WinRAR vulnerability

August 25, 2023

WinRAR, the widely used programme for compressing and archiving files, had a serious security vulnerability in older versions. This vulnerability allowed potential attackers to execute arbitrary code once a user opened a suitably prepared archive. A security researcher from Trend Micro’s Zero Day Initiative had already discovered the vulnerability in June, but only made it public last Thursday. The manufacturer of WinRAR, RARLAB, closed the gap with an update released at the beginning of August.

“WinRAR comes from a time when ZIP functions were not yet built in and RARs could only be unpacked with WinRAR. This is perhaps the underestimated danger. Because some users or administrators don’t even remember having a WinRAR zombie installed anywhere and therefore don’t think about updating it,” said Udo Schneider, IoT Security Evangelist Europe at Trend Micro.

Richard Werner, Business Consultant at Trend Micro, adds: “A new trend has been emerging in the criminal scene for some time now. The search for vulnerabilities continues, especially in widely used non-standard software. If an administrator does not know the background, the relatively low CVSS (Common Vulnerability Scoring System) value is also something that makes for low prioritisation in the corporate context. These are all reasons why hackers choose precisely such vulnerabilities to attack with. They’re often not known about and even if they are, they’re considered low risk.”

Comment by Richard Werner, Business Consultant at Trend Micro, on the WinRAR vulnerability:

For some time now, a new trend has been emerging on the criminal scene. The search for vulnerabilities continues. But mainly in widely used non-standard software. The most recent example is the compression procedure WinRAR. In a statement published on 2 August, the manufacturer RARLAB described two notable vulnerabilities whose exploitation has already been proven and/or is relatively easy to exploit. The vulnerability CVE-2023-38831 describes that malware can be “smuggled” into specially prepared archives, while CVE-2023-40477 allows the execution of code on an affected machine. Both problems can be fixed by updating to the latest version of WinRAR. However, the updates must also be carried out and this is what causes difficulties for many companies.

How great is the danger? It is difficult to say. For CVE-2023-38831, there are apparently already “in the wild” archives that confirm exploitation. In their case, the “bad guys” were faster. So far, however, corresponding attacks have been found almost exclusively in the cryptocurrency world. Security solutions in companies usually have such attacks reliably under control thanks to modern detection methods.

Things get more interesting with CVE-2023-40477, which was found by security researchers and is therefore not a “zero day”. The vulnerability has a CVSS score of 7.8, which is low by Remote Code Execution (RCE) standards, and is not classified as critical, but as “important”. The reason is that user interaction must occur. Only someone with access to a machine can theoretically exploit it. This is one of those cases where theory and practice depend on many things. Because having access is the goal of all actions for cyber criminals – especially in the business sector. Thus, it is enough for a vulnerable system to access prepared websites or open a corresponding file. These standard ransomware attack patterns allow the gap to be exploited and corresponding code to be executed. It is therefore only a matter of time before it is done.

Both gaps can be fixed by a simple update to the latest version. But even that is often a challenge for companies. After all, it is not standard software. Here, there may be no central update mechanism and it even happens that administrators are not aware of the existence of the software. If one does not know the background, the relatively low CVSS (Common Vulnerability Scoring System) value is also something that makes for low prioritisation in the corporate context. These are all reasons why hackers choose precisely such vulnerabilities to attack with. They are often not known and even if they are, they are considered low risk.
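The commentary above points at the practical problem: WinRAR is rarely covered by a central update mechanism, and administrators may not know where it is installed. The following PowerShell script is an added example for administrators (editor's code, not part of the article and not from RARLAB or Trend Micro). It reads the Windows Uninstall registry keys on a host, lists every registered WinRAR installation with its version, and flags those below a patched version threshold. The threshold `$MinimumPatchedVersion` is a placeholder and must be set to the fixed version number given in RARLAB's advisory for CVE-2023-38831 and CVE-2023-40477; the function name `Get-WinRarInstalls` is the author's own.

```powershell
# Added example (editor's code, not from the article or from RARLAB): inventory
# registered WinRAR installations on a Windows host and flag outdated versions.
# PLACEHOLDER: set this to the fixed version number named in RARLAB's advisory.
$MinimumPatchedVersion = [version]'0.0'

# Per-machine (64-bit and 32-bit views) and per-user uninstall entries.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-WinRarInstalls {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'WinRAR*' } |
        ForEach-Object {
            # Prefer the registry DisplayVersion; fall back to the file version
            # of WinRAR.exe in the install directory when the value is missing.
            $verText = $_.DisplayVersion
            if (-not $verText -and $_.InstallLocation) {
                $exe = Join-Path $_.InstallLocation 'WinRAR.exe'
                if (Test-Path $exe) {
                    $verText = (Get-Item $exe).VersionInfo.ProductVersion
                }
            }

            # Strip any non-numeric decoration (e.g. architecture suffixes)
            # before parsing; an unparseable version is treated as outdated.
            $parsed = $null
            [void][version]::TryParse(($verText -replace '[^\d\.]', ''), [ref]$parsed)

            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                DisplayName  = $_.DisplayName
                Version      = $parsed
                InstallPath  = $_.InstallLocation
                Outdated     = ($null -eq $parsed) -or ($parsed -lt $MinimumPatchedVersion)
            }
        }
}

$results = Get-WinRarInstalls
if (-not $results) {
    Write-Output "No WinRAR installation registered on $env:COMPUTERNAME"
} else {
    $results | Format-Table -AutoSize
}
```

To run this across a fleet, wrap the script in `Invoke-Command -ComputerName` (or deploy it through whatever endpoint management tool is already in place) and collect the objects it returns. One caveat matches the "WinRAR zombie" point made above: a copy of WinRAR that was unpacked rather than installed does not appear in the Uninstall keys at all, so a file search for `WinRAR.exe` on user profile and program directories is a useful complement to the registry check.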
