Threat Management, Malware, Vulnerability Management

Hack U: Ariana Grande file is one of 100+ ways attackers are exploiting WinRAR bug

Researchers from McAfee have observed more than 100 different exploits for a now-patched 19-year-old remote code execution vulnerability in the WinRAR compression tool ever since the path traversal bug was disclosed last month.

One of the more unique exploit attempts to infect unpatched victims with malware using a bootlegged copy of Ariana Grande's "Thank U, Next" album as a lure, reports Craig Schmugar, principal engineer and senior security research architect at McAfee, in a March 14 company blog post.

"When a vulnerable version of WinRAR is used to extract the contents of this archive, a malicious payload is created in the Startup folder behind the scenes," explains Schmugar. "User Account Control (UAC) does not apply, so no alert is displayed to the user. The next time the system restarts, the malware is run."

With more 500 million users (according to the WinRAR website), WinRAR is used to create and view archives in .rar or .zip file formats, as well as unpack various archive files.

Revealed last February by researchers at Check Point Software Technologies, the flaw, CVE-2018-20250, affects WinRAR versions 5.61 and earlier. The problem was fixed in version 5.70, which was issued in a beta release last January and again in a stable release on Feb. 26.

The entry for CVE-2018-20250 in NIST's National Vulnerability Database states that the bug emerges in unpatched versions "when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path... This logical bug allows the extraction of a file to an arbitrary location which is effectively code execution."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.