14-Year-Old Security Hole Found in WinRAR

Details at Ars Technica:

"The vulnerability was the result of an absolute path traversal flaw that resided in UNACEV2.DLL, a third-party code library that hasn’t been updated since 2005. The traversal made it possible for archive files to extract to a folder of the archive creator’s choosing, rather than the folder chosen by the person using the program. Because the third-party library doesn’t make use of exploit mitigations such as address space layout randomization, there was little preventing exploits."

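The defensive check that the quoted passage says was missing, as an added example that is not from the original post, WinRAR, or UNACEV2.DLL: before writing an archive entry, confirm its path resolves inside the folder the user chose. The function names, sample destination folder and entry names are hypothetical and constructed for illustration.

```python
import ntpath
from pathlib import PureWindowsPath


def resolve_member(dest_dir, member_name):
    """Return the normalised Windows target path for an archive entry,
    or None if the entry would land outside dest_dir."""
    name = member_name.replace("/", "\\")
    if not name or "\x00" in name:
        return None
    p = PureWindowsPath(name)
    # A drive letter (C:\x or C:x), a UNC share or a leading backslash means
    # the archive creator, not the user, is choosing the folder.
    if p.drive or p.root:
        return None
    dest = ntpath.normpath(dest_dir)
    # Collapse any ".." components, then require the result to stay under dest.
    target = ntpath.normpath(ntpath.join(dest, name))
    common = ntpath.commonpath([dest, target])
    if ntpath.normcase(common) != ntpath.normcase(dest):
        return None
    return target


def audit(dest_dir, member_names):
    """Split entry names into (accepted targets, rejected names)."""
    accepted, rejected = [], []
    for name in member_names:
        target = resolve_member(dest_dir, name)
        if target is None:
            rejected.append(name)
        else:
            accepted.append(target)
    return accepted, rejected


# Constructed sample data: a user-chosen folder and entry names as they
# might appear in an archive header.
DEST = r"C:\Users\alice\Downloads\out"
ENTRIES = [
    r"docs\readme.txt",             # ordinary relative entry
    r"C:\Users\alice\evil.exe",     # absolute path with drive letter
    r"\\server\share\evil.exe",     # UNC path
    r"..\..\evil.exe",              # relative traversal out of DEST
    "a/../b.txt",                   # harmless after normalisation
]

if __name__ == "__main__":
    ok, bad = audit(DEST, ENTRIES)
    print("accepted:", ok)
    print("rejected:", bad)
```
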
And it wasn’t noticed earlier because it only affects people who bought WinRAR? ;-)