Skip to content

DEV Community

Andrew (he/him)

Posted on Feb 20, 2019

14-Year-Old Security Hole Found in WinRAR

#news #link

Details at arstechnica:

"The vulnerability was the result of an absolute path traversal flaw that resided in UNACEV2.DLL, a third-party code library that hasn’t been updated since 2005. The traversal made it possible for archive files to extract to a folder of the archive creator’s choosing, rather than the folder chosen by the person using the program. Because the third-party library doesn’t make use of exploit mitigations such as address space layout randomization, there was little preventing exploits."

Top comments (3)

Subscribe

Olivier “Ölbaum” Scherler • Feb 20 '19

And it wasn’t noticed earlier because it only affects people who bought WinRAR? ;-)

Sébastien Vercammen • Feb 22 '19

19-year old bug.

Researchers who found it, and how: research.checkpoint.com/extracting...

Andrew (he/him) • Feb 22 '19

Wow! That's a really detailed explanation!

Read next

Async vs. Defer: A Simple Explanation of Script Loading

Ankan Talukdar - Nov 7

Tech Watch 3

56kode - Nov 7

Strongly typed web APIs with gRPC

Niko Kiirala - Nov 7

A Comprehensive Guide to Dockerfile Creation with Explanation of Key Commands

Manikanta - Nov 7

Andrew (he/him)

Got a Ph.D. looking for dark matter, but not finding any. Now I code full-time. Je parle un peu français.

Location

Ottawa, Canada
Education

Ph.D. in [Astroparticle] Physics
Pronouns

he / him
Work

Principal Consultant at Improving
Joined

Sep 15, 2018

Code is Political

#blacklivesmatter #politics #history #news

20 Reasons to Move On from Java 8

Darwinism in Programming Language Proliferation

#news #discuss #languagetheory