19-year-old vulnerability in WinRAR finally fixed
February 22, 2019 / Rene Millman
Security researchers have discovered a bug in the WinRAR file compression application that can allow hackers to execute code remotely. The flaw has existed in all versions of the software for the last 19 years. According to a blog post by researchers at Check Point Software, the exploit works by just extracting an archive, and puts over 500 million users at risk. “We found a logical bug using the WinAFL fuzzer and exploited it in WinRAR to gain full control over a victim’s computer,” said Nadav Grossman of Check Point Software. “The exploit works by just extracting an archive and puts over 500 million users at risk. This vulnerability has existed for over 19 years(!) and forced WinRAR to completely drop support for the vulnerable format.” The flaw exists in the UNACEV2.DLL library included with all WinRAR versions. This library is used for parsing ACE (a data compression archive file format) archives.