A significant-severity security flaw has been disclosed in the WinRAR utility that could be likely exploited by a risk actor to attain distant code execution on Windows devices.
Tracked as CVE-2023-40477 (CVSS rating: 7.8), the vulnerability has been described as a circumstance of improper validation although processing recovery volumes.
“The issue outcomes from the lack of appropriate validation of user-provided information, which can final result in a memory accessibility past the conclusion of an allocated buffer,” the Zero Working day Initiative (ZDI) explained in an advisory.
“An attacker can leverage this vulnerability to execute code in the context of the existing method.”
Productive exploitation of the flaw involves person interaction in that the goal have to be lured into browsing a destructive website page or by simply opening a booby-trapped archive file.
A security researcher, who goes by the alias goodbyeselene, has been credited with getting and reporting the flaw on June 8, 2023. The issue has been tackled in WinRAR 6.23 introduced on August 2, 2023.
“A security issue involving out of bounds generate is preset in RAR4 restoration volumes processing code,” the maintainers of the software package stated.
The most up-to-date model also addresses a 2nd issue whereby “WinRAR could start a completely wrong file immediately after a consumer double clicked an merchandise in a specially crafted archive.” Group-IB researcher Andrey Polovinkin has been credited for reporting the dilemma.
Buyers are recommended to update to the most recent model to mitigate likely threats.
Discovered this short article appealing? Stick to us on Twitter and LinkedIn to study much more special material we put up.
Some parts of this posting are sourced from: