Hackers are exploiting critical WinRAR bug exposed last month
Towards the end of last month, security researchers revealed details of a critical bug in that stalwart of the compression world, WinRAR. The bug is many years old and although it relates to the rarely-used ACE format and has since been patched, it has been discovered hackers are actively exploiting it since it was made public.
The 19-year-old bug in the file UNACEV2.DLL (CVE-2018-20250) allows for an attacker to execute malicious files hidden in compressed archives. Over 100 exploits have been found that take advantage of people who are yet to update to a secure version of the software... and that number is growing. McAfee reports attackers using Ariana Grande's album "Thank U, Next" as a lure to encourage victims to extract dangerous archives, but other security researchers report the use of images.
- Security researchers reveal details of serious bug in compression tool WinRAR
- Microsoft Word bug can be used to bypass security systems
- GitHub widens the scope of its bug bounty program and increases rewards
In a blog post, McAfee's Craig Schmugar reports that "in the first week since the vulnerability was disclosed, McAfee has identified over 100 unique exploits and counting". Most of these cases are in the US. He explains how victims are tricked into installing malware on their systems:
One recent example piggybacks on a bootlegged copy of Ariana Grande's hit album "Thank U, Next" with a file name of "Ariana_Grande-thank_u,_next(2019)_.rar"
When a vulnerable version of WinRAR is used to extract the contents of this archive, a malicious payload is created in the Startup folder behind the scenes. User Account Control (UAC) does not apply, so no alert is displayed to the user. The next time the system restarts, the malware is run.
360 Threat Intelligence Center also reports that attackers are using compressed archive packed with image files to entice victims:
As predicted, we captured multiple samples using this vulnerability in the following days and also observed some related APT attacks. Obviously, attackers use this exploit in a more delicate way. For example, they embed lots of pictures and lure the target to decompress since those cannot be previewed in the compressed archive, encrypt the malicious ACE file before delivering, and so on.
To help mitigate against the attacks, and update has been released for WinRAR that drops support for the little-used ACE format and removes the vulnerable UNACEV2.DLL file. In releasing WinRAR 5.70, RAR Labs explained:
WinRAR has always been known for its wide support of all popular compression formats. A recent report by Check Point Software revealed a potential security vulnerability in the UNACEV2.DLL library, which was used in former versions of WinRAR to decompress ACE archives. There haven't been any reported attacks so far, but to provide WinRAR users with a stable and clean version, the final version of WinRAR 5.70 has been released. Since UNACEV2.DLL had not been updated since 2005 and access to its source code is not available, the decision was made to drop ACE archive support starting with WinRAR 5.70. Now, after the launch of the final and stable version of WinRAR 5.70, upgrading immediately to the new 5.70 version is highly recommended.
To users who are not interested in an upgrade or who don't find a localized version of WinRAR 5.70 yet, win.rar GmbH's advice is to delete the UNACEV2.DLL file from their current WinRAR version to be reliably protected again. All users of WinRAR 5.10 or any newer version can find the UNACEV2.DLL file in the WinRAR program folder. WinRAR users of versions older than 5.10, can find the UNACEV2.DLL file in the Formats subfolder of the WinRAR program.
The problem, however, is that while WinRAR is installed on a large number of systems, it is a shareware tool which many users have installed only for occasional use and such people are unlikely to be aware that there is a security issue that requires an update to be installed.