Is NewsLeecher also affected with the winrar security vulnerability?

Post your questions here if you need help to use NewsLeecher or if you have a question about a feature.

Post Reply
playbook
Posts: 2
Joined: Fri Feb 22, 2019 1:47 am

Is NewsLeecher also affected with the winrar security vulnerability?

Post by playbook » Fri Feb 22, 2019 1:57 am

Hello. I just learned that winrar has a 19 year old security vulnerability that allows hackers the ability automatically run code upon extraction of a .rar file.

As reported here https://research.checkpoint.com/extract ... om-winrar/

or via a less technical news story here http://worldlingnews.com/winrar-patched ... ulnerable/

My question, is NewsLeecher 7 also affected by this vulnerabilty?

How exactly does NewsLeecher automatically extract .rar files, does it use winrar that is installed on the PC, or does it use its own (non-winrar) tools?

I noticed there is a unrar.dll within the newsleecher install folder, is that what is used by Newsleecher to extract rar files?

If so does it share the same vulnerability discovered in winrar?

Thanks in advance for your answers.

psypher
Posts: 19
Joined: Sun Nov 18, 2007 11:03 pm

Re: Is NewsLeecher also affected with the winrar security vulnerability?

Post by psypher » Sun Mar 24, 2019 2:52 pm

Correction. It's just the main software UI from Winrar which handles ACE archives which is affected. NL just uses the library for RAR archives. So if you use the actual WinRAR software for other things, you should update it to the latest version, 5.70

playbook
Posts: 2
Joined: Fri Feb 22, 2019 1:47 am

Re: Is NewsLeecher also affected with the winrar security vulnerability?

Post by playbook » Mon Apr 01, 2019 6:52 am

psypher wrote:
Sun Mar 24, 2019 2:52 pm
Correction. It's just the main software UI from Winrar which handles ACE archives which is affected. NL just uses the library for RAR archives. So if you use the actual WinRAR software for other things, you should update it to the latest version, 5.70
Thanks for the info. I have already updated my copy of winrar to the latest patched version, my only worry was if newsleecher's independent rar archive library was also affected.

What happens If newsleecher auto extracts a .rar file that happens to contain a .ace file inside the .rar file, will it automatically (without request) also extract the .ace file? Or is the rar library alone (without UI) not capable of extracting . ace files, and thus it just leaves the .ace file alone in the extracted folder (and does not run it)?

Essentially this is the security vulnerability as i understand it; when a user extracts a .rar file, winrar would automatically extract any .ace file within it, even if it was not asked to do so.


Thanks for your response.

Who is online

Users browsing this forum: No registered users and 8 guests