Last week a vulnerability was found in the popular file archiver WinRAR. The vulnerability affects roughly 500 million users and all versions of WinRAR from the last 19 years. It allowed attackers to drop a file of their choice into a directory of their choice, for example planting malware in the start-up folder without the user's knowledge.
The vulnerability lies in an old third-party library called UNACEV2.dll, which handles the extraction of files compressed in the ACE format. To patch the flaw, WinRAR's developers removed UNACEV2.dll entirely, since they had lost its source code in 2005; the new version of WinRAR therefore no longer contains the vulnerable code.
A day after Check Point Software Technologies disclosed the vulnerability to the public, a proof-of-concept Python script was uploaded to GitHub that let anybody create these malicious archives. Security researchers at 360 Threat Intelligence Center (360TIC) also detected an in-the-wild malspam email campaign distributing malicious RAR archive files that exploit the UNACEV2.dll flaw, dropping malware into victims' start-up folders.
The best way to protect yourself from this vulnerability is to update your WinRAR client to the latest version (currently WinRAR 5.70), which removes all support for the ACE format. Always make sure you know what you're opening, and do not open files from people you do not know or trust. This exploit is very silent and can infect target machines very quickly.