==Security==
In February 2019, a major security vulnerability was discovered in the unacev2.dll library, used by WinRAR to decompress [[ACE (compressed file format)|ACE]] archives.<ref>{{Cite web|url=https://research.checkpoint.com/extracting-code-execution-from-winrar/|title=Extracting a 19 Year Old Code Execution from WinRAR|date=2019-02-20|website=Check Point Research|language=en-US|access-date=2019-03-13}}</ref><ref>{{Cite web|url=https://www.securityfocus.com/bid/106948|title=WinRAR Multiple Security Vulnerabilities|website=www.securityfocus.com|access-date=2019-03-13}}</ref> Consequently, WinRAR dropped support for the ACE format from version 5.70.

Self-extracting archives created with versions before 5.31 (including the executable installer of WinRAR itself) are vulnerable to [[DLL hijacking]]: they may load and use DLLs named UXTheme.dll, RichEd32.dll and RichEd20.dll if they are in the same folder as the executable file.<ref name="releases" /><ref>{{cite web|last1=Kanthak|first1=Stefan|title=Executable installers are vulnerable^WEVIL (case 25): WinRAR's installer and self-extractors allow arbitrary (remote) code execution and escalation of privilege|url=http://seclists.org/fulldisclosure/2016/Feb/58|website=SecLists.org|date=7 February 2016|access-date=2016-02-20|archive-url=https://web.archive.org/web/20160218030636/http://seclists.org/fulldisclosure/2016/Feb/58|archive-date=2016-02-18|url-status=live}}</ref>

It was widely reported that WinRAR v5.21 and earlier had a [[remote code execution]] (RCE) vulnerability which could allow a remote attacker to insert malicious code into a self-extracting executable (SFX) file being created by a user, "putting over 500 million users of the software at risk".<ref>{{cite web |url=https://wccftech.com/winrar-exploit-could-put-500-million-users-at-risk/ |title=WinRAR Exploit Could Put 500 Million Users at Risk |newspaper=Wccftech.com |date=September 2015 |author=Shaikh Rafia |access-date=29 September 2016 |archive-url=https://web.archive.org/web/20161001192221/http://wccftech.com/winrar-exploit-could-put-500-million-users-at-risk/ |archive-date=2016-10-01 |url-status=live }}</ref> However, examination of the claim revealed that, while the vulnerability existed, the result was merely an SFX which delivered its payload when executed; published responses dismissed the threat, one saying "If you can find suckers who will trust a .exe labelled as self-extracting archive ... then you can trick them into running your smuggled JavaScript".<ref>{{cite web |url=https://www.theregister.co.uk/2015/09/30/500m_winrar_users_open_to_remote_code_execution_zero_day/ |title=Smuggle mischievous JavaScript into WinRAR archives? Sure, why not |newspaper=The Register |date=30 September 2015 |author=Darren Pauli |access-date=29 September 2016 |archive-url=https://web.archive.org/web/20160927083336/http://www.theregister.co.uk/2015/09/30/500m_winrar_users_open_to_remote_code_execution_zero_day/ |archive-date=2016-09-27 |url-status=live }}</ref><ref>{{cite web |url=http://www.darknet.org.uk/2015/10/winrar-vulnerability-is-complete-bullshit/ |title=WinRAR Vulnerability Is Complete Bullshit |website=Darknet |date=1 October 2015 |access-date=29 September 2016 |archive-url=https://web.archive.org/web/20161002151612/http://www.darknet.org.uk/2015/10/winrar-vulnerability-is-complete-bullshit/ |archive-date=2016-10-02 |url-status=live }}</ref>

WinRAR 6.23 fixes a critical security vulnerability which allowed an attacker to automatically execute malware distributed in archives under some circumstances.<ref>{{Cite web |last=Goodin |first=Dan |date=2023-08-23 |title=WinRAR 0-day that uses poisoned JPG and TXT files under exploit since April |url=https://arstechnica.com/security/2023/08/winrar-0-day-that-uses-poisoned-jpg-and-txt-files-under-exploit-since-april/ |access-date=2023-08-23 |website=Ars Technica |language=en-us}}</ref>
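
A defender-side check for the DLL hijacking condition described above, as an added example that is not part of the original article: it walks a user-writable folder (such as a downloads directory) and reports every folder where an executable sits next to one of the three listed DLL names. The function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# DLL names the article lists as loadable from the executable's own folder.
HIJACKABLE = {"uxtheme.dll", "riched32.dll", "riched20.dll"}


def find_sideload_candidates(root):
    """Return sorted (relative_folder, dll_name, exe_names) tuples for each
    folder under root holding both an .exe and one of the listed DLLs.

    Intended for user-writable locations (downloads, temp, desktop); the
    Windows system directory legitimately contains these DLLs.
    """
    findings = []
    for folder, _dirs, files in os.walk(root):
        # Windows file names are case-insensitive, so compare in lower case.
        by_lower = {name.lower(): name for name in files}
        exes = tuple(sorted(n for n in files if n.lower().endswith(".exe")))
        if not exes:
            continue  # a DLL with no executable beside it is not this pattern
        rel = os.path.relpath(folder, root)
        for key in sorted(HIJACKABLE & by_lower.keys()):
            findings.append((rel, by_lower[key], exes))
    return sorted(findings)


def demo():
    """Build a constructed sample tree (hypothetical names) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "Downloads": ["setup-sfx.exe", "UXTheme.dll", "readme.txt"],
            "Downloads/clean": ["tool.exe", "helper.dll"],
            "Documents": ["RichEd20.dll"],  # no executable in this folder
        }
        for folder, names in layout.items():
            os.makedirs(os.path.join(root, folder))
            for name in names:
                open(os.path.join(root, folder, name), "wb").close()
        return find_sideload_candidates(root)


if __name__ == "__main__":
    for rel, dll, exes in demo():
        print(f"{rel}: {dll} next to {', '.join(exes)}")
```

A hit is a prompt to inspect the DLL's origin and signature, not proof of compromise, since some applications ship their own copies of these libraries.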