A recently disclosed absolute path traversal bug in the WinRAR utility is being actively leveraged in at least 100 unique exploits according to security firm McAfee.

WinRAR is a file archiver/unarchiver for the Windows platform, popular in part as it is distributed as trialware which has led to over 500 million users installing it.

The bug, which was first reported by Check Point Research, is in a little-used, third-party DLL (Dynamic Linked Library) which decodes ACE archives and was written back in 2005, when coding practices were far less defensive than they are today.  The defect in unacev2.dll allows a specially-crafted archive to place its unarchived payload into an arbitrary folder on the system, ignoring any destination folders defined by the user at unarchive time.   This means that an archive containing a malware payload which is masquerading as, say, the latest Ariane Grande album (which is one of the more popular active exploits currently) will instead deposit malware into the user’s start-up folder for execution the next time the system is rebooted. The expected bootleg music is also placed in the user’s target folder, so the user is unaware of the additional files installed.

Since WinRAR actively analyses the archive file to determine which unarchive mechanism to use, the Windows file extension is ignored.  This feature is being exploited by malware creators, who are naming their infected payloads as .RAR files – causing their target users to search out WinRAR to decode the file, even though the archive is an ACE file in reality and using WinRAR to decode it will allow the vulnerability to be leveraged.

A new version of WinRAR has been issued by the developers which drops support for the ACE format and removes the unacev2.dll file during installation;however, WinRAR does not include a mechanism to automatically check for and install updates and so many users remain using vulnerable versions.

WinRAR version 5.70 onwards has this problem fixed;however, this defect exists in version 5.61 and all previous versions.

Systems Administrators can take the following steps to protect their networks:

• Audit all systems for copies of WinRAR version 5.61 or earlier and either remove them or update them to 5.70.
• Ensure all utilities, such as WinRAR, are actively updated during monthly patching cycles to ensure users do not defer suggested updates and mitigate the risks for software that is not self-updating.
• The more software that is installed on your network, the larger the attack surface. Limit users ability to install software by removing administrator privileges from their user accounts.  This forces the users to request the IT team to provide the needed software and allows the IT administrators to ensure a suitable regime is in place to keep that software updated and remove it when it is no longer needed.

Further advice on how to manage your monthly patch cycle and keep your network secure can be found here