Old WinRAR vulnerability is exploited by government-backed actors
Quote: WinRAR users who have not updated the archiving software in some time may want to do so immediately. A report by Google's Threat Analysis Group (TAG) suggests that government-backed actors are exploiting a vulnerability in WinRAR for which a fix has been available for some time.

We published information about the WinRAR update that addressed the issue in August when it first came out. WinRAR 6.23 fixed the issue. It allowed malicious actors to run code on devices on successful exploitation of the vulnerability.

All it requires is that users open a specially crafted WinRAR archive on their devices. WinRAR users can patch the issue by downloading and installing the latest version, which is WinRAR 6.24 at the time of writing.

Google's report on the WinRAR vulnerability

Google discovered that multiple government-backed hacking groups have been exploiting WinRAR's CVE-2023-38831 vulnerability in recent weeks. The first exploits of the issue began in early 2023, a time when anti-malware services and the maker of WinRAR were unaware of the vulnerability.

While a patch is available, Google notes that "many users still seem to be vulnerable". In other words: WinRAR users have not updated the archiving software to version 6.23 or newer since the release in August 2023.

Google provides a detailed analysis of the vulnerability in the blog post. It explains that the issue is a "logical vulnerability within WinRAR causing extraneous temporary file expansion when processing crafted archives, combined with a quirk in the implementation of Windows’ ShellExecute when attempting to open a file with an extension containing spaces".

Attackers may exploit the issue to execute arbitrary code on user devices when a "user attempts to view a benign file (such as an ordinary PNG file) within a ZIP archive".

You can check out the full blog post over on Google's blog for additional information about the vulnerability.

Closing Words

WinRAR users should download the latest version of the software from the official website and install it on their devices. This protects them from attacks that target the vulnerability.

Those who run the latest version of Windows 11 and only use WinRAR to extract archives may also consider using the new RAR extract feature of the operating system.
...
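
The quoted description ties the issue to crafted archives and to file names whose extension contains spaces. The following triage check is an added example, not code from the article or from Google's report: it lists ZIP entries whose name ends in whitespace or has whitespace between two extensions. The two patterns are an assumed heuristic, the sample archive is constructed, and a match is a reason to inspect the archive, not proof of an exploit.

```python
import io
import re
import zipfile

# Heuristic (assumption): whitespace between two dot-extensions, e.g. "a.pdf .txt".
SPACED_EXT = re.compile(r"\.[A-Za-z0-9]+\s+\.[A-Za-z0-9]+$")


def check_component(part):
    """Return a reason string if one path component looks suspicious, else None."""
    if part != part.rstrip():
        return "name ends with whitespace"
    if SPACED_EXT.search(part):
        return "extension contains whitespace"
    return None


def suspicious_entries(zip_bytes):
    """List (entry name, reason) for every archive entry that trips the heuristic."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # ZIP stores "/" as the separator; check folder names and the file name alike.
            for part in filter(None, info.filename.split("/")):
                reason = check_component(part)
                if reason:
                    findings.append((info.filename, reason))
                    break  # one finding per entry is enough for triage
    return findings


def build_sample():
    """Constructed sample archive with harmless text content, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("readme.txt", "my notes v1.2 final.txt",
                     "holiday.png ", "docs/invoice.pdf .txt"):
            zf.writestr(name, "sample")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_entries(build_sample()):
        print(f"{name!r}: {reason}")
```

Ordinary names that merely contain spaces, such as `my notes v1.2 final.txt`, are not reported.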
Messages In This Thread
Old WinRAR vulnerability is exploited by government-backed actors - by harlan4096 - 19 October 23, 08:24
