WinRAR Is Fine. As Usual, Windows Is To Blame For Supposed ‘Vulnerability’

When it was reported last year that WinRAR had an unpatched security flaw, everyone (including us) was quick to pounce. Few, however, seem to have noticed that WinRAR wasn’t at fault — there’s nothing wrong with the archiver. In fact, old favourite Windows was to blame, and even then, the problem was fixed back in 2014.

Image: Moyan Brenn / Flickr, licensed under Creative Commons 2.0

The source of the WinRAR “flaw” was actually an issue with Windows’ Object Linking and Embedding (OLE) functionality. As WinRAR’s own patch notes explain, because the problem lies with Microsoft, there isn’t anything for developer RARLAB to patch:

Information about the critical vulnerability in WinRAR self-extracting archives published in news in September and October 2015 is incorrect. Unfortunately mass media failed to recognize that what was described as WinRAR vulnerability is Windows OLE vulnerability patched in November 2014.

Even Malwarebytes posted a retraction once its own testing revealed WinRAR wasn’t at fault:

We have been in communication with WinRAR and performing our own in-depth analysis of the threat to identify that what we described in our post was simply a new attack vector that could mask itself as any executable.

Users of WinRAR have nothing to worry about as they are not being targeted nor is the WinRAR product itself malicious or allowing malicious files to be run on the system. We have since removed our post on the subject.

While WinRAR may have been eclipsed by the likes of 7-Zip over the years, the application and its developer shouldn’t be lynched for something they aren’t responsible for.

On top of this, if you haven’t updated your operating system for two years and regularly open random executables from the internet, don’t act surprised when your system is compromised.

So, apologies to RARLAB for jumping the gun.

About a supposed WinRAR self-extracting (SFX) archives vulnerability: Part 2 [RARLAB, via Malwarebytes]

