Do You Use WinRAR? Install This Urgent Security Update ASAP To Thwart Hackers

Once upon a time, WinRAR was far and away the most popular archival software for Windows. While it isn't as ubiquitous as it once was—due both to the rise of the open-source 7-Zip as well as Microsoft including archive management functions in the operating system itself—it's still extremely popular. Estimates of WinRAR's global user base range as high as 500 million people.

If you're among the masses still using WinRAR, you'd better grab the latest version, WinRAR 6.23 Final. It isn't exactly new; the release came out 21 days ago. However, when we're talking about an application that updates as infrequently as WinRAR, that might as well be yesterday. WinRAR 6.23 primarily patches up some bugs in the software, one of which was a major security issue.

Basically, by crafting a RAR file in a certain way, an attacker could achieve arbitrary code execution on the victim's machine. In other words, a bad actor could offer to send you a .RAR archive full of cute kitties, and when you double-click the file, it executes malware that lets them take over your machine.

The bugs bashed in the latest WinRAR release.

The Trend Micro security research group Zero Day Initiative first discovered the flaw, and notes that the problem was with the way WinRAR processed recovery volumes. A "lack of proper validation of user-supplied data" could result in a classic buffer overflow, allowing the bad actor to run whatever code they want.
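To make the "lack of proper validation of user-supplied data" concrete, here is an added illustration of that bug class in C. It is not WinRAR's code and does not use the RAR format; the record layout (a type byte, a two-byte little-endian length, then payload) is invented for the example, as are the function names. It shows a length field taken straight from the file and used as a copy size, next to the same parser with the two checks that stop the overflow: the length must fit the destination buffer, and it must not exceed the bytes actually present in the record.

```c
/* Added illustration, not WinRAR's code. Toy record layout (invented here):
 *   byte 0     : record type (0x01 stands in for a "recovery record")
 *   bytes 1..2 : payload length, little-endian
 *   bytes 3..  : payload
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAYLOAD_MAX 64   /* fixed-size destination, like a stack buffer */
#define HDR_LEN 3

enum parse_result { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

static uint16_t read_le16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable pattern: the length comes straight from the file and is used as
 * the memcpy size. A record claiming more than PAYLOAD_MAX bytes writes past
 * the end of 'out'. Kept here only to show the defect; never feed it
 * untrusted data. */
int parse_record_unchecked(const uint8_t *rec, size_t rec_len,
                           uint8_t out[PAYLOAD_MAX]) {
    if (rec_len < HDR_LEN) return PARSE_TRUNCATED;
    uint16_t len = read_le16(rec + 1);
    memcpy(out, rec + HDR_LEN, len);     /* len is unbounded: overflow */
    return PARSE_OK;
}

/* Hardened pattern: every attacker-controlled size is checked against both
 * the destination capacity and the bytes actually present before any copy. */
int parse_record_checked(const uint8_t *rec, size_t rec_len,
                         uint8_t out[PAYLOAD_MAX], size_t *out_len) {
    if (rec_len < HDR_LEN) return PARSE_TRUNCATED;
    uint16_t len = read_le16(rec + 1);
    if (len > PAYLOAD_MAX) return PARSE_TOO_LONG;         /* would overflow out */
    if (len > rec_len - HDR_LEN) return PARSE_TRUNCATED;  /* claims bytes it lacks */
    memcpy(out, rec + HDR_LEN, len);
    *out_len = len;
    return PARSE_OK;
}

/* Constructed sample records for the demonstration. */
static const uint8_t benign_rec[]    = { 0x01, 0x04, 0x00, 'R', 'E', 'C', 'V' };
/* Claims 0x0200 = 512 bytes of payload while carrying only 4. */
static const uint8_t oversized_rec[] = { 0x01, 0x00, 0x02, 'R', 'E', 'C', 'V' };
/* Claims 0x0030 = 48 bytes (fits the buffer) while carrying only 4. */
static const uint8_t truncated_rec[] = { 0x01, 0x30, 0x00, 'R', 'E', 'C', 'V' };

/* Helpers returning the checked parser's verdict on each sample. */
int check_benign(void) {
    uint8_t buf[PAYLOAD_MAX]; size_t n = 0;
    int r = parse_record_checked(benign_rec, sizeof benign_rec, buf, &n);
    return (r == PARSE_OK && n == 4) ? PARSE_OK : -1;
}
int check_oversized(void) {
    uint8_t buf[PAYLOAD_MAX]; size_t n = 0;
    return parse_record_checked(oversized_rec, sizeof oversized_rec, buf, &n);
}
int check_truncated(void) {
    uint8_t buf[PAYLOAD_MAX]; size_t n = 0;
    return parse_record_checked(truncated_rec, sizeof truncated_rec, buf, &n);
}

int main(void) {
    printf("benign=%d oversized=%d truncated=%d\n",
           check_benign(), check_oversized(), check_truncated());
    return 0;
}
```

The second check matters as much as the first: a length that fits the buffer but exceeds the record's real size makes the copy read past the end of the input, which is the out-of-bounds read counterpart of the same missing validation.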

The issue has been patched in the latest version of WinRAR, so as long as you're up to date, there's not too much to worry about. WinRAR 6.23 also plugs a hole where a carefully crafted archive could make the application load the wrong file, which may not be quite as dangerous, but could certainly be confusing.

WinRAR 3D logo image created by Pedro Araujo.