If you use WinRAR, update it now (UNACE lib, this vuln may be in other programs, too)
raed last edited by Gwen-Dragon
If you are one of the WinRAR compression software's 500 million users, make sure to update to the latest version immediately.
Researchers from Check Point Software discovered a 14-year-old code-execution vulnerability in the UNACEV2.DLL library, which WinRAR uses to extract .ACE files and which has not been updated since 2005.
Full article here.
Quick note: I would imagine that this vulnerability is also present in other compression software that uses the UNACEV2.DLL library to open .ACE files.
modedit added title and tags
And PowerArchiver 2018 uses an old lib, UNACEV2.DLL, from 2007. See statement from Powerarc.
And Avast uses this lib, too.
Pathduck last edited by Pathduck
Let's see, I have:
- One old UNACE32.EXE from 2001 in my old tools folder - no idea if it affects this, and I never use it anyway.
- One unacev2.dll in Total Commander - Reply from author of TC, not a big issue.
- And of course one in WinRAR - which I rarely use, and certainly not for ACE files.
But I can't remember any situation in at least the last 10-15 years where I've encountered an ACE file. Does anyone even use it anymore with the availability of 7zip and Zip built into Windows (and I assume Linux desktops?).
I guess people could be tricked into unpacking an ACE archive downloaded from somewhere if they use WinRAR as their main archive tool and/or have file extensions not showing, making it look like a general archive type.
But it would very much be an extreme edge case.
raed last edited by raed
Total Commander also uses UNACEV2.DLL and is affected by this exploit, as discussed here on their forum.
Gotta love the fix.
You can actually manually fix whatever version you have without updating.
If you install the latest WinRAR, it simply deletes the DLL and removes ACE support.
Over 100 Exploits Found for 19-Year Old WinRAR RCE Bug
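An inventory check for the two concerns raised in this thread: leftover copies of unacev2.dll bundled with various tools, and ACE archives that carry a different extension. This is an added example, not code from any poster or vendor; the function names are hypothetical, the sample files are constructed, and it relies on the ACE format's `**ACE**` signature sitting 7 bytes into the file.

```python
import os
import tempfile

ACE_MAGIC = b"**ACE**"   # ACE archive signature
ACE_MAGIC_OFFSET = 7     # the signature starts 7 bytes into the main header
DLL_NAME = "unacev2.dll"

def is_ace_archive(path):
    """True if the file content carries the ACE signature, whatever its name says."""
    try:
        with open(path, "rb") as fh:
            fh.seek(ACE_MAGIC_OFFSET)
            return fh.read(len(ACE_MAGIC)) == ACE_MAGIC
    except OSError:
        return False  # unreadable or locked file: skip it rather than abort the scan

def scan(root):
    """Walk root and return (dll_copies, ace_files, disguised_ace_files)."""
    dlls, ace, disguised = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == DLL_NAME:
                dlls.append(full)          # bundled ACE extraction library
            elif is_ace_archive(full):
                ace.append(full)
                if not name.lower().endswith(".ace"):
                    disguised.append(full)  # ACE content under another extension
    return sorted(dlls), sorted(ace), sorted(disguised)

def build_sample_tree(root):
    """Constructed sample data: placeholder bytes, no real archive or DLL content."""
    ace_header = b"\x00" * 7 + ACE_MAGIC + b"\x00" * 16
    samples = {
        os.path.join("WinRAR", "UNACEV2.DLL"): b"MZ-placeholder",
        os.path.join("Downloads", "old.ace"): ace_header,
        os.path.join("Downloads", "invoice.rar"): ace_header,  # ACE bytes, .rar name
        os.path.join("Downloads", "real.rar"): b"Rar!\x1a\x07\x00" + b"\x00" * 16,
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        dlls, ace, disguised = scan(tmp)
        print("unacev2.dll copies:", dlls)
        print("ACE archives:", ace)
        print("ACE content under another extension:", disguised)
```

To use it on a real machine, call `scan()` on a program or download directory instead of the temporary sample tree. The fixed-offset check will not recognise ACE data embedded deeper in a file, such as a self-extracting archive.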