The effects of a critical security hole in the popular archive software WinRAR reach further than initially thought: programs other than WinRAR are also affected. IT security researchers have also discovered a second security gap in the software that cybercriminals have been abusing since April of this year.
Last weekend it became known that attackers could misuse a critical vulnerability in WinRAR to inject and run arbitrary program code (CVE-2023-40477, CVSS 7.8, risk “high”). The problem was an inadequate check of data in so-called recovery volumes for RAR archives, which allowed writes outside the intended memory areas. Opening a specially crafted archive is enough to get malicious code onto a vulnerable computer.
WinRAR: vulnerability in other programs as well
The update to WinRAR 6.23, which closes the vulnerability, has been distributed since August 2nd. What has largely gone unnoticed, however, is that the unrar.dll and unrar64.dll libraries from Rarlabs were also vulnerable and ship with other software. An update for the popular file manager Total Commander, for example, explicitly corrects the error: “Critical security hole in unrar.dll (from RARLAB) fixed, also available as a separate download,” the developers write in its changelog.
Andreas Marx from AV-Test contacted heise Security and wrote us that he found “over 400 programs that use ‘unrar.dll’ or ‘unrar64.dll’ (with a last update before August 01, 2023) in our Clean File database”. Antivirus software also often uses publicly available libraries and could be vulnerable, though vendors are likely to use their automatic update mechanisms to distribute corrected versions. The ZIP tool built into Windows will soon also gain support for RAR archives, based on the libarchive code base. However, the publicly available Rarlab unrar code is written in C++, while libarchive is believed to use its own C implementation. In case of doubt, Microsoft would still have time to address a potential vulnerability before release.
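To find the bundled copies the article warns about, here is an added example (not code from heise, AV-Test or RARLAB) that walks a directory tree for unrar.dll / unrar64.dll, reads the FileVersion string out of each file's version resource with a simple heuristic, and flags anything below 6.23. It assumes the bundled DLL's FileVersion tracks the WinRAR release number; treat flagged files as candidates to verify against the vendor's own update notes.

```python
import os
import re

# Release that closes both CVEs (from the article); assumption: the bundled
# unrar.dll / unrar64.dll carry a FileVersion that tracks this release number.
FIXED_VERSION = (6, 23)
TARGET_NAMES = {"unrar.dll", "unrar64.dll"}
# "FileVersion" key as stored in a PE VS_VERSIONINFO string table (UTF-16LE + NUL).
_KEY = "FileVersion".encode("utf-16-le") + b"\x00\x00"

def extract_file_version(data: bytes):
    """Heuristic: find the UTF-16LE 'FileVersion' key, skip the padding to the
    next DWORD boundary and read the NUL-terminated value that follows it."""
    idx = data.find(_KEY)
    if idx < 0:
        return None
    pos = idx + len(_KEY)
    pos += (-pos) % 4                      # value is DWORD-aligned after the key
    units = []
    for off in range(pos, len(data) - 1, 2):   # walk UTF-16 code units
        unit = data[off:off + 2]
        if unit == b"\x00\x00":
            break
        units.append(unit)
    return b"".join(units).decode("utf-16-le", errors="replace").strip() or None

def classify(version):
    """'patched', 'vulnerable' or 'unknown' relative to the 6.23 fix release."""
    nums = [int(n) for n in re.findall(r"\d+", version or "")]
    if len(nums) < 2:
        return "unknown"
    return "patched" if tuple(nums[:2]) >= FIXED_VERSION else "vulnerable"

def scan(root):
    """Walk root for bundled unrar libraries; return sorted (path, version, status)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() in TARGET_NAMES:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    version = extract_file_version(fh.read())
                findings.append((path, version, classify(version)))
    return sorted(findings)

def build_fake_dll(version):
    """Constructed sample input: only the version-string bytes a real DLL carries
    in its resource section, so the scanner can be exercised offline (not a PE)."""
    blob = b"MZ" + b"\x00" * 62 + _KEY
    blob += b"\x00" * ((-len(blob)) % 4)   # mimic the DWORD padding
    return blob + version.encode("utf-16-le") + b"\x00\x00"
```

On a real machine, point `scan()` at `C:\Program Files` (and its x86 sibling); an "unknown" result means the heuristic found no version string and the file needs a manual look.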
Zero-day vulnerability in WinRAR
Meanwhile, IT security researchers from Group-IB describe in a blog post the “DarkMe” malware, which they examined on July 10 of this year. It abused a security gap in WinRAR's handling of the ZIP format to deliver and execute malicious code on victims’ computers. The vulnerability makes it possible to obfuscate file extensions so that the prepared archives list supposed images as .jpg or documents as .txt (CVE-2023-38831, no CVSS classification yet). Behind them, however, was malware that victims launched unwittingly by double-clicking.
Cybercriminals distributed the manipulated ZIP files, containing the DarkMe, GuLoader or Remcos RAT malware, in trading forums; the malware allowed money to be withdrawn from the broker accounts of those who executed the malicious code. Currently 130 devices belonging to traders are infected. The attacks have been taking place since April 2023. WinRAR 6.23 also closes this vulnerability.
WinRAR users who have not already done so should update to the latest version of the software. Other programs that ship and use the vulnerable unrar libraries should also offer updates soon.