Researchers have spotted a serious flaw in file archiving tool WinRAR that could allow hackers to run code on systems.
WinRAR's developer RARLAB has already issued a patch, along with advice to update the software immediately.
Spotted by a researcher working with Trend Micro's Zero Day Initiative, the directory traversal remote code execution (RCE) vulnerability only affected Windows versions of the software.
This is due to how WinRAR manages file paths in archives, researchers said. Unix and Android versions aren’t affected.
"A crafted file path can cause the process to traverse to unintended directories," Trend Micro's Zero Day Initiative (ZDI) said in an advisory. "An attacker can leverage this vulnerability to execute code in the context of the current user."
The vulnerability was reported by ZDI to RARLAB on June 5th, with the two organizations working on a coordinated advisory release two weeks later.
How the WinRAR flaw works
A RARLAB advisory noted that the flaw could be exploited to cause files to be written outside the intended directory.
"This flaw could be exploited to place files in sensitive locations — such as the Windows Startup folder — potentially leading to unintended code execution on the next system login," the developer's advisory noted.
The ZDI advisory added that hackers would need to trick victims into opening a dodgy file or clicking a malicious link in order to take advantage of the flaw.
"This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR," the advisory added.
"User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file."
Update now
RARLAB said anyone using the Windows version of WinRAR should update to newly released version 7.12 to resolve the serious flaw.
"We encourage all users to update their software to the latest version," the advisory noted.
Alongside the file path flaw, the updated version of WinRAR also addressed an HTML injection vulnerability in the "generate report" feature.
"Older versions of WinRAR’s 'Generate Report' feature included archived file names in the generated HTML without sanitization, allowing file names with HTML tags to be injected into the report," the company said.
Beyond the security patches, the latest version also includes improved testing of Recover Volumes to help ensure integrity of backups, and preservation of nanosecond timestamps in Unix file records, alongside other improvements.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Researchers sound alarm over AI hardware vulnerabilities that expose training dataNews Hackers can abuse flaws in AI accelerators to break AI privacy – and a reliable fix could be years away
-
Are AI PCs becoming the norm?ITPro Podcast As manufacturers increasingly embed NPUs in devices, what are the benefits to businesses?
-
A malicious MCP server is silently stealing user emailsNews Koi Security says it's discovered the first malicious MCP server in the wild, exposing a risk to the entire ecosystem
-
NCA confirms arrest after airport cyber disruptionNews Disruption is easing across Europe following the ransomware incident
-
Cyber skills shortages are pushing firms into dangerous shortcuts – and it’s putting them at huge risk of security breachesNews Chronic cyber skills shortages mean many businesses are implementing quick fixes
-
Pentesters are now a CISOs best friend as critical vulnerabilities skyrocketNews Attack surfaces are expanding rapidly, but pentesters are here to save the day
-
Hackers are disguising malware as ChatGPT, Microsoft Office, and Google Drive to dupe workersNews Beware of downloading applications like ChatGPT, Microsoft Office applications, and Google Drive through search engines
-
Generative AI attacks are accelerating at an alarming rateNews Two new reports from Gartner highlight the new AI-related pressures companies face, and the tools they are using to counter them
-
A terrifying Microsoft flaw could’ve allowed hackers to compromise ‘every Entra ID tenant in the world’News The Entra ID vulnerability could have allowed full access to virtually all Azure customer accounts
-
‘Channel their curiosity into something meaningful’: Cyber expert warns an uptick of youth hackers should be a ‘wake-up call’ after teens charged over TfL attackNews Encouraging youths to engage in positive tech initiatives will guide them down the right path and away from nefarious activities
