According to a user on the Bitcoin subreddit, there is an exploit on a common version of WinRAR that enables the potential theft of coins. The bug, which allowed executable code to be inserted on a system after opening a RAR file, has apparently existed…
According to a user on the Bitcoin subreddit, there is an exploit on a common version of WinRAR that enables the potential theft of coins. The bug, which allowed executable code to be inserted on a system after opening a RAR file, has apparently existed for 14 years but is only recently coming to light. Now that it’s common knowledge, exploits are likely to be written for unpatched systems.
Updating WinRAR to the latest version (from an official source) will patch the problem. But WinRAR is one of the most common pieces of software out there, with an estimated 500 million users.
The user writes:
“Here is how it works. You open the wrong rar file with an unpatched version of winrar and a payload is dropped in to your windows startup folder. Which means on reboot you will load up an exe. And nobody ever updates their winrar. […] So there are probably at least a 100 million computers with an unpatched version of winrar on it.”
Enabling the execution of code means that something designed to circumvent or steal the contents of Bitcoin wallets could pretty easily proliferate. Bitcoin shouldn’t be used on general purpose computers in the first place. If it is, anti-virus software is a must. It all depends on what you’re willing to risk. Some people only store their coins in “cold” (offline) wallets. Others only use hardware wallets.
The bug is a result of a library that WinRAR relies upon to process ACE archive files. The most obvious execution method would require an escalation of WinRAR’s privileges. So the researchers who discovered the bug figured out a way to execute with typical privileges by moving the exploit around on the hard drive. WinRAR has decided to no longer support ACE files.
“WinRAR has always been known for its wide support of all popular compression formats. […] Since UNACEV2.DLL had not been updated since 2005 and access to its source code is not available, the decision was made to drop ACE archive support starting with WinRAR 5.70. Now, after the launch of the final and stable version of WinRAR 5.70, upgrading immediately to the new 5.70 version is highly recommended.”
The episode underlines a consistent problem with crypto security: we are only as secure as the environments we operate in. Windows is historically the least secure but most popular operating system. Good security practices are crucial if one is attempting to store any significant amount of cryptocurrency. Unlike a previous era where hacks and exploits might at most be an annoyance, the age of crypto means that attackers have a direct financial incentive to compromise any aspect of an operating environment.
Last modified: January 10, 2020 2:44 PM UTC