WinRAR, the widely used programme for compressing and archiving files, had a serious security vulnerability in older versions. This vulnerability allowed potential attackers to execute arbitrary code after opening a suitably prepared archive. A security researcher from Trend Micro’s Zero Day Initiative had already discovered the vulnerability in June, but only made it public last Thursday. The manufacturer of WinRAR, RARLAB, plugged the gap with the help of an update at the beginning of August.
“WinRAR comes from a time when ZIP functions were not yet built in and RARs could only be unpacked with WinRAR. This is perhaps the underestimated danger. Because some users or administrators don’t even remember having a WinRAR zombie installed anywhere and therefore don’t think about updating it,” said Udo Schneider, IoT Security Evangelist Europe at Trend Micro.
Richard Werner, Business Consultant at Trend Micro, adds: “A new trend has been emerging in the criminal scene for some time now. The search for vulnerabilities continues, especially in widely used non-standard software. If an administrator does not know the background, the relatively low CVSS (Common Vulnerability Scoring System) value is also something that makes for low prioritisation in the corporate context. These are all reasons why hackers choose precisely such vulnerabilities to attack with. They’re often not known about and even if they are, they’re considered low risk.”
Comment by Richard Werner, Business Consultant at Trend Micro on the WinRAR vulnerability:
For some time now, a new trend has been emerging on the criminal scene. The search for vulnerabilities continues. But mainly in widely used non-standard software. The most recent example is the compression procedure WinRAR. In a statement published on 2 August, the manufacturer RARLAB described two notable vulnerabilities whose exploitation has already been proven and/or is relatively easy to exploit. The vulnerability CVE-2023-38831 describes that malware can be “smuggled” into specially prepared archives, while CVE-2023-40477 allows the execution of code on an affected machine. Both problems can be fixed by updating to the latest version of WinRAR. However, the updates must also be carried out and this is what causes difficulties for many companies.
How great is the danger? It is difficult to say. For CVE-2023-38831, there are apparently already “in the wild” archives that confirm exploitation. In their case, the “bad guys” were faster. So far, however, corresponding attacks have been found almost exclusively in the cryptocurrency world. Security solutions in companies usually have such attacks reliably under control thanks to modern detection methods.
Things get more interesting with CVE-2023-40477, which was found by security researchers and is therefore not a “zero day”. The vulnerability has a CVSS score of 7.8, which is low by Remote Code Execution (RCE) standards, and is not classified as critical, but as “important”. The reason is that user interaction must occur. Only someone with access to a machine can theoretically exploit it. This is one of those cases where theory and practice depend on many things. Because having access is the goal of all actions for cyber criminals – especially in the business sector. Thus, it is enough for a vulnerable system to access prepared websites or open a corresponding file. These standard ransomware attack patterns allow the gap to be exploited and corresponding code to be executed. It is therefore only a matter of time before it is done.
Both gaps can be fixed by a simple update to the latest version. But even that is often a challenge for companies. After all, it is not standard software. Here, there may be no central update mechanism and it even happens that administrators are not aware of the existence of the software. If one does not know the background, the relatively low CVSS (Common Vulnerability Scoring System) value is also something that makes for low prioritisation in the corporate context. These are all reasons why hackers choose precisely such vulnerabilities to attack with. They are often not known and even if they are, they are considered low risk.
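The practical problem raised above and in Udo Schneider's quote is finding the WinRAR copies nobody remembers installing. The following PowerShell script is an added example (not from the article, Trend Micro or RARLAB): it lists WinRAR copies registered in the Windows uninstall keys and any WinRAR.exe left in the default folders, and flags those below a minimum version that the caller supplies from RARLAB's advisory (the version is deliberately a placeholder parameter, not hard-coded).

```powershell
# Added example: inventory WinRAR on the local machine and flag outdated copies.
param(
    [Parameter(Mandatory = $true)]
    [version]$MinimumVersion   # PLACEHOLDER: first fixed version per RARLAB's advisory
)

function Get-WinRarInstall {
    # 1) Registered installs: per-machine (64-bit and 32-bit) and per-user
    #    Uninstall keys, i.e. what Add/Remove Programs shows.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'WinRAR*' } |
        ForEach-Object {
            [pscustomobject]@{
                Source  = 'Registry'
                Path    = $_.InstallLocation
                Version = $_.DisplayVersion
            }
        }

    # 2) Unregistered or leftover copies: read the file version of WinRAR.exe
    #    in the usual folders, so a copy with no uninstall entry (the "zombie"
    #    the article warns about) is still reported.
    $candidates = @("$env:ProgramFiles\WinRAR\WinRAR.exe",
                    "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe")
    foreach ($exe in $candidates) {
        if (Test-Path $exe) {
            [pscustomobject]@{
                Source  = 'File'
                Path    = $exe
                Version = (Get-Item $exe).VersionInfo.FileVersion
            }
        }
    }
}

function Test-VersionBelow([string]$Found, [version]$Minimum) {
    # WinRAR reports versions such as "6.22.0"; an unparsable value is
    # treated as needing review rather than silently passing.
    $parsed = $null
    if ([version]::TryParse($Found, [ref]$parsed)) { return $parsed -lt $Minimum }
    return $true
}

Get-WinRarInstall | ForEach-Object {
    $status = if (Test-VersionBelow $_.Version $MinimumVersion) { 'UPDATE NEEDED' } else { 'OK' }
    '{0,-14} {1,-10} {2}' -f $status, $_.Version, $_.Path
}
```

Run it per host (for example through your existing remote execution tooling) with `-MinimumVersion` set to the fixed version named in the vendor advisory; each line then tells you whether that copy still needs the update.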