08-19-2023 , 11:59 AM
WinRAR V6.23 Fix-winrar-flaw-lets-hackers-run-programs-when-you-open-rar-archives
Mitigating the risk
RARLAB released WinRAR version 6.23 on August 2nd, 2023, effectively addressing CVE-2023-40477. Therefore, WinRAR users are strongly advised to apply the available security update immediately.
Download:-
https://www.win-rar.com/download.html?&L=0
I have V6.22. Just downloaded V6.23 and Installed. WinRAR retained my existing license.
Article:-
www.bleepingcomputer.com/news/security/winrar-flaw-lets-hackers-run-programs-when-you-open-rar-archives/
A high-severity vulnerability has been fixed in WinRAR, the popular file archiver utility for Windows used by millions, that can execute commands on a computer simply by opening an archive.
The flaw is tracked as CVE-2023-40477 and could give remote attackers arbitrary code execution on the target system after a specially crafted RAR file is opened.
The vulnerability was discovered by researcher "goodbyeselene" of Zero Day Initiative, who reported the flaw to the vendor, RARLAB, on June 8th, 2023.
"The specific flaw exists within the processing of recovery volumes," reads the security advisory released on ZDI's site.
"The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer."
As a target needs to trick a victim into opening an archive, the vulnerability's severity rating drops down to 7.8, as per the CVSS.
However, from a practical perspective, deceiving users into performing the required action shouldn't be overly challenging, and given the vast size of WinRAR's user base, attackers have ample opportunities for successful exploitation.
Please move into correct Thread if this not the correct Thread.