Using WinRAR? Update now to avoid falling victim to this file path flaw
Windows versions of WinRAR need to be updated to avoid a serious flaw that could let hackers run code
Researchers have spotted a serious flaw in file archiving tool WinRAR that could allow hackers to run code on systems.
WinRAR's developer RARLAB has already issued a patch, along with advice to update the software immediately.
Spotted by a researcher working with Trend Micro's Zero Day Initiative, the directory traversal remote code execution (RCE) vulnerability only affected Windows versions of the software.
This is due to how WinRAR manages file paths in archives, researchers said. Unix and Android versions aren’t affected.
"A crafted file path can cause the process to traverse to unintended directories," Trend Micro's Zero Day Initiative (ZDI) said in an advisory. "An attacker can leverage this vulnerability to execute code in the context of the current user."
The vulnerability was reported by ZDI to RARLAB on June 5th, with the two organizations working on a coordinated advisory release two weeks later.
How the WinRAR flaw works
A RARLAB advisory noted that the flaw could be exploited to cause files to be written outside the intended directory.
"This flaw could be exploited to place files in sensitive locations — such as the Windows Startup folder — potentially leading to unintended code execution on the next system login," the developer's advisory noted.
The ZDI advisory added that hackers would need to trick victims into opening a dodgy file or clicking a malicious link in order to take advantage of the flaw.
"This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR," the advisory added.
"User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file."
Update now
RARLAB said anyone using the Windows version of WinRAR should update to newly released version 7.12 to resolve the serious flaw.
"We encourage all users to update their software to the latest version," the advisory noted.
Alongside the file path flaw, the updated version of WinRAR also addressed an HTML injection vulnerability in the "generate report" feature.
"Older versions of WinRAR’s 'Generate Report' feature included archived file names in the generated HTML without sanitization, allowing file names with HTML tags to be injected into the report," the company said.
Beyond the security patches, the latest version also includes improved testing of Recover Volumes to help ensure integrity of backups, and preservation of nanosecond timestamps in Unix file records, alongside other improvements.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Mistral CEO Arthur Mensch thinks 50% of SaaS solutions could be supplanted by AINews Mensch’s comments come amidst rising concerns about the impact of AI on traditional software
-
Westcon-Comstor and UiPath forge closer ties in EU growth driveNews The duo have announced a new pan-European distribution deal to drive services-led AI automation growth
-
Researchers called on LastPass, Dashlane, and Bitwarden to up defenses after severe flaws put 60 million users at risk – here’s how each company respondedNews Analysts at ETH Zurich called for cryptographic standard improvements after a host of password managers were found lacking
-
‘They are able to move fast now’: AI is expanding attack surfaces – and hackers are looking to reap the same rewards as enterprises with the technologyNews Potent new malware strains, faster attack times, and the rise of shadow AI are causing havoc
-
Ransomware gangs are using employee monitoring software as a springboard for cyber attacksNews Two attempted attacks aimed to exploit Net Monitor for Employees Professional and SimpleHelp
-
Notepad++ hackers remained undetected and pushed malicious updates for six months – here’s who’s responsible, how they did it, and how to check if you’ve been affectedNews Hackers remained undetected for months and distributed malicious updates to Notepad++ users after breaching the text editor software – here's how to check if you've been affected.
-
CISA’s interim chief uploaded sensitive documents to a public version of ChatGPT – security experts explain why you should never do thatNews The incident at CISA raises yet more concerns about the rise of ‘shadow AI’ and data protection risks
-
Former Google engineer convicted of economic espionage after stealing thousands of secret AI, supercomputing documentsNews Linwei Ding told Chinese investors he could build a world-class supercomputer
-
90% of companies are woefully unprepared for quantum security threats – analysts say they need to get a move onNews Quantum security threats are coming, but a Bain & Company survey shows systems aren't yet in place to prevent widespread chaos
-
LastPass issues alert as customers targeted in new phishing campaignNews LastPass has urged customers to be on the alert for phishing emails amidst an ongoing scam campaign that encourages users to backup vaults.
