Bitcoin Forum

Other => Beginners & Help => Topic started by: o_e_l_e_o on March 08, 2019, 07:44:45 PM



Title: Winrar exploit - update now
Post by: o_e_l_e_o on March 08, 2019, 07:44:45 PM
Saw this post on reddit earlier: https://www.reddit.com/r/Bitcoin/comments/ayoz1k/hey_everybody_patch_your_winrar_or_lose_coins/

Long story short, there is an exploit in Winrar which allows an attacker to deploy a .exe file to your startup folder whenever you extract an archive, thereby automatically executing it next time you restart. This is obviously a massive risk to anyone who holds coins in a desktop wallet. You should update Winrar immediately to the latest version from here: https://www.rarlab.com/download.htm. Alternatively delete Winrar altogether and use 7zip instead (but don't be fooled into thinking that any piece of software is completely safe). Edit: As NeuroticFish points out below, 7zip also had a security vulnerability discovered last year, so if you are currently using that, you should update it too.

And if you aren't already, use a hardware wallet.


Title: Re: Winrar exploit - update now
Post by: NeuroticFish on March 08, 2019, 08:19:59 PM
You only get a pop-up which notifies you that the trial has already ended every time you open WinRAR.

I've used WinRAR like that for a number of years, but it didn't feel OK. Now I use 7zip. It's free and it's as good as WinRAR.

Alternatively delete Winrar altogether and use 7zip instead (but don't be fooled into thinking that any piece of software is completely safe).

If you (we) advertise 7zip, it's fair to tell that 7zip also had a nasty vulnerability last year, so if anybody still has an ancient version of 7zip, that needs update too.


Title: Re: Winrar exploit - update now
Post by: wwzsocki on March 09, 2019, 12:50:35 PM
Thank you @o_e_l_e_o, I am actually using an old version of WinRar on my desktop together with my wallets, so yes, I am/was affected for sure.

I am out of merits right now, but when I get my first smerit it will fly your way as soon as possible.

You only get a pop-up which notifies you that the trial has already ended every time you open WinRAR.

If anybody wants to use WinRar legally the price excluding VAT is € 29,95 and this is a lifetime license.

I think it should be freeware, especially for personal use, not shareware, because 7zip and other programs like this are all gratis. Winrar is the only paid one in this group.


Title: Re: Winrar exploit - update now
Post by: Awesomus Maximus on March 09, 2019, 12:56:46 PM
If you (we) advertise 7zip, it's fair to tell that 7zip also had a nasty vulnerability last year, so if anybody still has an ancient version of 7zip, that needs update too.

Thanks for the warning! I have given up on winrar a long time ago, using 7zip as a substitute. But, I haven't updated in a while, so again thanks for this information.


Title: Re: Winrar exploit - update now
Post by: hugeblack on March 09, 2019, 05:58:38 PM
Is it not strange that hacker attacks are becoming common in popular applications that we use frequently and trust by default? "Metamask, MEGA, ...etc"

If you (we) advertise 7zip, it's fair to tell that 7zip also had a nasty vulnerability last year, so if anybody still has an ancient version of 7zip, that needs an update too.
Thank you, I'm using a very old version of that application and I have not updated it for a while.
I did not have a problem with that app, but it's better to update it. Thanks for the warning.


Title: Re: Winrar exploit - update now
Post by: o_e_l_e_o on March 09, 2019, 07:48:36 PM
Is it not strange that hacker attacks are becoming common in popular applications that we use frequently and trust by default? "Metamask, MEGA, ...etc"
It's very concerning. The WinRAR exploit was from a .dll file which hadn't been updated in 14 years. WinRAR did not have access to this .dll file's source code, so they just had to drop it altogether in the latest update. It's kind of similar to the CoPay wallet hack last year, where someone was granted admin rights to a unmaintained dependency of the wallet, and the wallet then pulled in the malicious code. Even if you completely trust the writers of the program you are using, and even if you look at the code yourself, it becomes an impossible task to personally audit every dependency/file for every piece of software.

It makes a really good argument for hardware wallets.


Title: Re: Winrar exploit - update now
Post by: Crypto Girl on March 10, 2019, 08:06:12 AM
Thanks for the heads up, though my hardware wallet isn't connected to my desktop that has the old winrar application, so I think this is at least a relief for me.

If anybody wants to use WinRar legally the price excluding VAT is € 29,95 and this is a lifetime license.
How much will the VAT be? Does it depend on the country I'm residing in?


Title: Re: Winrar exploit - update now
Post by: wwzsocki on March 10, 2019, 02:08:37 PM
Thanks for the heads up, though my hardware wallet isn't connected to my desktop that has the old winrar application, so I think this is at least a relief for me.

If anybody wants to use WinRar legally the price excluding VAT is € 29,95 and this is a lifetime license.
How much will the VAT be? Does it depend on the country I'm residing in?

Yes, this depends on the country you are actually residing in, @Crypto Girl, and making the purchase from, because you will be redirected to the proper page.

Additionally, I have information from the Winrar page about the license and program usage after the 40-day free period.

Purchase of a WinRar license
After the forty-day trial period, you must uninstall WinRAR (Control Panel / Add or Remove Programs) or purchase a license that will allow you to continue to use WinRAR permanently and without restrictions. The WinRAR software license is for life. Prices and ordering options can be found on this page. Private individuals only need one license for all computers used in their own homes. With a single license, you can install and use the program on all computers belonging to the buyer.

You should buy a license because thanks to this:
-You are motivating us to continue working on WinRAR
-You can use WinRAR for commercial applications
-You have the right to access technical support via e-mail and WinRAR Service Centers around the world

The main licensing rules
-The license will be issued electronically, in the form of a key file, and the installation program is downloaded from the winrar website.
-The WinRAR license will be issued by name in your name or company name.
-We cannot change, return, or cancel the license after purchase. Test WinRAR for 40 days free of charge before ordering. During the testing period, the program is fully usable and has no functional limitations.


Title: Re: Winrar exploit - update now
Post by: Velkro on March 10, 2019, 03:48:57 PM
Long story short, there is an exploit in Winrar which allows an attacker to deploy a .exe file to your startup folder whenever you extract an archive
This is so critical I can't stress this enough.
I'm very surprised: I checked many security websites I tend to visit sometimes, and they didn't mention it yet.
The Bitcoin community is the first to alert people about this, so fast.


Title: Re: Winrar exploit - update now
Post by: o_e_l_e_o on March 10, 2019, 04:36:38 PM
This is so critical I can't stress this enough.
Its potential implications are far wider reaching than stealing bitcoins as well. A .exe file dropped in a Windows start-up folder could achieve anything from stealing data, encrypting your hard drive and asking for a ransom, keylogging, you name it. With an estimated 500 million WinRAR users, and who knows how many archives being downloaded and extracted every day, it's only a matter of time before someone takes advantage of this exploit big style. I'm sure there will be many individuals, and quite a few companies, hit with an attack of some sort using this method.


Title: Re: Winrar exploit - update now
Post by: Kakmakr on March 10, 2019, 05:59:15 PM
The question is, if they are aware of the exploit, why have they not patched it and distributed the update? I have been using 7Zip and WinZip and WinRAR for years without noticing any strange behavior, but I have several AV and malware detection programs running on my computers.

I also use several other OS like Tails and Linux for different uses, so one exploit in one software will never stop me from doing my thing. I also use Virtual machines for the testing of new software, to prevent critical infections.  ;D


Title: Re: Winrar exploit - update now
Post by: Artemis3 on March 11, 2019, 02:23:48 AM
The question is, if they are aware of the exploit, why have they not patched it and distributed the update? I have been using 7Zip and WinZip and WinRAR for years without noticing any strange behavior, but I have several AV and malware detection programs running on my computers.

I also use several other OS like Tails and Linux for different uses, so one exploit in one software will never stop me from doing my thing. I also use Virtual machines for the testing of new software, to prevent critical infections.  ;D

7zip can open all file types, and can definitely make zip files, so there is zero reason to keep WinZip and WinRAR. 7zip is free open source software, and that should be enough reason to give it priority.

In Linux other compression algorithms have now taken the spot, such as xz. I think 7zip can handle those too. There is 7z for Linux of course.


Title: Re: Winrar exploit - update now
Post by: o_e_l_e_o on March 11, 2019, 06:26:12 AM
-snip-
The latest versions of WinZip, WinRAR, and 7zip can all support .xz files.

I agree about swapping to 7zip, but with the caveat that I pointed out in my first post, and also by NeuroticFish above - open source doesn't automatically mean safe. Always be careful.


Title: Re: Winrar exploit - update now
Post by: UserU on March 11, 2019, 07:36:13 AM
Thanks for the heads up! I'll update mine ASAP.

And for something like this to happen not long after the Chrome 0-day attack, just wow...


Title: Re: Winrar exploit - update now
Post by: DdmrDdmr on March 11, 2019, 02:41:26 PM
We should really be updating our winrar program asap if we intend to keep on using it. According to Bleeping Computer, there is already a malspam campaign running that exploits the rar vulnerability (see Malspam Exploits WinRAR ACE Vulnerability to Install a Backdoor (https://www.bleepingcomputer.com/news/security/malspam-exploits-winrar-ace-vulnerability-to-install-a-backdoor/)).

The article describes a malspam campaign distributing a malicious rar file which, once extracted, ends up connecting to a site and downloading various files, among which is the Cobalt Strike Beacon DLL, used by hackers to gain control of your computer.


Title: Re: Winrar exploit - update now
Post by: yesiam6 on March 13, 2019, 09:11:06 PM
Thank you very much o_e_l_e_o, I updated my Winrar, but how could this exploit stay undetected for 14 years?
Are there any other cases of this exploit having been used in the past?


Title: Re: Winrar exploit - update now
Post by: HCP on March 13, 2019, 10:34:13 PM
Thank you very much o_e_l_e_o, I updated my Winrar, but how could this exploit stay undetected for 14 years?
Much the same way that the Electrum "error notification" exploit went undetected for so long... basically, no-one was looking for it, so no-one found it... The exploit wasn't in WinRAR itself, but in a bundled .DLL file for the ACE archiver, that the WinRAR devs did not have access to the source code for.

To make use of this exploit, you needed to craft a malicious .ace archive (which could be renamed to .rar) that abused the way the ACE archiver dealt with file paths. Essentially, you could trick the archiver into extracting files to ANY file path, regardless of what the user selected.

The implications of this are that you could then cause an arbitrary file to be extracted to the Windows "start-up" folder that would then be executed when the computer was next restarted...


Are there any other cases of this exploit having been used in the past?
As far as I'm aware, there are no known cases of this exploit having been used prior to the current "malspam" attack that was launched after the exploit became public and the exploit generator script was published on github.
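The post above explains the root cause: the ACE extractor trusted the file path stored inside the archive, so a crafted member name could land a file anywhere on disk, the start-up folder included. As an added example (not code from this thread, nor from WinRAR, 7-Zip or any real archiver), here is the member-name validation a defensive extractor should apply before writing anything. The member names in SAMPLE_MEMBERS are constructed for illustration, and the destination directory /tmp/extract is an assumption.

```python
"""Validate untrusted archive member paths before extraction.

Added example, not code from the forum thread or from any archiver.
The defensive rule is simple: a member name is data chosen by whoever
built the archive, so it must never be allowed to pick the output
location. Every accepted name must resolve strictly under the
destination directory the user selected.
"""
import posixpath
import re

# Constructed sample of member names as an extractor might read them from
# an archive's directory. The traversal-style entries are illustrative only.
SAMPLE_MEMBERS = [
    "docs/readme.txt",
    "images/logo.png",
    "../outside.txt",
    "C:\\Users\\victim\\file.txt",
    "\\\\server\\share\\file.txt",
    "/etc/passwd",
    "a/../../b.txt",
    "sub/./ok.txt",
]

# Windows drive prefix such as "C:"; a member name must never carry one.
_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def classify_member(name: str) -> str:
    """Return 'ok' or a short reason why the member name must be rejected."""
    # Normalise Windows separators so a single set of checks covers both styles.
    n = name.replace("\\", "/")
    if n == "" or n.strip() != n:
        return "empty-or-padded"
    if _DRIVE_RE.match(n):
        return "drive-letter"
    if n.startswith("//"):
        return "unc-path"
    if n.startswith("/"):
        return "absolute"
    parts = [p for p in n.split("/") if p not in ("", ".")]
    if any(p == ".." for p in parts):
        return "traversal"
    if not parts:
        return "empty-or-padded"
    return "ok"


def safe_join(dest: str, name: str) -> str:
    """Join dest and name, raising ValueError if the result would leave dest."""
    reason = classify_member(name)
    if reason != "ok":
        raise ValueError(f"rejected {name!r}: {reason}")
    base = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(base, name.replace("\\", "/")))
    # Containment check independent of the string rules above: the resolved
    # target must sit strictly below the destination directory.
    if target != base and not target.startswith(base + "/"):
        raise ValueError(f"rejected {name!r}: escapes destination")
    return target


def triage(members, dest="/tmp/extract"):
    """Split member names into (accepted target paths, rejected (name, reason))."""
    accepted, rejected = [], []
    for m in members:
        reason = classify_member(m)
        if reason == "ok":
            accepted.append(safe_join(dest, m))
        else:
            rejected.append((m, reason))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = triage(SAMPLE_MEMBERS)
    for t in ok:
        print("extract ->", t)
    for name, why in bad:
        print("REJECT  ", repr(name), why)
```

The point of the second, path-based containment check in safe_join is that it does not depend on a blocklist of bad locations: the start-up folder is just one of many directories outside the chosen destination, and any name that resolves outside that destination is refused regardless of where it points.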