Tech News Center
CBU TECH MINUTE

Samsung announced a plethora of new products at its Unpacked event in San Francisco this week, so you can imagine what’s being discussed on today’s Vergecast.

The much-anticipated Fortnite World Cup is finally happening this summer — and there’s going to be a lot of money up for grabs. Developer Epic detailed the upcoming e-sports event, which will culminate in a final tournament at an undisclosed location in New York from July 26th to the 28th.

Photoshopping a meme is easy. But hunting through thrift stores, finding the perfect action figure to Frankenstein with another toy, designing and packaging it into a slightly off but believable product, and sneaking it onto a store shelf takes a little bit more work. Since 2015, Jeff Wysaski has been making fake signs and toys and leaving them out in the real world for people to find.

Two-factor authentication is a good way to add an extra layer of security to online accounts. It requires the use of your smartphone, however, which is not only inconvenient, but it can be a problem if your phone is lost or breached. Hardware security keys can offer an extra layer of security to password-protected online accounts and, in turn, your identity. Security keys connect to your system using USB-A, USB-C, or Bluetooth, and they are small enough to be carried on a keychain (with the exception of Yubico’s USB-C nano key, which is so small that it’s safest when kept in your computer’s USB port).

Warning: Critical WinRAR Flaw Affects All Versions Released In Last 19 Years
February 21, 2019

Beware, Windows users: a dangerous new remote code execution vulnerability has been discovered in the WinRAR software, affecting hundreds of millions of users worldwide.

Cybersecurity researchers at Check Point have disclosed technical details of a critical vulnerability in WinRAR, a popular Windows file compression application with 500 million users worldwide, that affects all versions of the software released in the last 19 years. The flaw resides in the way an old third-party library used by the software, UNACEV2.DLL, handles the extraction of files compressed in the ACE archive format. Although the flaw concerns ACE archives, WinRAR detects the format by the content of the file and not by its extension, so attackers can merely change the .ace extension to .rar to make the archive look normal.

The researchers found an "Absolute Path Traversal" bug in the library that could be leveraged to execute arbitrary code on a targeted system when it attempts to uncompress a maliciously crafted archive using a vulnerable version of the software.

The path traversal flaw allows attackers to extract compressed files to a folder of their choice rather than the folder chosen by the user, leaving an opportunity to drop malicious code into the Windows Startup folder, where it would automatically run on the next reboot.

As the researchers showed, to take full control of a targeted computer, all an attacker needs to do is convince the user to open a maliciously crafted archive file using WinRAR.
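The two properties described above (format detection by content rather than extension, and entry names that leave the chosen folder) can both be checked before an archive is handed to an extractor. The Python sketch below is an added example, not code from Check Point or WinRAR; the function names, the signature offset for plain ACE archives, and the sample headers and entry names are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumption: plain (non-SFX) ACE archives carry "**ACE**" at byte offset 7.
ACE_MAGIC, ACE_OFFSET = b"**ACE**", 7

def is_ace(header: bytes) -> bool:
    """Identify ACE by content, ignoring whatever extension the file carries."""
    return header[ACE_OFFSET:ACE_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC

def escapes_destination(entry_name: str) -> bool:
    """True if an entry name could be written outside the folder the user chose."""
    path = PureWindowsPath(entry_name)
    if path.drive or path.root:      # C:\x, C:x, \\server\share\x, \x
        return True
    return ".." in path.parts        # relative climb out of the destination

def triage(filename: str, header: bytes, entry_names: list[str]) -> list[str]:
    """Return findings for one archive; an empty list means nothing was flagged."""
    findings = []
    if is_ace(header) and not filename.lower().endswith(".ace"):
        findings.append(f"{filename}: ACE content behind a non-.ace extension")
    for name in entry_names:
        if escapes_destination(name):
            findings.append(f"{filename}: entry {name!r} leaves the destination folder")
    return findings

# Constructed sample data (not taken from any real archive).
ACE_HEADER = b"\x00" * 7 + ACE_MAGIC + b"\x00" * 8
RAR_HEADER = b"Rar!\x1a\x07\x00" + b"\x00" * 8

if __name__ == "__main__":
    sample_entries = ["docs\\readme.txt", "C:\\ProgramData\\example\\run.txt"]
    for line in triage("invoice.rar", ACE_HEADER, sample_entries):
        print(line)
```

`PureWindowsPath` applies Windows path rules on any host OS, so the same check can run on a Linux mail gateway that screens attachments destined for Windows users.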

Update WinRAR

Since the WinRAR team had lost the source code of the UNACEV2.DLL library in 2005, it decided to drop UNACEV2.DLL from its package to fix the issue and released WinRAR version 5.70 beta 1, which doesn't support the ACE format.

Windows users are advised to install the latest version of WinRAR as soon as possible and avoid opening files received from unknown sources.