A brief note for people who use unpackers like WinRAR and depend on the ACE format or can’t fix the discovered vulnerability (CVE-2018-20250) in UNACEV2.DLL. There is a micro-patch available to fix the vulnerability.
I reported about the vulnerability (CVE-2018-20250) in the file UNACEV2.DLL, which is used by several programs like WinRAR, in the blog post Vulnerababe UNACEV2.DLL puts software like WinRAR at risk. In WinRAR the developers have removed the library and will not offer ACE support in the new WinRAR version. The background is that the developers at RARLAB do not have the source code for the affected DLL. They have therefore decided to remove the DLL from their product.
However, there is a security problem with virus scanners or applications that have to unpack archives in ACE format. It is not possible to remove the DLL, but it is vulnerable under Windows. The people from 0patch e-mailed me this weekend:
I saw your article about the current WinRAR vulnerability related to ACE files and thought you might also be interested that although RARLAB doesn’t have the source code for the affected DLL and has therefore decided to remove it from its product, it is not possible to remove it from its product.
At 0patch, however, we have [closed] the vulnerability with a] micropatch. With this free micropatch, users who don’t want to update WinRAR or who don’t even know that there is a vulnerability can close the vulnerability so that it can no longer be exploited.
Of course, this also applies to all software that uses the DLL in question. Details about the facts and the micropatch can be found on this 0patch blog post.