Researchers have spotted a serious flaw in file archiving tool WinRAR that could allow hackers to run code on systems.
WinRAR's developer RARLAB has already issued a patch, along with advice to update the software immediately.
Spotted by a researcher working with Trend Micro's Zero Day Initiative, the directory traversal remote code execution (RCE) vulnerability only affected Windows versions of the software.
This is due to how WinRAR manages file paths in archives, researchers said. Unix and Android versions aren’t affected.
"A crafted file path can cause the process to traverse to unintended directories," Trend Micro's Zero Day Initiative (ZDI) said in an advisory. "An attacker can leverage this vulnerability to execute code in the context of the current user."
The vulnerability was reported by ZDI to RARLAB on June 5th, with the two organizations working on a coordinated advisory release two weeks later.
How the WinRAR flaw works
A RARLAB advisory noted that the flaw could be exploited to cause files to be written outside the intended directory.
"This flaw could be exploited to place files in sensitive locations — such as the Windows Startup folder — potentially leading to unintended code execution on the next system login," the developer's advisory noted.
The ZDI advisory added that hackers would need to trick victims into opening a dodgy file or clicking a malicious link in order to take advantage of the flaw.
"This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR," the advisory added.
"User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file."
Update now
RARLAB said anyone using the Windows version of WinRAR should update to newly released version 7.12 to resolve the serious flaw.
"We encourage all users to update their software to the latest version," the advisory noted.
Alongside the file path flaw, the updated version of WinRAR also addressed an HTML injection vulnerability in the "generate report" feature.
"Older versions of WinRAR’s 'Generate Report' feature included archived file names in the generated HTML without sanitization, allowing file names with HTML tags to be injected into the report," the company said.
Beyond the security patches, the latest version also includes improved testing of Recover Volumes to help ensure integrity of backups, and preservation of nanosecond timestamps in Unix file records, alongside other improvements.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Microsoft quietly launched an AI agent that can detect and reverse engineer malwareNews Researchers say the tool is already achieving the “gold standard” in malware classification
-
AWS CEO Matt Garman just said what everyone is thinking about AI replacing software developersNews Junior developers aren’t going anywhere, according to AWS CEO Matt Garman
-
Microsoft quietly launched an AI agent that can detect and reverse engineer malware
News Researchers say the tool is already achieving the “gold standard” in malware classification
-
Employee distraction is now your biggest cybersecurity riskNews Workplace distraction is the top reason organizations fall victim to cyber attacks, according to new research.
-
Apple just released an emergency patch for a zero-day exploited in the wild – here’s why you need to update nowNews Apple is warning millions of users of iPhones, iPads and Macs to update their software to protect against an out-of-bounds write vulnerability
-
Cyber teams are struggling to keep up with a torrent of security alertsNews Fragmented identity security processes are creating blind spots, and the proliferation of tools doesn't help
-
The Allianz Life data breach just took a huge turn for the worseNews Around 1.1 million Allianz Life customers are believed to have been impacted in a recent data breach, making up the vast majority of the insurer's North American customers.
-
US authorities just took down 'one of the most powerful DDoS botnets to ever exist’ with help from AWSNews The Rapper Bot botnet was responsible for a series of large-scale DDoS attacks on government agencies and tech companies. Now it's gone.
-
UK telecoms firm takes systems offline after cyber attackNews The Warlock ransomware group said it was selling a million stolen documents
-
Everything we know about the Workday data breach so farNews HR technology firm Workday has confirmed a data breach after threat actors gained access to a third-party CRM platform.
