A significant security vulnerability has been uncovered in the WinRAR tool, which could allow a threat actor to achieve remote code execution on Windows systems.
Identified as CVE-2023-40477 (CVSS score: 7.8), the flaw stems from improper validation while handling recovery volumes.
“The problem arises due to inadequate validation of data the user provides, leading to unauthorized memory access beyond the allocated buffer limits,” according to the Zero Day Initiative (ZDI).
How could it lead to a zero-day attack?
Exploiting this vulnerability enables an attacker to run code within the current process context.
Exploitation requires user interaction: the target must visit a malicious web page or open a crafted archive file.
The credit for discovering and reporting the flaw on June 8, 2023, goes to a security researcher using the pseudonym goodbyeselene. WinRAR 6.23, released on August 2, 2023, effectively resolves the problem.
What has been done to resolve the issue?
On August 2, 2023, RARLAB released WinRAR version 6.23, which resolves CVE-2023-40477. WinRAR users are strongly advised to install this security update promptly.
Aside from fixing the processing code for RAR4 recovery volumes, version 6.23 also addresses another significant problem with specially crafted archives. This issue, which could cause WinRAR to start the wrong file from such an archive, is also classified as high severity.
Will we have a permanent solution?
Microsoft is currently testing built-in support for the RAR, 7-Zip, and GZ file formats in Windows 11. Third-party software such as WinRAR may become unnecessary on that version unless users specifically need its advanced features.
“In a recent blog post, Windows chief Panos Panay announced the incorporation of built-in compatibility for various archive formats such as tar, 7-zip, rar, gz, and more, utilizing the open-source project libarchive,” stated Panay.
He highlighted, “This enhancement offers users enhanced performance for compressing archives on Windows.”
Sharla Soennichsen, a manager at Microsoft, shared that the future roadmap includes enabling the capability to create files in these formats as well, expected to roll out in 2024.
What’s our take?
Updating the software regularly is crucial for those who still rely on WinRAR. In the past, hackers have taken advantage of similar vulnerabilities to sneak malware into systems.
This situation is also a good opportunity to remind organizations to take precautions against this vulnerability: be cautious about the files you open and execute, keep the operating system and other software updated, use a firewall to block malicious network activity, and run an effective antivirus program.
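The two action items above (install 6.23, keep WinRAR updated) are easier to enforce when you can inventory which builds are actually present on a Windows host. The following PowerShell script is an added example and is not code from the article, RARLAB or Microsoft. It assumes it is run with administrator rights on the host being checked, that the standard Uninstall registry keys and the default WinRAR install directories are where the program registers itself, and takes the fixed version number 6.23 from the article; the "6.22.0" style version strings it parses are an assumption about how WinRAR reports itself.

```powershell
# Added example (not from the article): inventory installed WinRAR builds and flag
# anything older than 6.23, the release that fixes CVE-2023-40477.
# Assumptions: run elevated on the Windows host being checked; the fixed version
# number comes from the article; install paths and registry locations are the
# standard Uninstall keys and the default WinRAR install directories.

$FixedVersion = [version]'6.23'

function Get-WinRarInstalls {
    # Both the native and the WOW6432Node (32-bit-on-64-bit) uninstall hives
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $fromRegistry = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'WinRAR*' } |
        ForEach-Object {
            [pscustomobject]@{
                Source  = 'Registry'
                Name    = $_.DisplayName
                Version = $_.DisplayVersion
                Path    = $_.InstallLocation
            }
        }

    # Portable or unregistered copies: read the PE version resource directly
    $candidates = @("$env:ProgramFiles\WinRAR\WinRAR.exe",
                    "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe")
    $fromFile = foreach ($exe in $candidates) {
        if (Test-Path -LiteralPath $exe) {
            $vi = (Get-Item -LiteralPath $exe).VersionInfo
            [pscustomobject]@{
                Source  = 'File'
                Name    = 'WinRAR.exe'
                Version = $vi.FileVersion
                Path    = $exe
            }
        }
    }
    @($fromRegistry) + @($fromFile) | Where-Object { $_ }
}

function Test-WinRarVersionString {
    param([string]$VersionString)
    # Assumed formats such as "6.22.0" or "6.23"; compare major.minor only
    if ($VersionString -match '^\s*(\d+)\.(\d+)') {
        return ([version]("$($Matches[1]).$($Matches[2])") -ge $FixedVersion)
    }
    return $false   # unparseable -> treat as not verified, so it gets flagged
}

$installs = Get-WinRarInstalls
if (-not $installs) {
    Write-Output 'No WinRAR installation found.'
} else {
    foreach ($i in $installs) {
        $status = if (Test-WinRarVersionString $i.Version) {
            'OK (>= 6.23)'
        } else {
            'VULNERABLE - update required'
        }
        Write-Output ('{0,-9} {1,-10} {2,-28} {3}' -f $i.Source, $i.Version, $status, $i.Path)
    }
}
```

Run it from an elevated PowerShell prompt; an unparseable or missing version string is deliberately reported as needing an update rather than silently passed, since a copy that cannot be verified is a copy that cannot be trusted to contain the fix. For a fleet, the same two functions can be invoked through your existing remote-execution tooling and the output collected centrally.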