500 million users at risk of compromise via unpatched WinRAR bug

Discussion in 'other security issues & news' started by ronjor, Sep 30, 2015.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,052
    Location:
    Texas
    http://www.net-security.org/secworld.php?id=18914
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,052
    Location:
    Texas
  3. Keatah

    Keatah Registered Member

    Joined:
    Jan 13, 2011
    Posts:
    1,029
    Too bad their team is putting on the attitude of not caring or doing anything about this.

    ADDED: Maybe that's too harsh. I think a simple enable/disable option here would work.
     
    Last edited: Oct 1, 2015
  4. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    So the flaw is that the SFX archive (in the form of an .exe file) can include malicious HTML script? Well it's an executable - it could have anything wrong with it.

    WinRAR are entirely correct that "patching" their software to disable the HTML feature when creating SFX archives won't change a thing. The HTML feature has legitimate purposes, and malicious authors can simply use older, "unpatched" versions of WinRAR to create malicious SFX archives. In fact they could create a malicious file without even using WinRAR and just dress it up to look like a valid SFX archive. What good will "patching" the WinRAR SFX creation software do?

    Frankly I don't understand why people put any faith in SFX archives, outside of those used in legitimate software installers. I treat them as suspicious, and even if I trust the source will extract them myself using a 3rd party utility like 7-Zip (EMET, software policy, outgoing connections blocked).
     
  5. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Not really, the whole thing is back to front. The vulnerability has nothing to do with opening a .RAR file in WinRAR - it's about SFX archives (.EXE) created in WinRAR. Malicious authors can continue to make malicious .EXE files regardless of what WinRAR's response is.

    Tech sites are parroting the line "500 million users at risk", purely based on the fact that there an estimated 500 million users of WinRAR. Frankly this is bizarre reasoning, and shows a lack of critical thought in tech writers.

    Being a user of WinRAR doesn't significantly increase the risk of receiving a malicious SFX archive created from WinRAR.
     
  6. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
  7. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    It's quite ridiculous the reporting on this. This only applies to infected WinRAR SFX exe files, in which case, it doesn't matter what software is used to manage archives, as a SFX archive is completely self contained and does not use any external software. While WinRAR can be use to created malicious SFX files, you will not be infected by opening regular archive files.
     
  8. Keatah

    Keatah Registered Member

    Joined:
    Jan 13, 2011
    Posts:
    1,029
    Thanks for the clarification. I've been using WinRAR for ages!
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, and if you have followed reporting on computer security over the years, this type of "reasoning" is nothing new, really.
    By this reasoning, we can write an article:

    "1 Billion Users* at risk of compromise via MSWord"
    *source: https://www.quora.com/How-many-Microsoft-Office-users-are-there-worldwide

    **source: http://fossbytes.com/dangerous-breaking-bad-ransomware-is-completely-undetected-antivirus-products/

    ----
    rich
     
    Last edited: Oct 2, 2015
  10. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    Is a SFX archive (.EXE) labeled as such? Is it a simple thing to identify such a file ?
     
  11. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    No it's not. But if you're downloading from legitimate sources, you should have nothing to worry about.
     
  12. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
    -- That maybe a good tip for those wary of SFX archives. Very nice.
     
  13. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    From the article referenced in the original post...
    "...Victims only have to open a booby-trapped file, which can be delivered easily via email, and the attack is executed successfully: the system is compromised..."
    Hello, but ANY malicious EXE FILE is executable, and will product the same results. If I can get you to run a malicious exe of any kind, why would I want to go to the extra trouble of making it about WinRAR? Did the idea for this come from WinZip? I have no more concern for this than I do for ANY potentially malicious exe file.
     
  14. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    Damn. Been using WinRAR forever :-(
     
  15. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    413
  16. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    Thanks busy :) Glad you were not too busy to take the time to post that link. Appreciate it.

    Dunno what to think. Hard to believe that a Blog Post on Malwarebytes Official Security Blog would validate this exploit on a non fully updated Windows OS, unless he was using Windows XP. The original POC by Vulnerability Lab (whoever they are) was done on a Windows 7 OS. Yet WinRAR Labs claims the vulnerability was fixed for all Windows OS, except XP, in an November, 2014 Windows Update (MS14-064). [The author of the Malwarebytes Blog Post describes himself:"I’m a Microsoft MVP in consumer security and have been fighting malware for over a decade. My blog posts usually provide background information about malware, security and privacy." https://blog.malwarebytes.org/author/metallicamvp/
     
    Last edited: Oct 5, 2015
  17. Keatah

    Keatah Registered Member

    Joined:
    Jan 13, 2011
    Posts:
    1,029
    Ehh. The wife says this is no more than the requisite fear mongering tech sites generate these days. And I tend to agree.
     
  18. SK_Hendrik

    SK_Hendrik Registered Member

    Joined:
    Dec 31, 2014
    Posts:
    8
  19. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    ^That's a way to gain respect. Good on Malwarebyes, even if it was easy to spot without an in-depth analysis. Thanks for the link @SK_Hendrik
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.