If you’ve used a Windows PC in the 2000s, chances are that you’ve used or come across WinRAR. The popular file extraction software boasts of 500 million users. It allows users to extract ZIP and other file archives on their Windows PC. You could even use it without really paying for it. Recently, researchers uncovered a 19-year-old bug that could have affected millions of PCs.
Security researchers at Check Point Research claimed to have discovered a bug that could allow hackers to manipulate WinRAR. The bug allowed hackers to let WinRAR extract a program into a PC’s startup folder. After that, the malicious program could run every single time the PC was booted. Researchers say the bug had existed for 19 years.
Check Point Research explained the bug in a detailed blog post on their website. Its researchers claim all someone had to do was rename an ACE archive with a RAR extension. WinACE, the program capable of creating ACE archives, hasn’t been updated since 2007.
In a response to Check Point Research, WinRAR has now fixed the bug with a fresh software update. The vulnerability has been patched in the latest version 5.70 beta 1. On Thursday, the company has also released the second beta of version 5.70.
The bug seemed more of a loophole because WinRAR supported ACE archives via a third party tool. WinRAR has now completely dropped support for ACE archives since it’s ancient now, and therefore not used any more.
Although there haven’t been any reports of hackers exploiting of this vulnerability over the years, but with 500 million users and a bug having existed for 19 years, it seems quite a massive thing. In case you still use WinRAR, make sure you update the software as soon as the fresh stable release is out.