WinRAR said it has patched a security hole that allows an attacker to extract malware anywhere on a user's hard drive. It is worth noting that this flaw has existed in WinRAR for nearly 20 years.
The flaw was discovered by researchers at the security firm Check Point Software Technologies, when they realized that WinRAR still supported the ACE archive format, which is no longer in use. They then discovered that WinRAR still relied on an insecure DLL file dating back to 2006.
In a blog post, the researchers explained how the security hole works. Specifically, they renamed an ACE file to give it a .rar extension.
When a user opens such a file, WinRAR can extract malicious programs into the computer's startup folder. The program will then run automatically the next time the computer boots up.
After the researchers informed WinRAR of their findings, the company fixed the flaw in version 5.70 beta 1 of the software. Instead of trying to patch the problem, WinRAR completely removed support for the ACE format, so the vulnerability can no longer be exploited.
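The following is an added example, not code from Check Point or WinRAR: it shows how a defender can spot an ACE archive disguised with a .rar extension by checking the file's header bytes rather than its name, and the path check an extractor needs so that an entry can never land outside the chosen output folder (such as in the startup folder). The signature values are standard format facts; the function names are this example's own.

```python
import os
from pathlib import PurePosixPath, PureWindowsPath

# Format signatures (standard facts, not taken from the article):
# RAR4 files start with "Rar!\x1a\x07\x00", RAR5 files with "Rar!\x1a\x07\x01\x00";
# ACE files carry the marker "**ACE**" at byte offset 7 of the first header.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
ACE_MAGIC_OFFSET = 7
ACE_MAGIC = b"**ACE**"


def classify_archive(header: bytes) -> str:
    """Return 'rar', 'ace' or 'unknown' from the first bytes of a file,
    ignoring the file extension entirely."""
    if any(header.startswith(m) for m in RAR_MAGICS):
        return "rar"
    if header[ACE_MAGIC_OFFSET:ACE_MAGIC_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC:
        return "ace"
    return "unknown"


def is_disguised_ace(filename: str, header: bytes) -> bool:
    """True when a file named *.rar is really an ACE archive (the trick
    described in the article); only the header decides, never the name."""
    return filename.lower().endswith(".rar") and classify_archive(header) == "ace"


def safe_extract_path(dest_dir: str, entry_name: str):
    """Resolve an archive entry name under dest_dir, or return None if the
    entry would land outside it (absolute path, drive letter, or '..')."""
    # Archive entries may use either separator; normalise to '/'.
    name = entry_name.replace("\\", "/")
    if (PureWindowsPath(entry_name).is_absolute()
            or PurePosixPath(name).is_absolute() or ":" in name):
        return None
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None
    dest = os.path.abspath(dest_dir)
    target = os.path.abspath(os.path.join(dest, *parts))
    # Final guard: the resolved target must still sit inside dest.
    if os.path.commonpath([dest, target]) != dest:
        return None
    return target
```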
It is still not clear whether any attacks have taken advantage of this security flaw for nearly two decades.
WinRAR also urges users to update their software to the latest version, to avoid the consequences that the old security hole may cause.