A flaw in WinRAR puts millions at risk, the developers shrug it off

EDIT: As it turned out, RARLab was right, and Malwarebytes was wrong. In a recent turn of events, Malwarebytes recognized that this is not in fact a vulnerability as it requires too much user cooperation in order to work. The updated story can be found on this link.

Usually when a security firm finds a vulnerability in an app or a program, and notifies the developers, a patch is issued in a matter days, sometimes even hours.

Not when it comes to WinRAR. The guys over at RARLab have been reached out to by both Vulnerability Lab and Malwarebytes about a vulnerability which they say, on a danger scale of 1 to 10, is a 9.2.

They don't really buy the whole "vulnerability” story.

According to Vulnerability Lab and Malwarebytes, a victim could be infected by simply unzipping (or unrarring, I guess) a file. With people downloading a lot of compressed stuff every day, the two security firms agreed that more than 500 million users are at risk here.

Security researcher Mohammad Reza Espargham, who posted the proof-of-concept (PoC) and the manual steps needed to reproduce the attack, explained, “The code execution vulnerability can be exploited by remote attackers without privilege system user account or user interaction.”

RARLab renders all of this “useless”:

A “malicious hacker can take any executable, prepend it to archive and distribute to users. This fact alone makes discussing vulnerabilities in SFX archives useless,” RARLab wrote. “It is useless to search for supposed vulnerabilities in SFX module or to fix such vulnerabilities, because as any exe file, SFX archive is potentially dangerous for user's computer by design. As for any exe file, users must run SFX archives only if they are sure that such archive is received from a trustworthy source. SFX archive can silently run any exe file contained in archive and this is the official feature needed for software installers.”

What they’re basically saying is that any program can be created and compressed in a way that it installs automatically upon decompression.

“Limiting SFX module HTML functionality would hurt only those legitimate users, who need all HTML features, making absolutely no problem for a malicious person, who can use previous version SFX modules, custom modules built from UnRAR source code, their own code or archived executables for their purpose. We can only remind users once again to run exe files, either SFX archives or not, only if they are received from a trustworthy source.”

It doesn’t seem like we’re getting a patch.