back to article Behold… a WinRAR security bug that's older than your child's favorite YouTuber. And yes, you should patch this hole

CheckPoint infosec eggheads are today laying claim to discovering a Windows archiving security flaw that appears to have been lingering since 2005, if not earlier. The programming cockup can be potentially exploited when a user accidentally opens a malicious archive, perhaps one sent by email or downloaded from a website: …

  1. Justin Pasher

    Ahhh memories

    Talk about a blast from the past. Back in the days of BBSes and early file sharing where myriad archive formats fought for your attention: ACE, ARC, ARJ, ZOO. I remember ACE was popular among a *ahem* certain means of sharing software.

    That being said, it's a little harsh to call it a WinRAR bug, since they were just using the library file to support the format. At any rate, removing support just helps put another nail in the coffin of a relatively unknown format that really has no purpose anymore.

    1. Anonymous Coward
      Anonymous Coward

      Re: Ahhh memories

      "it's a little harsh to call it a WinRAR bug"

      It's fair, IMO. A vulnerability in a third-party library that your software includes, is a vulnerability in your software. Period.

      Although the article could stand to mention what other software includes this troublesome DLL besides WinRAR.

    2. Jeffrey Nonken

      Re: Ahhh memories

      Same here. I wrote PolyXarc to assist. And yeah, wow, does that bring back memories.

      Me, I'm one of the people who have paid for WinRAR. I feel I've long since gotten my money's worth. And my license still works on new versions.

  2. Joe W Silver badge
    Linux

    ... because we do not have the source code

    Holding my popcorn, waiting for the inevitable...

    1. JulieM Silver badge

      Re: ... because we do not have the source code

      If I was minister for I.T., that's the first law I would pass, believe me.

    2. Jamie Jones Silver badge
      Happy

      Re: ... because we do not have the source code

      "Holding my popcorn, waiting for the inevitable.."

      -- If the source code to this library had been available, then we wouldn't be in this whole BREXIT mess --

      Ha! You weren't expecting that response!

  3. Rocket_Rabbit
    Joke

    2 people who paid?

    I thought I was the only one!

    1. Zippy´s Sausage Factory
      Joke

      Re: 2 people who paid?

      Just you and me then. We should start the "I Paid For WinRAR" club. This could be the first item in the annual newsletter...

      1. ItsMeDammit

        Re: 2 people who paid?

        Now there are 3 - I registered my copy in 2007 and still use it today (not the same copy, obviously - it's been upgraded once or twice since then).

      2. Byron "Jito463"

        Re: 2 people who paid?

        Must be three then, because I also paid for it.

    2. Anonymous Coward
      Anonymous Coward

      Re: 2 people who paid?

      I DID pay many years ago, but the rozzers trashed all my systems and I lost the license, so now, like many others, I have only the "free" version.

      It was SO long ago, I think I was still using Freeserve as my ISP.

      1. brym

        Re: 2 people who paid?

        Freeserve... Jesus, now there's an unexpected (but good) flashback!

    3. nafmo

      Re: 2 people who paid?

      Of course I didn't pay for WinRAR. It was included in my registration for MS-DOS RAR (or if it was OS/2 RAR, I registered both at the same time).

    4. Gary F
      Thumb Up

      Re: 2 people who paid?

      #MeToo! I happily paid for a licence about 10 years ago because I use WinRAR frequently and it was fairly priced. I think the Register underestimate the honesty of their readers.

  4. Velv
    Terminator

    This means that an attacker who knew the user name of the target (such as in a spear-phishing situation) could get the files to extract into the startup directory

    Or perhaps just leverage %username% environment variable to hit the path.

    1. Roger Lipscombe

      Re: We need a secure caller display system

      "Or perhaps just leverage %username% environment variable to hit the path."

      Only if the ACE DLL also does environment variable substitution. It's not free, and most code doesn't bother.

  5. fnusnu

    I make a point of replacing WinRAR with 7zip when I am the 'home helpdesk'. WinRAR seems to be very popular in the former Soviet Union / Eastern Europe.

    1. Anonymous Coward
      Anonymous Coward

      I still use the non-free unrar, but I'd prefer a full 7z replacement. Those still using WinRar typically use the latest versions, which 7z can error out on until it too updates to the latest non-free.

      1. hellwig

        I mean, if you're on the bleeding edge of compression related technology, sure. However, I think 99% of users can just get by with whatever 7z does support.

        For LTS/archiving purposes, I'm sure there are all sorts of fancy algorithms. For sending a collection of documents to your co-worker, most people will just use .zip.

  6. Nomedias

    Agree its not a "WinRAR" problem

    Not specific to WinRAR, but I guess that gets attention given its past. Other "zip" applications out there include the same UNACEV2.DLL library, for example BandiZip.

  7. Anonymous Coward
    Anonymous Coward

    Trivial to fix: rename UNACEV2.DLL into "dont.UNACEV2.DLL.me" in C:\Program Files\WinRAR (64-bit)

    renaming the UNACEV2.DLL does not seem to impair unpacking of ZIP&RAR archives with WinRAR, but will prevent loading of that DLL and exploitation of bugs within.

  8. Ken Hagan Gold badge

    Any more?

    Are we to presume that this is the only library used by WinRAR for which they don't have the source code?

  9. sisk

    Unrar?? Does anyone still use that?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like