WinRAR has rolled out a new patch after security firm Check Point Software Technologies discovered a 19-year-old flaw in the data compression tool.
The vulnerability let an attacker who could get a victim to open a crafted archive write a file of the attacker's choosing to a location of the attacker's choosing on the victim's disk, the researchers explain.
WinRAR Security Flaw
In a blog post, Check Point Software Technologies explained the ins and outs of the uncovered flaw. After noticing that WinRAR still supported the ACE archive format, the researchers found that extraction of that format was handled by a dated dynamic link library (DLL) compiled in 2006 and built without modern exploit mitigations.
The company also uploaded a short clip on YouTube that demonstrates how the issue works. It shows that an attacker can take a crafted ACE archive, rename it with a .rar extension (WinRAR identifies the format from the file's contents, not its name), and have extraction drop a malicious executable into the Startup folder instead of the folder the user chose. Since Windows runs everything in that folder at logon, the payload executes automatically the next time the user logs in.
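As an added example (not code from the Check Point write-up or from WinRAR), the following Python sketches two defensive checks that follow from the attack above: recognising an ACE archive by its content rather than its extension, and refusing to write an archive member anywhere outside the chosen extraction directory, which is the kind of check that would have stopped the Startup-folder write. The `**ACE**` string at byte offset 7 of the file is the standard ACE main-header signature; the archive bytes, destination directory and member names are constructed for the example, and the path check uses Windows path rules via `ntpath` so it runs on any host.

```python
import ntpath
from typing import List, Optional, Tuple

# The ACE main header carries the signature "**ACE**" at byte offset 7
# (after a 2-byte CRC, 2-byte header size, 1-byte type and 2-byte flags).
ACE_MAGIC = b"**ACE**"
ACE_MAGIC_OFFSET = 7


def is_ace_archive(data: bytes) -> bool:
    """Identify an ACE archive by content, ignoring whatever extension it was given."""
    return data[ACE_MAGIC_OFFSET:ACE_MAGIC_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC


def safe_extract_path(dest_dir: str, member_name: str) -> Optional[str]:
    """Resolve a member name against dest_dir using Windows path rules.

    Returns the absolute target path if it stays strictly inside dest_dir,
    otherwise None. dest_dir is assumed to be an absolute Windows path.
    """
    base = ntpath.normpath(dest_dir)
    # ntpath.join discards `base` when the member is absolute or carries a drive,
    # and normpath collapses ".." and forward slashes, so the prefix test below
    # catches traversal, rooted paths and drive-qualified paths alike.
    candidate = ntpath.normpath(ntpath.join(base, member_name))
    base_n = ntpath.normcase(base)          # lower-case, backslashes only
    cand_n = ntpath.normcase(candidate)
    if not cand_n.startswith(base_n + "\\"):
        return None
    return candidate


def audit_members(dest_dir: str, member_names: List[str]) -> Tuple[List[str], List[str]]:
    """Split member names into those safe to extract and those that escape dest_dir."""
    allowed, blocked = [], []
    for name in member_names:
        (allowed if safe_extract_path(dest_dir, name) else blocked).append(name)
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample: an ACE header renamed to .rar, and a genuine RAR header.
    disguised_rar = b"\x00" * 7 + ACE_MAGIC + b"\x00" * 16
    real_rar = b"Rar!\x1a\x07\x00" + b"\x00" * 20
    print("evil.rar is ACE:", is_ace_archive(disguised_rar))
    print("ok.rar is ACE:", is_ace_archive(real_rar))

    dest = r"C:\Users\alice\Downloads\pkg"   # constructed extraction directory
    # Constructed member names: two benign, one traversal into the Startup folder,
    # one absolute path.
    members = [
        r"docs\readme.txt",
        "images/logo.png",
        r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe",
        r"C:\Windows\System32\drivers\etc\hosts",
    ]
    ok, bad = audit_members(dest, members)
    print("allowed:", ok)
    print("blocked:", bad)
```

The prefix test deliberately compares normalised strings rather than trusting the extension or the member name as written: a name with forward slashes, a leading backslash, a drive letter or a run of `..` segments all normalise to something that either sits under the destination or does not, and only the former is written.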
According to WinRAR, the tool has more than 500 million users, which gives some sense of the exposed population: every installation that has not yet been updated can be attacked simply by persuading a user to extract an archive.
WinRAR's Countermeasure
As reported by The Verge, WinRAR released version 5.70 beta 1 after the researchers reported the issue. The patch does not repair the vulnerable library; instead it removes ACE support altogether. As the news outlet points out, the trade-off is reasonable: the only program that creates this archive format is WinACE, which has not been updated since 2007.
In the patch notes, WinRAR explains that ACE archives were unpacked by a third-party library, UNACEV2.DLL, which has not been updated since 2005 and whose source code WinRAR does not have. With no way to fix the library itself, dropping it was the only practical option.
WinRAR users are advised to install the latest version as soon as possible. WinRAR does not update itself, so the new build has to be downloaded and installed by hand. Because the fix consists of removing UNACEV2.DLL, anyone who cannot upgrade yet can get the same protection by deleting that file from the WinRAR installation directory, at the cost of no longer being able to open ACE archives.