winrar

Started by Panther_Gunn, March 18, 2019, 10:57:30 PM

Panther_Gunn

I know there's more than a couple of us stubborn old farts seasoned, thrifty individuals that continue to use the same programs for a long time around here, so there's probably more than a couple of us still using WinRAR to open, and perhaps still compress, things.  However, if you're using a version older than 5.7, just released last month, read on.

One of the archive format decompressors that WinRAR has been supporting probably since its beginning, ACE, has been found to have a security flaw that would allow anything archived with that format to unpack files in folders other than what the program/user chooses, such as Windows/System32, the C: root directory, or the Startup folder.  Since WinRAR uses the content to determine which type of archive it's working with rather than the file extension, malicious files could be archived with the ACE format & have the file extension changed to .rar or .zip to appear innocent.

In their most recent posting, WinRAR addresses this, saying that the unpacker for the ACE format hasn't been updated since 2005, and the source code isn't available (Wikipedia has it listed as abandonware), and they have dropped it from their newest release.

Long story short, if you are using any version of WinRAR prior to v5.7 (which just got released last month) you should either stop using it (7-zip is still free) or disable the ACE unpacker.  To do this, go into the WinRAR folder under Program Files, and find the file UNACEV2.dll.  Rename or delete that file, and WinRAR will no longer be able to open ACE files, but should still work fine otherwise.
The Best There Is At What I Do......when I have the time.
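
An added example, not part of the original post: a Python check that finds files whose content is ACE whatever their extension says, and reports whether UNACEV2.dll is still present in a WinRAR folder. It relies on the ACE format's `**ACE**` signature at byte offset 7 and checks only that standard position; the sample files are constructed headers, and the folder paths are supplied by the caller.

```python
import os
import tempfile

ACE_MAGIC = b"**ACE**"   # ACE main-header signature
ACE_MAGIC_OFFSET = 7     # the signature starts 7 bytes into the file

def is_ace(path):
    """True if the file carries the ACE signature at the standard offset."""
    try:
        with open(path, "rb") as f:
            head = f.read(ACE_MAGIC_OFFSET + len(ACE_MAGIC))
    except OSError:
        return False  # unreadable file: nothing to report
    return head[ACE_MAGIC_OFFSET:] == ACE_MAGIC

def find_ace_archives(root):
    """Return (path, disguised) pairs; disguised means the extension is not .ace."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if is_ace(path):
                ext = os.path.splitext(name)[1].lower()
                hits.append((path, ext != ".ace"))
    return hits

def unacev2_present(winrar_dir):
    """True if the ACE unpacker DLL is still in the given folder (any case)."""
    try:
        return any(n.lower() == "unacev2.dll" for n in os.listdir(winrar_dir))
    except OSError:
        return False

def make_sample_dir():
    """Constructed sample data: header bytes only, not real archives."""
    d = tempfile.mkdtemp()
    ace_head = b"\x00" * 7 + ACE_MAGIC + b"\x00" * 16
    samples = {"real.ace": ace_head, "invoice.rar": ace_head,
               "honest.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 16, "tiny.zip": b"PK"}
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d

if __name__ == "__main__":
    for path, disguised in find_ace_archives(make_sample_dir()):
        print("ACE content, misleading extension:" if disguised else "ACE:", path)
```
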