As mentioned before, computer security threats and vulnerabilities are complex and hard to defend against. In the last couple of months a new threat has been discovered, is now ‘in the wild’, and is compromising users’ machines. It is an excellent example of why this stuff is hard.
What Is WinRAR and How Did It Become Vulnerable?
Warning: it’s about to get really nerdy here, so if you want to skip down to the “How Do I Prevent…” section, I’ll understand. Really.
One of the most popular free software programs of the last two decades is WinRAR. WinRAR manages archive files: the compressed files used to make large files smaller, for faster downloads and space saving. Over the years there have been a ton of different archive formats, and WinRAR supports, among others, *.zip, *.cab, *.uue, *.rar, and the list goes on. The company behind WinRAR, RARLAB, indicates that WinRAR has approximately 500 million(!) users, accumulated over 19 years. Here’s the rub… a security vulnerability has been discovered in WinRAR, and it has existed for well over a decade. So long, in fact, that RARLAB no longer has the source code for the DLL (UNACEV2.dll) that handles *.ace files, a component that had not been updated since 2005!
One of the obscure archive file types supported by WinRAR is the *.ace file. The code that unpacks it contains a path-traversal vulnerability (tracked as CVE-2018-20250) that allows an adversary to plant malware on your computer if you extract a crafted *.ace file. The problem is that the file names stored inside the archive are not properly sanitized, so a malformed *.ace can write its contents to a folder of the attacker’s choosing instead of the folder you chose to extract to, for example your Windows Start-up folder. If you decompress a bad *.ace archive, whatever it dropped in Start-up runs the next time you log in, and your computer is owned. Of the 100 or so exploits of this vulnerability seen in the wild, the most prevalent has been a ransomware attack. The executable in the Start-up folder ‘phones home’, downloads the bad stuff, and installs it on your computer. Beyond extracting the archive, there is no further user interaction and no warning.
So, you say, just don’t click on or extract a file with the .ace extension. Not so much. WinRAR ignores the file extension when it determines the archive type. It makes that determination from the signature embedded in the file’s header. So a crafted ACE archive renamed to any of the extensions associated with WinRAR (*.zip, *.rar, etc.) will still open in WinRAR and still be handled by the vulnerable ACE code.
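To make the two points above concrete (detection by signature rather than extension, and entry names that escape the extraction folder), here is an added example scanner. It is not code from WinRAR, RARLAB, or the original post. The header layout it parses follows the public ACE format description used by open-source ACE readers; the sample archive is constructed in the script with zeroed CRC and compression fields, since the scanner never verifies those. The suspicious entry uses a plain `..\` traversal into the Startup folder; the malware seen in the wild used a more elaborate path string to get past WinRAR’s own filename filter, and that string is deliberately not reproduced here.

```python
"""Heuristic ACE scanner: recognise an ACE archive by its header signature (the way
WinRAR does, ignoring the file extension) and flag stored entry names that would
land outside the extraction directory, e.g. in a Startup folder.

Constructed example, not WinRAR's or RARLAB's code. Header layout follows the
public ACE format description used by open-source ACE readers. CRC16 fields in
the constructed sample are left as zero because this scanner never checks them."""
import struct

ACE_MAGIC = b"**ACE**"   # signature at file offset 7 (main header body offset 3)
MAIN_HEADER = 0
FILE_HEADER = 1
FLAG_64BIT = 0x0004       # file header carries 8-byte instead of 4-byte sizes


def is_ace(data: bytes) -> bool:
    """Type detection by signature, not extension, as WinRAR does."""
    return data[7:14] == ACE_MAGIC


def iter_headers(data: bytes):
    """Yield (type, flags, body) per header; skip packed data after file headers.
    Each header is CRC16(2) | SIZE(2) | TYPE(1) | FLAGS(2) | rest of body."""
    pos = 0
    while pos + 4 <= len(data):
        _crc, size = struct.unpack_from("<HH", data, pos)
        body = data[pos + 4 : pos + 4 + size]
        if len(body) < 3:
            break
        htype = body[0]
        (flags,) = struct.unpack_from("<H", body, 1)
        yield htype, flags, body
        pos += 4 + size
        if htype == FILE_HEADER:                       # compressed payload follows
            fmt = "<Q" if flags & FLAG_64BIT else "<I"
            (packsize,) = struct.unpack_from(fmt, body, 3)
            pos += packsize


def entry_name(flags: int, body: bytes) -> str:
    """File header body: TYPE FLAGS PACKSIZE ORIGSIZE FTIME ATTR CRC32 TECH(4)
    RESERVED(2) FNAME_LEN(2) FNAME."""
    width = 8 if flags & FLAG_64BIT else 4
    off = 3 + 2 * width + 4 + 4 + 4 + 4 + 2            # position of FNAME_LEN
    (nlen,) = struct.unpack_from("<H", body, off)
    return body[off + 2 : off + 2 + nlen].decode("latin-1")


def suspicious_path(name: str) -> list:
    """Reasons an entry name must not be trusted as a plain relative path."""
    win = name.replace("/", "\\")
    reasons = []
    if ".." in win.split("\\"):
        reasons.append("parent-directory traversal")
    if len(win) > 1 and win[1] == ":":
        reasons.append("absolute drive path")
    elif win.startswith("\\"):
        reasons.append("rooted path")
    if "startup" in win.lower():
        reasons.append("targets a Startup folder")
    return reasons


def scan(data: bytes) -> dict:
    result = {"is_ace": is_ace(data), "entries": [], "findings": []}
    if not result["is_ace"]:
        return result
    for htype, flags, body in iter_headers(data):
        if htype != FILE_HEADER:
            continue
        name = entry_name(flags, body)
        result["entries"].append(name)
        reasons = suspicious_path(name)
        if reasons:
            result["findings"].append((name, reasons))
    return result


def describe(filename: str, data: bytes) -> str:
    """What the bytes are versus what the extension claims."""
    if not is_ace(data):
        return "not an ACE archive"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "ACE archive" if ext == "ace" else f"ACE archive disguised as .{ext}"


# --- constructed sample archive (fields the scanner does not read are zeroed) ---
def _header(htype: int, flags: int, rest: bytes) -> bytes:
    body = bytes([htype]) + struct.pack("<H", flags) + rest
    return struct.pack("<HH", 0, len(body)) + body      # CRC16 placeholder = 0


def _main_header() -> bytes:
    # magic, VER_MOD, VER_CR, HOST_CR, VOL_NUM, TIME_CR(4), reserved(8): placeholders
    return _header(MAIN_HEADER, 0, ACE_MAGIC + bytes(4) + bytes(4) + bytes(8))


def _file_entry(name: bytes, payload: bytes) -> bytes:
    rest = struct.pack("<IIIII", len(payload), len(payload), 0, 0x20, 0)  # sizes, ftime, attr, crc32
    rest += bytes([0, 0]) + struct.pack("<HH", 0, 0)    # TECH (stored), reserved
    rest += struct.pack("<H", len(name)) + name
    return _header(FILE_HEADER, 0, rest) + payload      # packed data follows the header


STARTUP_PATH = rb"..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"
SAMPLE_ARCHIVE = (
    _main_header()
    + _file_entry(b"readme.txt", b"hello")
    + _file_entry(STARTUP_PATH, b"MZ" + bytes(14))      # constructed, not a real executable
)

if __name__ == "__main__":
    print(describe("album.zip", SAMPLE_ARCHIVE))
    for name, reasons in scan(SAMPLE_ARCHIVE)["findings"]:
        print(f"SUSPICIOUS {name}: {', '.join(reasons)}")
```

Run it with `python ace_scan.py` (the name is arbitrary). The point of `describe()` is that an attachment called `album.zip` is still classified from its bytes, which is exactly why the “just avoid .ace files” advice does not hold. The same heuristic in `suspicious_path()` applies to any archive format: an entry name containing `..`, a drive letter or a leading separator should never be written relative to the extraction folder without being rejected or normalised first.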
Additionally, WinRAR doesn’t have an automated update process. In other words, when the vulnerability was discovered, there was no mechanism to push the fix out to users automatically; each user has to download and install the new version. Also complicating the warning process is the age of the software. How many of the half-billion users still have the same email address they may have used 15 years ago to register the software, so that a warning from RARLAB would even reach them?
How Do I Prevent Computer Viruses and Cybersecurity Threats?
First, if you use WinRAR, update to version 5.70 or later. That version drops support for *.ace archives entirely, and the vulnerable UNACEV2.dll is no longer present in the WinRAR program folder after the update (you can confirm the version under Help > About in WinRAR). Not a big problem… I don’t recall even hearing that extension mentioned, much less ever encountering one. After you get the update, you’re good to go… for the moment.
Second, DON’T OPEN EMAIL ATTACHMENTS FROM UNKNOWN OR UNEXPECTED SOURCES! This vulnerability is being delivered through phishing emails carrying booby-trapped archive attachments. If you were to get the new Ariana Grande album in a compressed file from grandma, it’s a good bet grandma’s email has been compromised.
Finally, regularly clean up your computer. If you have software installed that you don’t use, uninstall it. In this case, a 19-year-old piece of code was found to have an exploitable vulnerability, and that vulnerability is now being exploited. It’s just a bad idea to have code on your computer that you don’t use. Just because you don’t use it doesn’t mean that someone else won’t, given the chance.
NerdsToGo Computer Repair Service in McKinney & Frisco Can Help!
Here at your local NerdsToGo, we offer all types of residential computer repair in McKinney, Frisco and nearby areas of TX. We can help you by upgrading your computer to the latest and greatest security software and provide on-going best practice tips to keep you and your family safe while online. No need to unplug and drag your computer in, our highly trained Nerds will come to you!
We also offer expert business IT solutions in Frisco, McKinney and nearby to help keep your business data safe through services like remote monitoring and management (RMM), custom cybersecurity solutions, networking & firewall services, and much more! Check out our technology solutions and IT support for business; then, feel free to give us a call at 496-325-3912. You can contact us online to schedule an on-site appointment with one of our Nerds.