UPDATE – WinRAR ACE Format Vulnerability

UPDATE 23 March 2019 …

More than 100 exploits have been discovered that are exploiting the WinRAR vulnerability. Two such attacks involve:

  • A bootlegged copy of Ariana Grande’s hit album “Thank U, Next” with a file name of “​Ariana_Grande-thank_u,_next(2019)_[320].rar ​” that is currently only being detected as malware by 11 security products, whereas 53 antivirus products fail to detect it
  • an archive called “vk_4221345.rar” that delivers a new Ransomware malware payload they named JNEC.a.

As it is also attacking the RAR archive format, this bug is clearly not just limited to the ACE format.

WinRAR does not have an automated update facility, so you really need to upgrade your version now to WinRAR v5.70 or later, which may well involve buying a new version. Or, maybe you need to consider a change to a product that does have an auto-update capability.

Original Blog Post …

A vulnerability was discovered in the ACE archive format that allowed for a very old (19 years) “Absolute Path Traversal” bug that could be leveraged to execute malware on the infected system. This was delivered using a specially crafted ACE archive that allows hackers to extract files to a location of their choice, which could easily be a system location that replaces system files with their own or the start-up directory in Windows.

ACE is a proprietary data compression archive file format developed by Marcel Lemke, and later bought by e-merge GmbH. The peak of its popularity was 1999–2001, when it provided slightly better compression rates than RAR, which has since become more popular (Wikipedia).

The support for the ACE format has now been removed from WinRAR, hence the advice to do an update.

This issue has been widely reported in the press, so it shouldn’t be hard to find a full technical breakdown of this issue if you really want to. It is also tracked under the CVE number CVE-2018-20250.

Headline image provided by ShutterStock

Comments are closed.

Create a website or blog at WordPress.com

Up ↑

%d bloggers like this: