the 7-Zip format is a "solid" compression format, meaning that adding, changing and removing files requires you to decompress and recompress the *entire archive*.

      RAR doesn't compress as heavily as 7-Zip, but it's a hell of a lot faster if you need to recompress thousands of archives in a batch operation. You can get done in hours what 7-Zip would take all day to do.

      Many of us have moved back to ZIP (particularly TorrentZip for MAME ROMs) due to its more universally-accepted status and since the format has seen some improvements since the '90s.

  11. Re:Caused by closed source... by Anonymous Coward · · Score: 1

    Well 7-Zip is open source and it's not affected.

    On another note, I don't understand why anyone would use WinRAR. 7-Zip is superior in every way.

  12. Not a surprise by johnslater · · Score: 1

    Maybe just me, but all the contexts I ever saw WinRAR in convinced me that it was always sketchy AF. In any case I don't think I've seen it in 10 years.

  13. Re:Sad part's the original code = lost... apk by Iwastheone · · Score: 1

    The real sad part of this is that the submitter, iwastheone, is creimer!

    I can assure you I am not this Creimer persona. I used to use my old account "sternishefan" here on /., I've made this known before. Whatever this creimer controversy is all about, I do not care nor do I pay attention to any related comments about it. I come here for the knowledge I've learned from /. over the years.

  14. Re:Ooook by Z00L00K · · Score: 1

    The Windows zip support is a bit like having just neutered animals on a farm and expect them to procreate.

    Anyway - this post on Slashdot was actually pretty informative anyway since I have now updated my WinRAR installation.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  15. Re:did anyone else read that as a 19 year old by Scarletdown · · Score: 1

    Nope. You are most likely the only one.

    --
    This space unintentionally left blank.
  16. Re:Caused by closed source... by Carewolf · · Score: 1

    If WinRAR were open source, this would never have happened!

    In this case the problem was libace being closed source (-ish), at least they used an old unmaintained binary of libace, instead of dropping it or using a maintained open source version.

  17. He drank it by Impy+the+Impiuos+Imp · · Score: 1

    "It's ok. Just download it and unzip it and don't run it if it's .exe!"

    His friend moused to the DL button. The other guy made a face like Richie's little brother waiting to see if Kirk would drink the tranya.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  18. Re:Finally.. by Impy+the+Impiuos+Imp · · Score: 1

    Pwned, yes. But don't worry, the only people who know the web sites and pages you visit are the advertising giants of Google, Amazon, Facebook. And Microsoft monitors you even if you use Chrome, and wants you to eventually subscribe to Windows as a cloud thing so it can monitor you directly, and every government on the planet, shrimp salad, shrimp and potatoes, shrimp burger, shrimp sandwich. That's about it.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  19. Blacklist the file and be done with it? by bunklung · · Score: 1

    Why doesn't the security side of the house just blacklist the file and the world is saved? It's as simple as deleting the file. I know WinRar would love people to upgrade their software for a FEE, but the easiest solution for all is for the powers that be (Microsoft, Symantec, McAfee, etc), to quarantine the file, "UNACEV2.DLL".
    MD5 Checksum: 7FE66F3BD9CBB998D56EF60D511FF06F
    SHA-1 Checksum: DFD7AF26DD22DFDE03B78E835AAAA1569737A6C3
    SHA-256 Checksum: 219FF84A756E7912C84EC7BE3BEE5E29FB91909AAEF8856C3DDA2C4F7723AAE7
    "To users who are not interested in an upgrade or who don't find a localized version of WinRAR 5.70 yet, win.rar GmbH’s advice is to delete the UNACEV2.DLL file from their current WinRAR version to be reliably protected again. All users of WinRAR 5.10 or any newer version can find the UNACEV2.DLL file in the WinRAR program folder. WinRAR users of versions older than 5.10, can find the UNACEV2.DLL file in the Formats subfolder of the WinRAR program."

    1. Re:Blacklist the file and be done with it? by AC-x · · Score: 1

      Next week on /.: "M$ Spyware Windows 10 has the ability to delete .dll files from your PC without your consent!" ;)
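bunklung's comment above quotes the vendor advice (delete UNACEV2.DLL from the WinRAR program folder, or from its Formats subfolder on versions before 5.10) and lists three checksums for the file. The following is an added example, not part of the thread and not tooling from win.rar GmbH or WinRAR: it walks the install folders, reports every UNACEV2.DLL it finds, and says whether the SHA-256 equals the listed one. The install roots under ProgramFiles and ProgramFiles(x86) are an assumption for a default install.

```python
"""Locate UNACEV2.DLL under WinRAR install folders and compare its hashes
(added example, not win.rar GmbH's or WinRAR's own tooling)."""
import hashlib
import os
from typing import Dict, Iterable, List

# The three checksums quoted in the comment above. They identify one build of the
# DLL; a localized or older build hashes differently and is still the vulnerable ACE
# decoder, so every UNACEV2.DLL found is reported, not only exact matches.
LISTED_HASHES = {
    "md5": "7fe66f3bd9cbb998d56ef60d511ff06f",
    "sha1": "dfd7af26dd22dfde03b78e835aaaa1569737a6c3",
    "sha256": "219ff84a756e7912c84ec7be3bee5e29fb91909aaef8856c3dda2c4f7723aae7",
}
TARGET = "unacev2.dll"  # compared case-insensitively


def digests(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of the file contents, lower-case hex."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in LISTED_HASHES}


def classify(data: bytes) -> Dict[str, object]:
    """Hashes of the data plus whether SHA-256 equals the listed build."""
    d = digests(data)
    return {**d, "matches_listed_build": d["sha256"] == LISTED_HASHES["sha256"]}


def scan(roots: Iterable[str]) -> List[Dict[str, object]]:
    """Walk each root (os.walk skips roots that do not exist) and classify every
    UNACEV2.DLL, which also covers the old-style Formats subfolder."""
    findings: List[Dict[str, object]] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fn in files:
                if fn.lower() == TARGET:
                    path = os.path.join(dirpath, fn)
                    with open(path, "rb") as f:
                        info = classify(f.read())
                    info["path"] = path
                    findings.append(info)
    return findings


def default_roots() -> List[str]:
    """Assumed default install locations; extend for non-standard installs."""
    roots: List[str] = []
    for env in ("ProgramFiles", "ProgramFiles(x86)"):
        base = os.environ.get(env)
        if base:
            roots.append(os.path.join(base, "WinRAR"))
    return roots


if __name__ == "__main__":
    roots = default_roots()
    hits = scan(roots)
    if not hits:
        print("no UNACEV2.DLL found under", roots)
    for h in hits:
        tag = "listed build" if h["matches_listed_build"] else "other build"
        print(f"{h['path']}: sha256={h['sha256']} ({tag}); ACE decoder present")
```

A reported path means the ACE decoder is still installed regardless of whether the hash matches; the match only confirms it is the same build the comment lists. Deleting the file, as the quoted vendor advice says, or updating to 5.70 (which no longer ships it) is the remediation; the scan is the verification step before and after.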

  20. Nothing new by Brostenen · · Score: 1

    I actually thought that this was something that had been discovered earlier. I clearly remember that even in unrar.exe in DOS. Back around 1992/93'ish, I had infections as well... So getting a virus from opening a zip/rar/arj/zoo on MS-DOS 6.22 or earlier was something we were used to.

  21. Re: Caused by closed source... by DontBeAMoran · · Score: 1
    --
    #DeleteFacebook
  22. Re: Caused by closed source... by Tough+Love · · Score: 1

    The problem is rar.

    --
    When all you have is a hammer, every problem starts to look like a thumb.
  23. Re: Caused by closed source... by parkinglot777 · · Score: 1

    You say that as if WinRAR had no choice of library. Hmm... Who made the decision to use the library then? Not WinRAR? Then they couldn't find an alternative after knowing about the bug? Yeah right.