There is a gaping security hole that has yet to be patched in the popular file compression software WinRAR. The vulnerability affects the latest version of the software.
The bug allows remote attackers to make a compressed self-extracting (SFX) archive file and execute code on a computer when it is opened through WinRAR. This is done through HTML code in the text display window when the file is created, as shown below:
There is currently no patch for this vulnerability, so users of WinRAR 5.21 are advised to exercise caution when opening SFX files from unknown sources and to download the patch as soon as it is made available through WinRAR.
[Via Malware Bytes]
Comments
12 responses to “WinRAR Security Vulnerability Still Waiting For A Patch”
Or just use 7-zip
People….. actually use winrar? wat. I’m sorry, are you from the past?
@bigtbafe – nice IT Crowd quote 🙂
Logged in just to troll – “1997 called and they want their files unzipped”
Edited to add to troll “WinRAR security vulnerability affecting 17 of its 82 users”
PeaZip works well for me. I haven’t used WinRAR for yonks.
Guys… I still use WinRAR… *runs and hides*
Me too
I use WinRAR. 7 Zip’s UI is utter arse. Having said that I do not run self executing archives from anyone, trusted or not.
Agreed, 7Zip’s interface is rubbish. WinRAR is intuitive and easy to use. Runs fast, opens everything. Been using it for AGES and still love it. Don’t understand the WinRAR hate 🙁
Why all the hate for WinRAR?
I use both WinRAR and 7-ZIP. Purely because WinRAR offers a recovery record feature while 7-ZIP (because of the design of the compressor) can’t offer such a feature.
So if it’s important, WinRAR still has its uses thanks to the recovery record which improves the chances of getting most or all of the archive out if there is corruption.
Imagine if the security update was only available for the paid version.
Our developer posted a statement to this article, please see here: http://www.rarlab.com/vuln_sfx_html.htm
Executable files are potentially dangerous by design. Run them only if they are received from a trustworthy source. WinRAR self-extracting (SFX) archives are not less or more dangerous than other exe files.
Description
As reported by http://www.vulnerability-lab.com/get_content.php?id=1608, it is possible to create SFX archive with a specially crafted HTML text, which will download and run an arbitrary executable on a user computer. Let’s see if it creates any additional risks for users.
WinRAR self-extracting archive is an executable file.
User is not able to easily verify if executable part is a genuine WinRAR SFX module or some other code, so any malicious code can be included immediately to executable module of SFX archive. Malicious hacker can take any executable, prepend it to archive and distribute to users. This fact alone makes discussing vulnerabilities in SFX archives useless.
Also SFX module provides the official documented function to run any executable file contained in SFX archive on a user computer, so there is no need to implement hackish ways to achieve the same. This can be done with “Setup” script command or its “Setup program/Run after extraction” WinRAR GUI equivalent. “Silent” script command or its “Silent mode/Hide start dialog” WinRAR GUI equivalent allow to skip the start dialog, so an archived executable will be started immediately, without user intervention. “Overwrite” script command helps to avoid the overwrite prompt in case an extracted file already exists. “Path” command specifies a name of folder in “Program Files” to store unpacked files.
It is useless to search for supposed vulnerabilities in SFX module or to fix such vulnerabilities, because as any exe file, SFX archive is potentially dangerous for user’s computer by design. As for any exe file, users must run SFX archives only if they are sure that such archive is received from a trustworthy source. SFX archive can silently run any exe file contained in archive and this is the official feature needed for software installers.
In other words, instead of that complicated proof of concept video mentioned in the report linked above, it would be simpler to place putty.exe into RAR SFX archive and add following commands to archive comment:
Setup=putty.exe
Silent
Overwrite
Path=puttyfolder
If downloading from Internet is preferred, a tool to download and run an executable from the net can be also specified in “Setup” command.
Taking all this into account, we can say that limiting SFX module HTML functionality would hurt only those legitimate users, who need all HTML features, making absolutely no problem for a malicious person, who can use previous version SFX modules, custom modules built from UnRAR source code, their own code or archived executables for their purpose. We can only remind users once again to run exe files, either SFX archives or not, only if they are received from a trustworthy source.
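An added example, not code from the article, the commenters or RARLAB: a triage check over an SFX archive's comment script that reports the behaviours the statement above describes (run after extraction, hidden start dialog, suppressed overwrite prompt) and HTML or URLs in the text window. It assumes the comment text has already been extracted from the archive by other means; the function names, finding labels and sample scripts are constructed for illustration.

```python
import re

# Constructed samples. The first is the script quoted in the statement above.
SAMPLE_SILENT = "Setup=putty.exe\nSilent\nOverwrite\nPath=puttyfolder\n"
SAMPLE_PLAIN = "; plain extraction dialog\nPath=docs\nTitle=Project documents\n"
SAMPLE_HTML = ('Text\n{\n<html><body><img src="http://example.invalid/logo.png">'
               "</body></html>\n}\n")


def parse_sfx_script(comment):
    """Split an SFX comment script into {command: [values]} and the Text body."""
    commands, text, in_text = {}, [], False
    for raw in comment.splitlines():
        line = raw.strip()
        if in_text:                      # inside a Text { ... } block
            if line == "}":
                in_text = False
            elif line != "{":
                text.append(line)
            continue
        if not line or line.startswith(";"):   # blank line or script comment
            continue
        name, _, value = line.partition("=")
        name, value = name.strip().lower(), value.strip()
        if name == "text":
            if value:
                text.append(value)       # single-line form: Text=<string>
            else:
                in_text = True           # multi-line form starts here
        else:
            commands.setdefault(name, []).append(value)
    return commands, "\n".join(text)


def triage(comment):
    """Return findings for the behaviours the statement describes."""
    cmds, text = parse_sfx_script(comment)

    def enabled(name):
        # Assumption: a bare command or any value except "0" switches it on.
        return any(v != "0" for v in cmds.get(name, []))

    findings = []
    if "setup" in cmds:
        findings.append("runs-after-extract:" + ",".join(cmds["setup"]))
        if enabled("silent"):
            findings.append("no-start-dialog")
    if enabled("overwrite"):
        findings.append("no-overwrite-prompt")
    if re.search(r"<\s*\w+[^>]*>|https?://", text, re.I):
        findings.append("html-or-url-in-text-window")
    return findings
```

A non-empty result is a reason to inspect the archive contents with an extraction tool rather than running the .exe; an empty result says nothing about the executable stub itself, which the statement notes can be replaced.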
It applies only to sfx files which are basically an archive combined with a program to decompress it. They are an executable, they have an .exe extension.
So you’re saying that running an executable from an unknown source is potentially dangerous? No shit.
This is not a winrar security vulnerability. This is a vulnerability inherent to executables.
PeaZip here, previously 7-Zip, previously Winrar. Once you go open source you never look back in anger.