WinRAR Removes ACE Support to fix 19-Year-Old Vulnerability

Post by smed79 » Fri Feb 22, 2019 9:16 pm

WinRAR Removes ACE Support to fix 19-Year-Old Vulnerability
WinRAR Version 5.70 wrote:
Nadav Grossman from Check Point Software Technologies informed us
about a security vulnerability in UNACEV2.DLL library.
Aforementioned vulnerability makes possible to create files
in arbitrary folders inside or outside of destination folder
when unpacking ACE archives.

WinRAR used this third party library to unpack ACE archives.
UNACEV2.DLL had not been updated since 2005 and we do not have access
to its source code. So we decided to drop ACE archive format support
to protect security of WinRAR users.

Check Point Research blog post detailing how it works
https://research.checkpoint.com/extract ... om-winrar/

Video demo
https://www.youtube.com/watch?v=R2qcBWJzHMo

Update WinRAR
https://www.rarlab.com/download.htm
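The release note quoted above describes files being created outside the destination folder during unpacking. The following is an added example, not part of the original post and not WinRAR or UNACEV2.DLL code: a destination check an extractor can apply to each stored member name before writing. The function names, the destination path and the sample names are constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS


def resolve_member(dest_dir, member_name):
    """Return the path a member would be written to under dest_dir.

    Raises ValueError when the stored name would place the file outside
    dest_dir. Hypothetical helper for illustration.
    """
    name = member_name.replace("/", "\\")
    drive, tail = ntpath.splitdrive(name)
    # "C:\x", "C:x" and "\\host\share\x" all carry a drive or UNC prefix;
    # "\x" is rooted on the current drive; ":" later in the name would
    # address an NTFS alternate data stream.
    if drive or tail.startswith("\\") or ":" in tail or "\x00" in tail:
        raise ValueError(f"not a plain relative name: {member_name!r}")
    dest = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(dest, tail))
    # Compare whole components, case-insensitively, so that "..\out2\x"
    # does not pass just because "out2" starts with "out".
    common = ntpath.commonpath([dest, target])
    if ntpath.normcase(common) != ntpath.normcase(dest):
        raise ValueError(f"escapes destination: {member_name!r}")
    return target


def audit(dest_dir, member_names):
    """Map each stored name to its resolved path or to the rejection reason."""
    report = {}
    for name in member_names:
        try:
            report[name] = ("ok", resolve_member(dest_dir, name))
        except ValueError as exc:
            report[name] = ("rejected", str(exc))
    return report


# Constructed sample listing; not taken from any real archive.
DEST = r"C:\Users\alice\Downloads\out"
SAMPLE = ["docs\\readme.txt", "sub/../ok.txt", "..\\..\\outside.txt",
          "C:\\elsewhere\\x.txt", "C:x.txt", "\\\\host\\share\\x.txt",
          "\\rooted.txt", "..\\out2\\x.txt", "notes.txt:stream"]

if __name__ == "__main__":
    for name, (verdict, detail) in audit(DEST, SAMPLE).items():
        print(f"{verdict:8} {name!r} -> {detail}")
```

The check resolves the name first and compares afterwards, so a name such as `sub/../ok.txt` that stays inside the destination is accepted while every form that leaves it is refused.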