A flaw in WinRAR puts millions at risk, the developers shrug it off

EDIT: As it turned out, RARLab was right, and Malwarebytes was wrong. In a recent turn of events, Malwarebytes recognized that this is not in fact a vulnerability as it requires too much user cooperation in order to work. The updated story can be found on this link.

Usually when a security firm finds a vulnerability in an app or a program and notifies the developers, a patch is issued in a matter of days, sometimes even hours.

Not when it comes to WinRAR. Both Vulnerability Lab and Malwarebytes have reached out to the guys over at RARLab about a vulnerability which, they say, rates a 9.2 on a danger scale of 1 to 10.

They don't really buy the whole “vulnerability” story.

According to Vulnerability Lab and Malwarebytes, a victim could be infected by simply unzipping (or unrarring, I guess) a file. With people downloading a lot of compressed stuff every day, the two security firms agreed that more than 500 million users are at risk here.

Security researcher Mohammad Reza Espargham, who posted the proof-of-concept (PoC) and the manual steps needed to reproduce the attack, explained, “The code execution vulnerability can be exploited by remote attackers without privilege system user account or user interaction.”

RARLab renders all of this “useless”:

A “malicious hacker can take any executable, prepend it to archive and distribute to users. This fact alone makes discussing vulnerabilities in SFX archives useless,” RARLab wrote. “It is useless to search for supposed vulnerabilities in SFX module or to fix such vulnerabilities, because as any exe file, SFX archive is potentially dangerous for user's computer by design. As for any exe file, users must run SFX archives only if they are sure that such archive is received from a trustworthy source. SFX archive can silently run any exe file contained in archive and this is the official feature needed for software installers.”

What they’re basically saying is that any program can be created and compressed in a way that it installs automatically upon decompression.
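Because an SFX archive is just an executable stub with RAR data appended, the practical defensive check is to identify what a downloaded file really is before running it, regardless of its extension. The following is an added illustration, not code from RARLab, Malwarebytes or Vulnerability Lab: it looks for the documented RAR signature bytes, and labels a file as a plain archive, a plain executable, or an SFX archive (a PE header followed by an embedded archive). The sample inputs are constructed byte strings, not real binaries.

```python
"""Classify a file as a plain RAR archive, a plain PE executable, or a RAR
self-extracting (SFX) executable: a PE stub with RAR archive data appended.

Added example for illustration only; not code from RARLab, Malwarebytes or
Vulnerability Lab. The sample inputs at the bottom are constructed.
"""
from __future__ import annotations

# Archive signatures as documented in the RAR format: the RAR 4.x marker and the
# RAR 5 marker differ in the byte that follows "Rar!\x1a\x07" (0x00 vs 0x01).
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
RAR_PREFIX = b"Rar!\x1a\x07"
MZ_MAGIC = b"MZ"  # DOS/PE executable header


def find_rar_signatures(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, version) for every RAR archive signature found in ``data``."""
    hits: list[tuple[int, str]] = []
    start = 0
    while True:
        pos = data.find(RAR_PREFIX, start)
        if pos == -1:
            break
        if data.startswith(RAR5_SIG, pos):
            hits.append((pos, "RAR5"))
        elif data.startswith(RAR4_SIG, pos):
            hits.append((pos, "RAR4"))
        start = pos + 1
    return hits


def classify(data: bytes) -> str:
    """Label the container type by content, ignoring the file extension."""
    sigs = find_rar_signatures(data)
    is_pe = data.startswith(MZ_MAGIC)
    if is_pe and any(offset > 0 for offset, _ in sigs):
        # Executable stub carrying an embedded archive: this is what an SFX looks like,
        # and it runs as a program, not as data, when opened.
        return "sfx-archive"
    if is_pe:
        return "pe-executable"
    if sigs and sigs[0][0] == 0:
        return "rar-archive"
    return "other"


def classify_file(path: str) -> str:
    """Convenience wrapper: classify a file on disk."""
    with open(path, "rb") as fh:
        return classify(fh.read())


# Constructed samples (not real binaries): a fake PE stub, a fake RAR5 archive,
# and the two joined in the order an SFX archive is built (stub first, archive after).
FAKE_STUB = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32
FAKE_RAR = RAR5_SIG + b"\x00" * 16
FAKE_SFX = FAKE_STUB + FAKE_RAR

if __name__ == "__main__":
    for name, blob in (("stub", FAKE_STUB), ("rar", FAKE_RAR), ("sfx", FAKE_SFX)):
        print(f"{name}: {classify(blob)}")
```

The check only says what kind of container a file is; it says nothing about whether the contents are trustworthy, which is exactly RARLab's point. Its value for a defender is that a file labelled `sfx-archive` should be handled with the same caution as any other executable from the same source, whatever it is called or how it was described when it was received.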

“Limiting SFX module HTML functionality would hurt only those legitimate users, who need all HTML features, making absolutely no problem for a malicious person, who can use previous version SFX modules, custom modules built from UnRAR source code, their own code or archived executables for their purpose. We can only remind users once again to run exe files, either SFX archives or not, only if they are received from a trustworthy source.”

It doesn’t seem like we’re getting a patch.

Sead Fadilpašić

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.