Software experts explain why a WinRar bug remained undetected for 19 years

Last month, WinRar patched a 19-year-old bug that allowed hackers to execute arbitrary code on a targeted system.

The security flaw, which could have potentially impacted 500m users, was discovered by researchers at Check Point.

Researchers said the flaw allowed hackers to extract a compressed executable file from an ACE archive to a location where it runs automatically the next time the Windows machine is rebooted.

Before the update, WinRar was using a third-party tool to unzip ACE files which had not been updated since 2005.

WinRar responded to Check Point’s report by issuing a 5.70 beta 1 update to fix the vulnerability, but didn’t release a statement about why the bug went undetected for such a long time.

Third-party package

In an emailed statement, Eran Kinsbruner, director, lead software evangelist at Perfecto, said: “Unfortunately, this can happen when a legacy app uses and depends on a third-party package or library that is owned and maintained by another company.

“The bug can go undetected or ignored because the main app vendor (in this case, WinRar) can be left with no visibility into processes, lifecycle, software delivery schedule (and more), and less control of features such as security,” he added.

To help prevent these sorts of situations, companies should request security audits to identify security vulnerabilities and other issues, Kinsbruner said.

“Companies in this situation should request security audits and testing to guarantee high quality and security prior to embedding this software into their products.”

DevSecOps

Paul Farrington, EMEA CTO at Veracode, said the emergence of DevSecOps is also providing evidence that frequent scanning can cut down on the amount of time known vulnerabilities exist without being fixed.

According to Farrington, some organisations have recognised that embedding security design and testing directly into the continuous software delivery cycle is essential to achieving the DevSecOps principle of balancing speed, flexibility and risk management.

“Until now, it’s been challenging to pinpoint the benefits of this approach, but our latest State of Software Security report provides hard evidence indicating organisations with more frequent scans are fixing flaws more quickly,” he said.

“Our data on flaw persistence shows organisations with established DevSecOps programs and practices greatly outperform their peers in how quickly they address flaws. The report found that organisations which implement DevSecOps are able to address flaws more than ten times faster.

“However, it takes time to fix security flaws. The report showed that 25% of flaws were fixed within 21 days, but the final 25% remained open well after a year of discovery. Developers simply can’t wave a magic wand over the portfolio to fix them in an instant, or even a week, or a month. In addition, many other factors come into play – product release cycles, quality assessment, and business criticality of applications – which change the rate at which certain vulnerabilities are fixed.”
