The WinRAR flaw is not really a flaw, Malwarebytes apologizes

Security firm Malwarebytes recently unveiled a vulnerability in WinRAR, the popular compression program which, according to the firm, has put millions of its users at risk.

The program's developers, RARLab, shrugged it off saying it's not really a vulnerability. It turns out they were right, and Malwarebytes apologized for its mistakes.

As it turns out this vulnerability is more an attack vector that only works with the users’ cooperation, Malwarebytes wrote. “The vulnerability was fixed by Microsoft in November of 2014.”

RARLab’s response to the matter was that without this patch, every software utilizing MS Internet Explorer components including Internet Explorer itself can be vulnerable.

“The entire attack is based on vulnerabilities in Windows OLE MS14-064 patched in November 2014. System installed the patch are safe. System without patch must install it. Without this patch every software utilizing MS Internet Explorer components including Internet Explorer itself can be vulnerable to specially crafted HTML page allowing code execution. WinRAR SFX module displays HTML in start dialog, so it is affected too, but components of Internet Explorer are used in a huge number of different tools, not just in WinRAR SFX archives,” it wrote.

Malwarebytes apologized for its mistakes, saying that the attack takes too much user cooperation to be considered a vulnerability in WinRAR.

“I would like to apologize to WinRar as this is not a vulnerability in their software. It takes too much user cooperation and even then it does not run the resulting code in an elevated manner.”

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has been featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.