A new version of the file archiving software WinRAR fixes two vulnerabilities that could allow an attacker to execute code on a target system. All a victim has to do is open a specially crafted archive.
The more serious of the two was reported to the vendor in June, and a fixed version was published on August 2, 2023. Users should install the latest version (WinRAR 6.23 or later) as soon as they can.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The first of the two flaws patched in this update is tracked as CVE-2023-40477 (CVSS score 7.8 out of 10).
The vulnerability lies in how WinRAR processes recovery volumes (the .rev files that accompany multi-volume archives). Data read from the archive, which the attacker controls because they author the file, is used without proper validation, so a crafted archive can make the program access memory past the end of an allocated buffer (an out-of-bounds access). An attacker can leverage this to execute code in the context of the WinRAR process, that is, with the privileges of the user who opened the archive.
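To make that bug class concrete, here is an added example written for this page. It is not WinRAR's code (which is closed source) and the record layout, names and byte values are hypothetical: a 4-byte count from the file followed by fixed-size entries. It shows a parser that trusts the count field beside one that bounds it against both the destination capacity and the bytes actually present before any copy happens.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified record layout used only for illustration; it is NOT
 * the real RAR recovery-volume format. Layout: a 4-byte little-endian entry
 * count followed by `count` fixed-size entries. */
#define ENTRY_SIZE  16u
#define MAX_ENTRIES 8u

typedef struct {
    uint32_t count;
    uint8_t  entries[MAX_ENTRIES][ENTRY_SIZE]; /* fixed-capacity destination */
} recovery_table_t;

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the count is taken from the file and trusted. Rather than
 * perform the copy (undefined behaviour on crafted input), this returns the number
 * of bytes the copy loop would touch, so the overrun can be observed safely. */
uint64_t unchecked_bytes_touched(const uint8_t *data, size_t len) {
    (void)len;                                   /* never consulted: that is the bug */
    uint32_t count = read_le32(data);
    return (uint64_t)count * ENTRY_SIZE;         /* can exceed both len and the table */
}

/* Hardened pattern. Returns the entry count on success, a negative code on
 * rejection. Every untrusted quantity is bounded before it drives memory access,
 * and the capacity check comes first so the multiplication cannot overflow. */
int checked_parse(const uint8_t *data, size_t len, recovery_table_t *out) {
    if (data == NULL || out == NULL || len < 4) return -1;  /* header incomplete */
    uint32_t count = read_le32(data);
    if (count > MAX_ENTRIES) return -2;                      /* exceeds destination */
    size_t need = (size_t)count * ENTRY_SIZE;                /* <= 128, no overflow */
    if (need > len - 4) return -3;                           /* claims more than present */
    out->count = count;
    memcpy(out->entries, data + 4, need);
    return (int)count;
}

/* Constructed sample inputs (not taken from any real archive). */
const uint8_t SAMPLE_OK[4 + 2 * ENTRY_SIZE] = {
    0x02, 0x00, 0x00, 0x00,                       /* count = 2 */
    0xA0,0xA1,0xA2,0xA3,0xA4,0xA5,0xA6,0xA7,0xA8,0xA9,0xAA,0xAB,0xAC,0xAD,0xAE,0xAF,
    0xB0,0xB1,0xB2,0xB3,0xB4,0xB5,0xB6,0xB7,0xB8,0xB9,0xBA,0xBB,0xBC,0xBD,0xBE,0xBF,
};
/* count = 0x40000000 but only 4 bytes of payload: an attacker-chosen size */
const uint8_t SAMPLE_CRAFTED[8] = { 0x00, 0x00, 0x00, 0x40, 0xCC, 0xCC, 0xCC, 0xCC };
/* count = 2 (within capacity) but the file is truncated after 10 payload bytes */
const uint8_t SAMPLE_TRUNCATED[14] = { 0x02, 0x00, 0x00, 0x00,
                                       0xDD,0xDD,0xDD,0xDD,0xDD,0xDD,0xDD,0xDD,0xDD,0xDD };

recovery_table_t scratch;   /* destination used by main() and by the checks */

int main(void) {
    printf("crafted header would touch %llu bytes of a %zu-byte table\n",
           (unsigned long long)unchecked_bytes_touched(SAMPLE_CRAFTED, sizeof SAMPLE_CRAFTED),
           sizeof scratch.entries);
    printf("checked_parse ok=%d crafted=%d truncated=%d\n",
           checked_parse(SAMPLE_OK, sizeof SAMPLE_OK, &scratch),
           checked_parse(SAMPLE_CRAFTED, sizeof SAMPLE_CRAFTED, &scratch),
           checked_parse(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &scratch));
    return 0;
}
```

The order of the checks in `checked_parse` is the point: rejecting the count against the fixed capacity before multiplying means the size computation cannot wrap, and comparing the result with the bytes that are really in the buffer stops a truncated or lying header from driving a read past the input.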
The release notes for the update state that a second vulnerability was fixed, described only as:
> "WinRAR could start a wrong file after a user double clicked an item in a specially crafted archive."
So, until you have installed the new version, be careful with archives that people send you. Since the flaw is triggered while WinRAR parses the archive, opening it just to look at its contents is not a safe way to check it; scan it with up-to-date security software or leave it unopened.
Given WinRAR's very large user base, the impact of these vulnerabilities could be substantial; archive-handling flaws in WinRAR have been abused by attackers in the past to install malware.
Some Windows 11 users may hold off on installing the update because Microsoft has announced that its latest operating system (OS) will natively support RAR and several other archive formats. Note that native support in Windows does not patch or remove an existing WinRAR installation; any archive that is still opened with WinRAR is still processed by the vulnerable code.
> "We have added native support for additional archive formats, including tar, 7-zip, rar, gz and many others using the libarchive open-source project. You now can get improved performance of archive functionality during compression on Windows."
Users of cracked copies of the software, probably another sizable group, cannot simply install the latest version through the normal update path, so they may remain vulnerable as well.