Do You Use WinRAR? Install This Urgent Security Update ASAP To Thwart Hackers
If you're among the masses still using WinRAR, you'd better grab the latest version, WinRAR 6.23 Final. It isn't exactly new; the release came out 21 days ago. However, when we're talking about an application that updates as infrequently as WinRAR, that might as well be yesterday. WinRAR 6.23 primarily patches up some bugs in the software, one of which was a major security issue.
Basically, by carefully crafting a RAR file in a certain way, it was possible to achieve arbitrary code execution on the victim's machine. In other words, a bad actor could offer to send you a .RAR archive full of cute kitties, and then when you double-click the file, it executes malware that lets them take over your machine.
The bugs bashed in the latest WinRAR release.
The Trend Micro security research group Zero Day Initiative first discovered the flaw, and notes that the problem was with the way WinRAR processed recovery volumes. A "lack of proper validation of user-supplied data" could result in a classical buffer overflow, allowing the bad actor to start running whatever code they want.
The issue's been patched up in the latest version of WinRAR, so as long as you're up-to-date, there's not too much to worry about. WinRAR 6.23 also plugs a hole where a carefully-crafted archive could make the application load the wrong file, which may not be quite as dangerous, but could certainly be confusing.
WinRAR 3D logo image created by Pedro Araujo.