Image credit: ValeryBrozhinsky via Getty Images

WinRAR patched 19-year-old bug that left millions vulnerable

WinRAR gets back at us all for hitting “next time” when prompted to pay.

Remember WinRAR, that early-2000s software that extracted .zip files and just about any other file archive on your Windows PC? The one that constantly bugged you to buy it but could be duped by clicking "next time"? Well, if you're one of the 500 million people who've used WinRAR over the years, the joke's on you. Researchers at Check Point Research uncovered a 19-year-old bug that left a security hole on your PC.

In a detailed blog post, Check Point explained that by renaming an ACE file with a RAR extension, hackers could manipulate WinRAR into extracting a malicious program to a computer's startup folder. The program would then run automatically when your computer started. Check Point says the flaw existed for 19 years. In response to the blog post, WinRAR was quick to patch the vulnerability, releasing version 5.70 beta 1, in which it dropped support for ACE archives. Turns out the company was using a third-party tool to unpack ACE archives anyway, and it hadn't been updated since 2005.

There haven't been any reported attacks using this bug. But 19 years is a pretty long time to have a flaw like this, and with 500 million users potentially exposed, we'd say this is a major oversight on WinRAR's part. If you are one of the millions still using WinRAR, this would be a good time to update the software. The lesson for all of us is that what you did on your PC 20 years ago can indeed come back to haunt you.
