Skip to main content
  1. Home
  2. Computing
  3. News

Potentially malicious WinRAR vulnerability patched after almost 20 years

By

WinRAR is a powerful archival tool that has been available for the past 23 years, allowing users to unpack and create RAR, ZIP, and other archive files. But recently, a collection of security researchers at Check Point Software Technologies have discovered that a vulnerability that could allow malicious individuals to take advantage of users’ machines running the software, implanting startup programs without any needed authorization from the user.

Most users who had used WinRAR around the turn of the century most likely remember the software for its 40-day trial that could easily be bypassed — allowing for continuous use after the initial trial period. WinRAR still exists today, which is why the company quickly patched its software after learning about the vulnerability, adding a fix in version 5.7 beta 1 for an update that is long overdue.

Recommended Videos

The exact details of the dangerous vulnerability came down to a single DLL file — files used by Windows to access libraries of digital information  — that enabled exploiters to use an old component from the defunct ACE archive format. The ACE archive format was last updated in 2007, but WinRAR had decided to continue support for the format until now.

Please enable Javascript to view this content

By merely renaming an ACE archive file extension to RAR, WinRAR can be manipulated to extract a malicious program into the computer’s startup folder. Using the exploit, the archive file would appear to decompress and extract itself as usual, while at the same time, in the background, inserting its contents into system folders. Instead of attempting to fix the particular issue, the team at WinRAR have instead dropped support for ACE archives.

Archiving files has come a long way since the world of ACE, and most users will find both the RAR and ZIP file formats to be much more effective than their older sibling. The software is still available on the web for anyone who may have older ACE files to extract or compress, but current Windows users using WinRAR will need to move forward in time if they wish to stay with their archive software of choice.

The ACE vulnerability existed for almost 20 years, with over 500 million WinRAR users, without being patched; it practically begs the question, if we all paid for the trial — would this have ever happened?

Topics
Michael Archambault
Michael Archambault
Former Digital Trends Contributor
Michael Archambault is a technology writer and digital marketer located in Long Island, New York. For the past decade…
On my son’s behalf, I sought out the smart glasses that ‘give sight to the blind’
A prototype of the Soliddd Vision smart glasses.

Like many 4-year-olds, there's nothing my son loves more than cars. Despite my own complete lack of interest in the topic, he can already identify make and model of cars from across the street with uncanny accuracy, spurred on by his growing collection of Matchbox and Hot Wheels.

But as we've had to explain to him, we still don't know if he'll be ever to drive one himself. The brain tumor that he was born with left him with stunted vision, particularly in one eye, with little hope of improvement.

Read more
The RTX 5060 will be Nvidia’s most important GPU, and I’m worried about it
Two graphics cards sitting on top of each other.

Nvidia just finished revealing its range of new RTX 50-series GPUs, the first of which will arrive in just a couple of weeks. They're some of the best graphics cards ever made, according to Nvidia, and for the flagship RTX 5090 that clocks in at $2,000, I believe the company. Lower down the stack, however, I'm concerned.

For the past couple of years, there's been a growing issue surrounding graphics cards with 8GB of VRAM, which is something we've seen on full display with games like Indiana Jones and the Great Circle. Despite backlash in the previous generation concerning releases like the RTX 4060 Ti, I'm worried that Nvidia will repeat the mistakes of the past when the RTX 5060 inevitably rolls around.
It'll be popular

Read more
ChatGPT just dipped its toes into the world of AI agents
OpenAI's ChatGPT blog post is open on a computer monitor, taken from a high angle.

OpenAI appears to be just throwing spaghetti at this point, hoping it sticks to a profitable idea. The company announced on Tuesday that it is rolling out a new feature called ChatGPT Tasks to subscribers of its paid tier that will allow users to set individual and recurring reminders through the ChatGPT interface.

Tasks does exactly what it sounds like it does: It allows you to ask ChatGPT to do a specific action at some point in the future. That could be assembling a weekly news brief every Friday afternoon, telling you what the weather will be like in New York City tomorrow morning at 9 a.m., or reminding you to renew your passport before January 20. ChatGPT will also send a push notification with relevant details. To use it, you'll need to select "4o with scheduled tasks" from the model picker menu, then tell the AI what you want it to do and when.

Read more