Google Threat Analysis Group (TAG) has published details about a newly found vulnerability in WinRAR, a truly legendary piece of Windows software. According to TAG, numerous government-backed actors have been actively exploiting the vulnerability since the beginning of this year. What makes the situation much worse is that WinRAR has no automatic update mechanism. Therefore, you need to update the app manually to version 6.23 or 6.24 to avoid the risk.
CVE-2023-38831 is a logical vulnerability that causes spurious expansion of a temporary file, combined with specifics of Windows' ShellExecute when opening a file with a space in its extension (.png_, for example, where the underscore stands for the space). As a result, attackers can execute arbitrary code when the target user opens an innocent-looking file, such as a PDF or PNG, inside a ZIP archive.
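As an added example (not code from the article or from Google TAG), the following Python scanner applies the indicator described above, a space following the extension in an archive entry name, to every path component of every entry in a ZIP file. The sample archive it inspects is constructed inline as a benign fixture; the severity labels and regexes are this example's own choices.

```python
import io
import re
import zipfile

# High confidence: the path component ends with ".ext" plus trailing spaces,
# e.g. "report.pdf " (the article writes the space as .pdf_ to make it visible).
TRAILING_SPACE_EXT = re.compile(r"\.[^./\\ ]{1,10} +$")
# Lower confidence: ".ext" followed by a space somewhere inside the component.
# This catches variants of the same trick but can also hit names like
# "v1.2 release.txt", so it is reported at a lower severity.
EMBEDDED_SPACE_EXT = re.compile(r"\.[A-Za-z0-9]{1,10} ")


def scan_zip(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (severity, entry_name) findings for one ZIP given as raw bytes.

    Every path component is checked, so a directory named with the
    space-after-extension pattern is reported as well as a plain file.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            for component in name.split("/"):
                if not component:
                    continue  # empty component from a directory's trailing "/"
                if TRAILING_SPACE_EXT.search(component):
                    findings.append(("high", name))
                    break
                if EMBEDDED_SPACE_EXT.search(component):
                    findings.append(("medium", name))
                    break
    return findings


def build_sample_archive() -> bytes:
    """Constructed fixture (not a real sample): a decoy-looking entry whose
    extension is followed by a space, a folder using the same name, and an
    ordinary entry that must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("training-program.pdf ", b"%PDF-1.4 placeholder")
        zf.writestr("training-program.pdf /notes.txt", b"placeholder")
        zf.writestr("readme.txt", b"ordinary file")
    return buf.getvalue()


if __name__ == "__main__":
    for severity, entry in scan_zip(build_sample_archive()):
        print(f"[{severity}] {entry!r}")
```

Running it against an inbound archive before extraction gives a cheap triage signal; a "high" hit on a document-looking name is worth quarantining for manual review.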
According to Google (via The Verge), multiple government-backed groups have been actively using the vulnerability to steal data and cryptocurrency. For example, the SANDWORM group launched an email campaign targeting Ukraine's energy sector with a decoy PDF document posing as a training program for drone operators.
Google's TAG says the vulnerability remains highly effective even though a patch is available. This highlights the importance of keeping your software up to date. Sadly, one of the most popular Windows apps still has no built-in update mechanism, which is why the vulnerability has been so effective.
WinRAR users have three options: update WinRAR and continue using it; ditch the app in favor of alternatives such as 7-Zip or its fork, NanaZIP; or stop using third-party archivers altogether. The latest Windows 11 feature update introduced native support for many archive formats, such as RAR, TAR, 7Z, and more. And even though the upgraded File Explorer is not as fast as a dedicated app, it can still get the job done. Of course, if you frequently work with archives, patching your WinRAR copy as soon as possible is the best option.