Why you can trust us

Engadget has been testing and reviewing consumer tech since 2004. Our stories may include affiliate links; if you buy something through a link, we may earn a commission. Read more about how we evaluate products.

WinRAR patched 19-year-old bug that left millions vulnerable

WinRAR gets back at us all for hitting “next time” when prompted to pay.

Remember that early 2000s software that extracted .zip files and just about any other file archive on your Windows PC, WinRAR? The one that constantly bugged you to buy it but could be duped by clicking "next time"? Well, if you're one of the 500 million people who've used WinRAR over the years, the joke's on you. Researchers at Check Point Research uncovered a 19-year-old bug that created a security breach in your hard drive.

In a detailed blog post, Check Point explained that by renaming an ACE file with a RAR extension, hackers could manipulate WinRAR to extract a malicious program to a computer's startup folder. The program would then run automatically when your computer started. Check Point says the flaw existed for 19 years. In response to the blog post, WinRAR was quick to patch the vulnerability, releasing a version 5.70 beta 1 in which it dropped support for ACE archives. Turns out the company was using a third party tool to unpack ACE archives anyway, and it hadn't been updated since 2005.

There haven't been any reported attacks using this bug. But 19 years is a pretty long-time to have a flaw like this, and with 500 million users potentially exposed, we'd say this is a major oversight on WinRAR's part. If you are one of the millions still using WinRAR, this would be a good time to update the software. The lesson for all of us is that what you did on your PC 20 years ago can indeed come back to haunt you.