The net is abuzz with news of a vulnerability uncovered in the popular WinRar software, potentially affecting over 500 million users worldwide. The vulnerability, which makes it possible for malicious code to be executed when opening self-extracting (SFX) ZIP or RAR files, was recently discovered by security researcher Mohammad Reza Espargham.
In summary; attackers can exploit the SFX vulnerability to execute code remotely on target machines by adding specially crafted HTML code via the software’s Text and Icon function.
Tech blogs have been quick to report this vulnerability, with some resorting to the usual sensationalism. For its part, Rarlab, the maker of WinRar, has responded with a very much “it’s all a fuss about nothing” approach. In a brief statement published online, Rarlab asserted that… “WinRAR self-extracting (SFX) archives are not less or more dangerous than other exe files“.
Essentially, Rarlab’s response makes the following points:
- Any executable is potentially dangerous, and especially so when received or downloaded from an unknown or untrusted source.
- Hackers can append malicious code to any SFX archive and then distribute same, it doesn’t necessarily have to be done through the WinRar software.
- Limiting WinRar’s HTML functionality would only hurt legitimate users while, for those with malicious intent, there are plenty of alternative avenues to achieve the same result.
All of which rings true. So, while Rarlab’s response might not be particularly empathetic, it does appear to be logical.
So, Should You be Concerned?
I am by no means an expert in security related matters but, on the other hand, it doesn’t take an Einstein to realize that these types of files, executables and especially self-extracting executables, are inherently risky anyway and should always be treated as such. Provided users apply the standard rule of thumb – i.e. unless received or downloaded from a known trusted source, these files should never be run outside of a sandbox or virtual environment, if at all – there doesn’t appear to be any particular need for alarm.