WinRAR fixes High Severity Vulnerability, update recommended
Take action: Time to patch your never-paid-for but infinitely useful WinRAR program, and tell all your friends to patch too, because getting you to open a malicious RAR archive is going to be the next sport of ransomware criminals worldwide. All they have to do is send a successful phishing email. While you are at it, run a search for unrar.dll and unrar64.dll; if found, rename them to see which program fails. Those files, and the programs using them, are also vulnerable.
Learn More
A significant vulnerability has been patched in WinRAR, the famous (and rarely paid-for) file archiver utility for Windows operating systems.
The vulnerability, tracked as CVE-2023-40477 (CVSS score 7.8), allows execution of arbitrary commands on a target computer system when a specially crafted RAR file is opened. In simple terms, if an attacker sends the victim a malicious RAR file, the victim is compromised simply by opening the archive.
The vulnerability is attributed to improper validation of user-supplied data during the processing of recovery volumes, leading to memory access beyond allocated buffers.
Although the exploit requires user interaction, the severity rating of 7.8 under the CVSS system reflects that, from a practical standpoint, persuading a user to open a file isn't an insurmountable challenge. Given the extensive user base of WinRAR, attackers have ample opportunities for successful exploitation.
RARLAB promptly addressed this vulnerability by releasing WinRAR version 6.23 on August 2nd, 2023. This update not only rectifies the CVE-2023-40477 issue but also tackles another high-severity concern in which the wrong file could be launched from a specially crafted archive.
Update - The libraries unrar.dll and unrar64.dll, used by third-party applications, are also vulnerable. While some applications have released updates to resolve the issue, others are still using older versions of the library files, which remain vulnerable.
Administrators and home users should run searches for the two library files on their devices and then try to locate which program uses these libraries. Or just rename the DLL files and see what fails.
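The search-and-identify step above can be scripted rather than done by hand. The following PowerShell script is an added example (not from the article or from RARLAB) that inventories every copy of unrar.dll and unrar64.dll under the usual install locations, reports the folder (and therefore the program) that bundles each copy along with its file version, and lists running processes that currently have the DLL loaded. The minimum patched DLL version is a placeholder parameter, since the article does not state it; set it from the RARLAB release that shipped the fix before trusting the "ok" status.

```powershell
# Added example, not part of the original article.
# Inventory unrar.dll / unrar64.dll copies and the programs that own or have loaded them.
param(
    [string[]]$Roots = @('C:\Program Files', 'C:\Program Files (x86)', $env:LOCALAPPDATA, $env:ProgramData),
    # PLACEHOLDER: replace with the UnRAR DLL version that contains the fix.
    [version]$MinimumFixedVersion = [version]'0.0.0.0'
)

$names = @('unrar.dll', 'unrar64.dll')

# 1. Copies on disk. The parent folder usually names the program that bundles the DLL,
#    which answers "which program uses this library?" before anything is renamed.
$found = foreach ($root in $Roots) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Include $names -ErrorAction SilentlyContinue
}

$report = foreach ($f in $found) {
    $raw = $f.VersionInfo.FileVersion
    $ver = [version]'0.0.0.0'
    # FileVersion strings are free text; pull the leading dotted number if there is one.
    if ($raw -and ($raw -match '^\d+(\.\d+){1,3}')) { $ver = [version]$Matches[0] }
    [pscustomobject]@{
        Path        = $f.FullName
        Program     = $f.Directory.Name
        FileVersion = $raw
        Status      = if ($ver -lt $MinimumFixedVersion) { 'CHECK/UPDATE' } else { 'ok' }
    }
}

# 2. Processes that have one of the DLLs loaded right now (run elevated to see all of them;
#    access-denied on protected or other-bitness processes is expected and skipped).
$loaded = Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_
    try {
        $p.Modules | Where-Object { $names -contains $_.ModuleName } | ForEach-Object {
            [pscustomobject]@{ Process = $p.ProcessName; PID = $p.Id; Module = $_.FileName }
        }
    } catch { }
}

"=== unrar DLL copies on disk ==="
$report | Sort-Object Status, Path | Format-Table -AutoSize
"=== processes with an unrar DLL loaded ==="
$loaded | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the process scan covers services as well as the current user's applications. Anything reported as CHECK/UPDATE (or with no version string at all) is a candidate for the update-or-rename treatment the article describes; the Program and Process columns tell you which vendor's update to look for first.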
It's noteworthy that Microsoft is testing native support for RAR, 7-Zip, and GZ files on Windows 11. Consequently, third-party software like WinRAR may no longer be essential unless users require its advanced features.