High severity vuln in WinRAR could allow code to run when files are opened
Users of the popular WinRAR compression and archiving tool should update now to avoid a vulnerability that allows code to be run when a user opens a RAR file.
WinRAR is one of the many apps available for compressing and packaging multiple files together for distribution or archiving, and is claimed as the world's most popular compression tool with over 500 million users worldwide.
The WinRAR flaw, which has been allocated the CVE record CVE-2023-40477, is said to be due to a lack of full validation of user-supplied data when opening an archive file, which could result in a memory access beyond the end of an allocated buffer.
The updated version of the application, WinRAR 6.23, also contains fixes for several other flaws, including WinRAR starting the wrong file when a user double-clicks an item in a specially crafted archive.
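As an added example (not code from the article or from RARLAB), the PowerShell below enumerates installed WinRAR entries from the standard Uninstall registry keys and flags any version older than the fixed 6.23 release; it assumes WinRAR registers there with a DisplayName beginning "WinRAR" and a numeric DisplayVersion such as "6.22.0".

```powershell
# Added example: find installed WinRAR copies and flag versions below 6.23.
# Assumption: WinRAR appears under the standard Uninstall keys with a
# DisplayName starting "WinRAR" and a DisplayVersion like "6.22.0".
$FixedVersion = [version]'6.23'

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-WinRarStatus {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'WinRAR*' } |
        ForEach-Object {
            # Keep only the leading numeric part, e.g. "6.22.0 beta 1" -> "6.22.0"
            $raw = [string]$_.DisplayVersion
            $installed = $null
            if (-not [version]::TryParse(($raw -replace '[^\d.].*$', ''), [ref]$installed)) {
                $installed = [version]'0.0'   # unparsable version: treat as needing review
            }
            [pscustomobject]@{
                Name       = $_.DisplayName
                Version    = $raw
                Location   = $_.InstallLocation
                Vulnerable = ($installed -lt $FixedVersion)
            }
        }
}

$results = Get-WinRarStatus
if (-not $results) {
    Write-Output 'WinRAR not found in the uninstall registry keys.'
} else {
    $results | Format-Table -AutoSize
    if ($results.Vulnerable -contains $true) {
        Write-Warning 'At least one WinRAR install is older than 6.23 (CVE-2023-40477 unpatched); update it.'
    }
}
```

Run it from an elevated prompt if you also want to cover per-machine installs registered only under HKLM.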
Microsoft announced back in May that it was adding support for RAR files into Windows, along with support for other archive formats, including tar, 7-zip, gz and others, thanks to the addition of the libarchive open-source library, but presumably only for Windows 11.
News URL: https://go.theregister.com/feed/www.theregister.com/2023/08/21/winrar_vuln_could_allow_code/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2024-05-03 | CVE-2023-40477 | RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability | 0.0