In a detailed blog post, Check Point explained that by renaming an ACE file with a RAR extension, hackers could manipulate WinRAR to extract a malicious program to a computer's startup folder. The program would then run automatically when your computer started. Check Point says the flaw existed for 19 years. In response to the blog post, WinRAR was quick to patch the vulnerability, releasing version 5.70 beta 1 in which it dropped support for ACE archives. Turns out the company was using a third-party tool to unpack ACE archives anyway, and it hadn't been updated since 2005.
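The two defensive checks a scanner or extraction tool can apply against the pattern described above are (a) identifying the container by its magic bytes rather than its file extension, so a ".rar" that is really an ACE archive is flagged, and (b) refusing any archive entry whose path would resolve outside the chosen destination folder. The following is an added example, not code from the article, Check Point, or WinRAR. It assumes the standard RAR header prefix `Rar!\x1a\x07` and the ACE marker `**ACE**` at offset 7 of the main header; the archive bytes and entry names it scans are constructed for the demonstration.

```python
"""Added example: extension-vs-magic mismatch detection and entry-path
containment checks for archives. Sample data is constructed, not real."""
import os
import posixpath
import re

RAR_MAGIC = b"Rar!\x1a\x07"          # prefix shared by RAR4 and RAR5 headers
ACE_MAGIC = b"**ACE**"               # ACE signature inside the main header
ACE_MAGIC_OFFSET = 7                 # after CRC(2) + size(2) + type(1) + flags(2)


def detect_container(data: bytes) -> str:
    """Classify an archive by its leading bytes, ignoring the file name."""
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data[ACE_MAGIC_OFFSET:ACE_MAGIC_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC:
        return "ace"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims one known format but the bytes say another."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    kind = detect_container(data)
    return kind != "unknown" and kind != ext


def is_safe_entry_path(entry_name: str) -> bool:
    """True if extracting entry_name under a destination directory cannot
    escape it: no absolute paths, no drive letters, no '..' climbing out."""
    name = entry_name.replace("\\", "/")          # archives may carry either separator
    if name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        return False                               # absolute, UNC, or drive-letter path
    norm = posixpath.normpath(name)
    if norm in (".", "..") or norm.startswith("../"):
        return False                               # empty name or traversal survives normalization
    return True


def scan_archive(filename: str, data: bytes, entries: list) -> dict:
    """Return findings a gateway could log or block on for one archive."""
    return {
        "container": detect_container(data),
        "extension_mismatch": extension_mismatch(filename, data),
        "unsafe_entries": [e for e in entries if not is_safe_entry_path(e)],
    }


# Constructed samples: a genuine RAR header and a fake ACE header with a .rar name.
SAMPLE_RAR = RAR_MAGIC + b"\x00" + b"\x00" * 16
SAMPLE_ACE_AS_RAR = b"\x00" * ACE_MAGIC_OFFSET + ACE_MAGIC + b"\x00" * 16
SAMPLE_ENTRIES = [
    "docs/readme.txt",
    "../../Programs/Startup/update.exe",     # climbs out of the destination
    "C:\\Users\\Public\\x.exe",              # drive-letter absolute path
    "build/../notes.txt",                    # normalizes safely to notes.txt
]

if __name__ == "__main__":
    print(scan_archive("quarterly.rar", SAMPLE_RAR, SAMPLE_ENTRIES))
    print(scan_archive("quarterly.rar", SAMPLE_ACE_AS_RAR, SAMPLE_ENTRIES))
```

`is_safe_entry_path` deliberately normalizes both separator styles before checking, because an extraction routine running on Windows treats a backslash path the same as a forward-slash one; checking only one form would let the other slip through.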
There haven't been any reported attacks using this bug. But 19 years is a pretty long time to have a flaw like this, and with 500 million users potentially exposed, we'd say this is a major oversight on WinRAR's part. If you are one of the millions still using WinRAR, this would be a good time to update the software. The lesson for all of us is that what you did on your PC 20 years ago can indeed come back to haunt you.