Critical Vulnerability Found in WinRAR Could Affect Millions of Users

It’s unclear how many users are affected by the exploit, though WinRAR proudly claims 500 million users on its site. Best be careful with the archives you open.

The flaw was discovered by Iranian researcher Mohammad Reza Espargham of Vulnerability Lab, who posted his findings on Full Disclosure.

A file by the name of WinRAR SFX v5.21 was recently seeded on the internet that gives users the ability to exploit the computer. “The vulnerability allows remote attackers to unauthorized execute system specific code to compromise [sic] a target system”, explained Espargham.

Additionally, the statement continued, cybercriminals are able to take an executable file and “prepend it to archive and distribute to users”. A victim could receive a legitimate-looking archive (or even an empty one) that silently sets up an exploit in the background or steals data when it’s executed. Exploitation happens when the SFX archive file is run: malicious code executes, delivered as HTML code that was written into a text display window when the file was created. Espargham rated the flaw at 9.2 on the Common Vulnerability Scoring System (CVSS).

“This fact alone makes discussing vulnerabilities in SFX archives useless”, RARLab wrote. The developer says a self-extracting (SFX) archive is an executable in itself, something that requires careful handling to begin with. It would be just as easy for attackers to bundle a malicious executable instead of using the SFX archive. “It is useless to search for supposed vulnerabilities in SFX module or to fix such vulnerabilities, because as any exe file, SFX archive is potentially unsafe for user’s computer by design. We can only remind users once again to run .exe files, either SFX archives or not, only if they are received from a trustworthy source”.
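Because an SFX archive is an executable stub with a RAR archive attached, a mail or download filter can tell it apart from a plain archive by content rather than by file name. The sketch below is an added example, not code from the article, the researcher or RARLab; the function names, the scan window and the sample bytes are assumptions made for illustration.

```python
# RAR container signatures (RAR 4.x and RAR 5.0 formats).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
# Assumption for this example: an SFX stub is small, so scanning the first
# 2 MiB is enough to find an archive attached after it.
SCAN_LIMIT = 2 * 1024 * 1024


def find_rar_offset(data: bytes) -> int:
    """Return the offset of the first RAR signature, or -1 if none."""
    hits = [i for i in (data.find(RAR4_MAGIC), data.find(RAR5_MAGIC)) if i >= 0]
    return min(hits) if hits else -1


def classify(data: bytes) -> str:
    """Classify file content as 'rar', 'sfx', 'executable' or 'other'."""
    window = data[:SCAN_LIMIT]
    offset = find_rar_offset(window)
    is_pe = window[:2] == b"MZ"  # DOS/PE header of a Windows executable
    if offset == 0:
        return "rar"         # plain archive: data only, nothing runs on open
    if is_pe and offset > 0:
        return "sfx"         # executable stub with an archive attached
    if is_pe:
        return "executable"
    return "other"


def should_quarantine(data: bytes) -> bool:
    """Treat SFX archives like any other executable, whatever the name says."""
    return classify(data) in ("sfx", "executable")


# Constructed sample inputs (not real archives): just enough bytes to classify.
SAMPLES = {
    "plain.rar": RAR5_MAGIC + b"\x00" * 16,
    "invoice.exe": b"MZ" + b"\x90" * 64 + RAR4_MAGIC + b"\x00" * 16,
    "tool.exe": b"MZ" + b"\x90" * 64,
    "notes.txt": b"hello",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {classify(blob)} quarantine={should_quarantine(blob)}")
```

This is a signature heuristic: it identifies the container type and says nothing about whether the content is malicious.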

“It is likely to affect all versions of WinRAR in existence, an application that is seen as the default choice for compression applications on Windows”, he said. Because all that’s required to execute the attack is the victim opening the file, this vulnerability is considered critical.

Until a patch for this exploit is available, users are advised not to click on files received from unknown sources and to use other trusted software for their archiving and compression needs.