A high-severity security flaw has been disclosed within the WinRAR utility that could possibly be doubtlessly exploited by a menace actor to realize distant code execution on Home windows methods.
Tracked as CVE-2023-40477 (CVSS rating: 7.8), the vulnerability has been described as a case of improper validation whereas processing restoration volumes.
“The problem outcomes from the dearth of correct validation of user-supplied knowledge, which may end up in a reminiscence entry previous the tip of an allotted buffer,” the Zero Day Initiative (ZDI) stated in an advisory.
“An attacker can leverage this vulnerability to execute code within the context of the present course of.”
Profitable exploitation of the flaw requires person interplay in that the goal should be lured into visiting a malicious web page or by merely opening a booby-trapped archive file.
A security researcher, who goes by the alias goodbyeselene, has been credited with discovering and reporting the flaw on June 8, 2023. The problem has been addressed in WinRAR 6.23 launched on August 2, 2023.
“A security difficulty involving out of bounds write is mounted in RAR4 restoration volumes processing code,” the maintainers of the software program stated.
The most recent model additionally addresses a second difficulty whereby “WinRAR may begin a fallacious file after a person double clicked an merchandise in a specifically crafted archive.” Group-IB researcher Andrey Polovinkin has been credited for reporting the issue.
Customers are really helpful to replace to the newest model to mitigate potential threats.