Older trial versions of the WinRAR unpacker have a security flaw that attackers on the same network can abuse under certain conditions, and, depending on the attack scenario, only after a certain user interaction with the program, to execute arbitrary malicious code on a target computer. The vulnerability was fixed in WinRAR 6.02 in June, but is now attracting attention because the person who discovered the bug published a detailed blog post about it last week.
Outdated trial version as a potential danger
WinRAR is a very popular software tool in this country for packing and unpacking archive files such as ZIP or RAR. Many users have installed the free trial version, which can initially be used in full and then falls into a restricted nagware mode in which it regularly asks the user to pay for the full version. The security problem lies precisely in this function: since many users presumably only use WinRAR to unzip archives downloaded from the Internet, it is likely that a significant number of them continue to use outdated free versions indefinitely.
WinRAR versions older than the fixed version 6.02 should be replaced by a newer version as soon as possible, especially if they are (vulnerable) trial versions. Administrators in companies in particular should be aware of the security vulnerability: the technical restriction that it can only be abused from the same network makes it of particular interest to attackers who have already gained a foothold in a larger network, for example in a company.
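For an administrator who wants to act on this advice, the practical first step is to find every WinRAR build below 6.02 in a software inventory. The following is an added example, not code from the article, from Positive Technologies or from RARLAB; the inventory records (hostname, display name, display version) are constructed and the column layout is an assumption about what an inventory export would contain.

```python
"""Triage a software inventory for WinRAR builds older than 6.02 (the fixed
release named in the article). Added example; the inventory format below is
an assumption and the records are constructed, not real hosts."""
import re
from typing import Optional, Tuple

FIXED_VERSION = (6, 2)  # WinRAR 6.02 is the first release with the fix

# Constructed sample export: (hostname, DisplayName, DisplayVersion), in the
# shape an inventory tool reading the Windows uninstall keys might produce.
INVENTORY = [
    ("ws-001", "WinRAR 6.02 (64-bit)", "6.02.0"),
    ("ws-002", "WinRAR 5.91 (64-bit)", "5.91.0"),
    ("ws-003", "WinRAR 6.00 beta 2 (32-bit)", "6.0.0"),
    ("ws-004", "7-Zip 19.00 (x64)", "19.00"),            # not WinRAR, skipped
    ("ws-005", "WinRAR 6.10 (64-bit)", "6.10.0"),
    ("ws-006", "WinRAR", ""),                            # version missing
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from strings such as '6.02.0' or '5.91', else None.

    Comparing as integers matters: as strings, '6.10' would sort below '6.02'."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def winrar_version(display_name: str, display_version: str) -> Optional[Tuple[int, int]]:
    """Prefer DisplayVersion; fall back to the number embedded in DisplayName."""
    return parse_version(display_version) or parse_version(display_name)


def triage(inventory):
    """Bucket hostnames into 'vulnerable' (< 6.02), 'ok' (>= 6.02) and
    'unknown' (WinRAR present but no parseable version, so it cannot be cleared)."""
    result = {"vulnerable": [], "unknown": [], "ok": []}
    for host, name, version in inventory:
        if not name.lower().startswith("winrar"):
            continue
        v = winrar_version(name, version)
        if v is None:
            result["unknown"].append(host)
        elif v < FIXED_VERSION:
            result["vulnerable"].append(host)
        else:
            result["ok"].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

Hosts that land in the "unknown" bucket deserve a manual look rather than being treated as patched; a missing version string is exactly the kind of gap an outdated trial install tends to leave in an inventory.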
Exploitability with restrictions
The security gap stems from the fact that the information screen with which WinRAR asks the user to pay for the software is rendered by the MSHTML / Trident library. This is the old HTML rendering engine from Microsoft’s Internet Explorer, which developers can also embed in their own projects. In this specific case, the WinRAR developers used the Borland C++ implementation of MSHTML. The MSHTML library itself contains a remote code execution vulnerability (CVE-2021-40444), which becomes exploitable here via the WinRAR screen.
If an attacker on the same network manages to manipulate the ARP traffic of the attacked system (ARP spoofing) and thereby redirect the victim’s requests to a website under his control, the vulnerable WinRAR window executes arbitrary malicious code of the attacker’s choosing. At this point a second possible limitation on exploitability comes into play: depending on the file type of the malicious code, the attacked user may be shown a security warning that requires user interaction (confirming that execution continues with a mouse click). On the one hand, this warning is not shown for certain file extensions; on the other hand, in the experience of the vulnerability’s discoverer, such prompts are often overlooked and simply clicked away in everyday work.
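Because the attack chain above depends on rebinding an IP address (typically the gateway) to the attacker’s MAC address on the local segment, the defender-side signal is an IP-to-MAC change in observed ARP replies. The following is an added example, not code from the article or from Positive Technologies: it runs the classic arpwatch-style check over constructed ARP reply records and shows why seeding a known-good baseline matters when the attacker’s reply may be the first one a monitor ever sees.

```python
"""Flag ARP replies that rebind an IP address to a different MAC, the
same-network precondition for the redirection described above. Added
example; the reply records are constructed, not a real capture."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed observations: (timestamp, sender IP, sender MAC). In practice
# these come from a packet capture or a switch's ARP/DHCP-snooping log.
ARP_REPLIES: List[Tuple[str, str, str]] = [
    ("10:00:01", "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate
    ("10:00:02", "192.168.1.20", "aa:bb:cc:00:00:20"),
    ("10:00:05", "192.168.1.1", "aa:bb:cc:00:00:01"),
    ("10:01:10", "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP rebound to another MAC
    ("10:01:11", "192.168.1.1", "de:ad:be:ef:00:99"),
    ("10:01:12", "192.168.1.30", "de:ad:be:ef:00:99"),  # same MAC also claims a second IP
]


def detect_arp_conflicts(
    replies: Iterable[Tuple[str, str, str]],
    watch: Tuple[str, ...] = ("192.168.1.1",),
    baseline: Optional[Dict[str, str]] = None,
) -> List[str]:
    """Return alert lines for IP->MAC rebinding and for one MAC claiming several IPs.

    `watch` lists addresses (gateway, DNS, proxy) whose rebinding is rated HIGH.
    `baseline` seeds the IP->MAC table with known-good pairs so that a spoofed
    reply is caught even when it is the first reply seen for that address."""
    ip_to_mac: Dict[str, str] = {k: v.lower() for k, v in (baseline or {}).items()}
    mac_to_ips: Dict[str, set] = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts: List[str] = []

    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            sev = "HIGH" if ip in watch else "MEDIUM"
            alerts.append(f"{ts} {sev} {ip} changed {prev} -> {mac}")
        ip_to_mac[ip] = mac

        # Alert once per newly claimed address, not on every repeated reply.
        first_time_for_mac = ip not in mac_to_ips[mac]
        mac_to_ips[mac].add(ip)
        if first_time_for_mac and len(mac_to_ips[mac]) > 1:
            alerts.append(f"{ts} MEDIUM {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_conflicts(ARP_REPLIES):
        print(line)
```

A MAC legitimately answering for several addresses (a router with secondary IPs, a host with virtual interfaces) will trigger the MEDIUM rule, so that rule is a triage hint rather than a verdict; the HIGH rule on a seeded gateway baseline is the one worth paging on, and static ARP entries or switch-side dynamic ARP inspection remove the precondition altogether.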
Further details on the WinRAR vulnerability, which according to its discoverer was assigned the ID CVE-2021-35052, can be found in the blog of the security company Positive Technologies. Given the limitations on exploiting the loophole, most home users shouldn’t have to worry too much. Still, it doesn’t hurt to keep trialware tools up to date – especially when this software routinely processes downloads from unknown sources.