2023-10-18

Key Takeaways

WinRAR's popularity is being threatened by Windows 11's native support for compression formats, but users should update the software because a security vulnerability is being exploited by state-sponsored actors.

The vulnerability allowed threat actors to execute malicious code when users opened seemingly harmless files within ZIP archives.

The exploitation of the vulnerability highlights the importance of keeping software up to date and the need for vendors to offer easier ways to update software.

WinRAR is one of the most used compression utilities out there, although Windows 11 might be looking to make a dent in its popularity with native support for the 7Z, RAR, and TAR.GZ formats. However, those who use WinRAR should update the software as soon as possible, as a security vulnerability is reportedly being exploited by certain state-sponsored actors.

In a blog post penned by Google, the company says that its Threat Analysis Group (TAG) has identified multiple instances of hacking groups utilizing a now-patched vulnerability in WinRAR. According to Google, the archiving software contained a bug that caused "extraneous temporary file expansion when processing crafted archives, combined with a quirk in the implementation of Windows' ShellExecute when attempting to open a file with an extension containing spaces." In practice, a threat actor could execute malicious code when a user opened a seemingly harmless file inside a ZIP archive.
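The telltale of the mechanism described above can be screened for before an archive ever reaches WinRAR: a file entry whose extension contains whitespace, sitting next to a directory entry of the same name that holds a runnable file. The script below is an added example, not code from the article, from Google TAG or from RARLabs; the archives it inspects are built in memory from constructed, inert text content, and the list of runnable extensions is this example's own choice.

```python
"""Heuristic scanner for ZIP archives showing the entry pattern the
article describes: a file whose extension contains whitespace next to
a directory of the same name.  Added example; the sample archives are
constructed fixtures with harmless content."""
import io
import re
import zipfile

# Extensions Windows treats as directly runnable (chosen for this example,
# not taken from the article).
EXECUTABLE_EXTS = {".exe", ".cmd", ".bat", ".com", ".vbs", ".js", ".ps1", ".scr", ".lnk"}


def _ext(name: str) -> str:
    """Extension of the last path component, keeping any whitespace that
    follows the dot, so 'report.pdf ' yields '.pdf '."""
    base = name.rstrip("/").rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[1] if "." in base else ""


def scan_entry_names(names: list[str]) -> list[str]:
    """Apply the heuristics to archive entry names and return findings."""
    files = [n for n in names if not n.endswith("/")]
    # Directories: explicit entries plus those implied by file paths.
    dirs = {n.rstrip("/") for n in names if n.endswith("/")}
    dirs.update(f.rsplit("/", 1)[0] for f in files if "/" in f)

    findings = []
    for f in files:
        if re.search(r"\s", _ext(f)):
            findings.append(f"whitespace inside extension: {f!r}")
    for d in sorted(dirs):
        # A file whose name equals a directory name once trailing
        # whitespace is ignored is the shape to worry about.
        for f in (f for f in files if f.rstrip() == d.rstrip()):
            findings.append(f"file {f!r} shadows directory {d!r}")
            for g in (g for g in files if g.startswith(d + "/")):
                if _ext(g).strip().lower() in EXECUTABLE_EXTS:
                    findings.append(f"runnable file inside shadowed directory: {g!r}")
    return findings


def scan_zip_bytes(data: bytes) -> list[str]:
    """Scan a ZIP held in memory; only the central directory is read."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return scan_entry_names(zf.namelist())


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content}; names ending in '/' become directories."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed fixtures: plain text only, no payload of any kind.
SUSPICIOUS = build_archive({
    "report.pdf ": b"decoy document",
    "report.pdf /": b"",
    "report.pdf /report.pdf .cmd": b"placeholder text",
})
BENIGN = build_archive({
    "report.pdf": b"%PDF-1.4 placeholder",
    "images/": b"",
    "images/logo.png": b"not really a png",
})

if __name__ == "__main__":
    for label, blob in ("suspicious", SUSPICIOUS), ("benign", BENIGN):
        findings = scan_zip_bytes(blob)
        print(f"{label}: {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

Because the check reads only entry names, it can run at a mail gateway or file share without extracting anything; the three findings on the constructed archive (whitespace in the extension, a file shadowing a same-named directory, a runnable file inside that directory) are independent signals, so a single hit is worth a look even when the others are absent.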

Although the security hole was plugged by WinRAR developer RARLabs in August 2023, multiple hacking groups such as FROZENBARENTS, FROZENLAKE, and ISLANDDREAMS have been exploiting the bug in unpatched installations to run malicious campaigns in several countries, including Ukraine and Papua New Guinea.

The key reason behind the widespread exploitation is that WinRAR does not update itself automatically, so anyone still running an older version remains exposed. As of now, WinRAR versions 6.23 and 6.24 contain the fix in question.
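Since WinRAR will not update itself, the practical follow-up is an inventory sweep that compares each installed version against the first fixed release named above (6.23). The snippet below is an added example, not code from the article or from RARLabs; the hostnames and version strings are constructed, and the only assumption is that some inventory tool reports a version string per host.

```python
"""Flag WinRAR installs older than the first fixed release the article
names (6.23).  Added example; the inventory is constructed sample data."""
import re

FIRST_FIXED = (6, 23)


def parse_version(text: str) -> tuple[int, int]:
    """Extract major.minor from strings such as '6.23', '5.91' or
    'WinRAR 6.22 (64-bit)' as integers, so comparison is numeric rather
    than lexical."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(version_text: str) -> bool:
    """True when the reported version predates the fixed release."""
    return parse_version(version_text) < FIRST_FIXED


def audit(inventory: dict[str, str]) -> list[str]:
    """Return hosts still running a pre-fix WinRAR, sorted by hostname."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed inventory: hostname -> version string as a software agent
# might report it.
INVENTORY = {
    "ws-finance-01": "6.22",
    "ws-finance-02": "WinRAR 6.23 (64-bit)",
    "ws-legal-07": "5.91",
    "srv-build-03": "6.24",
    "ws-hr-11": "6.02",
}

if __name__ == "__main__":
    for host in audit(INVENTORY):
        print(f"{host}: WinRAR {INVENTORY[host]} needs updating to 6.23 or later")
```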

Google has noted that the spread of this exploit not only emphasizes the importance of users keeping their software up to date, but also the need for vendors to offer easier ways to update software. If you're curious about how the vulnerability is exploited or want to know about the associated indicators of compromise (IOCs), make sure to check out the company's detailed blog post.