Too bad their team is putting on the attitude of not caring or doing anything about this. ADDED: Maybe that's too harsh. I think a simple enable/disable option here would work.
So the flaw is that the SFX archive (in the form of an .exe file) can include malicious HTML script? Well it's an executable - it could have anything wrong with it. WinRAR are entirely correct that "patching" their software to disable the HTML feature when creating SFX archives won't change a thing. The HTML feature has legitimate purposes, and malicious authors can simply use older, "unpatched" versions of WinRAR to create malicious SFX archives. In fact they could create a malicious file without even using WinRAR and just dress it up to look like a valid SFX archive. What good will "patching" the WinRAR SFX creation software do? Frankly I don't understand why people put any faith in SFX archives, outside of those used in legitimate software installers. I treat them as suspicious, and even if I trust the source will extract them myself using a 3rd party utility like 7-Zip (EMET, software policy, outgoing connections blocked).
Not really, the whole thing is back to front. The vulnerability has nothing to do with opening a .RAR file in WinRAR - it's about SFX archives (.EXE) created in WinRAR. Malicious authors can continue to make malicious .EXE files regardless of what WinRAR's response is. Tech sites are parroting the line "500 million users at risk", purely based on the fact that there are an estimated 500 million users of WinRAR. Frankly this is bizarre reasoning, and shows a lack of critical thought in tech writers. Being a user of WinRAR doesn't significantly increase the risk of receiving a malicious SFX archive created from WinRAR.
Some of the supposed tech writers uncritically parroting the "500 million users at risk" line:
Charlie Osborne from http://www.zdnet.com/article/critical-winrar-vulnerability-places-500-million-users-at-risk/
Khyati Jain from http://thehackernews.com/2015/09/winrar-vulnerability.html
Darlene Storm http://www.computerworld.com/articl...-risk-of-being-pwned-by-unzipping-a-file.html
Rene Millman http://www.scmagazineuk.com/winrar-vulnerability-leaves-users-open-to-attack/article/441896/
Zeljka Zorz http://www.net-security.org/secworld.php?id=18914
Juha Saarinen http://www.itnews.com.au/news/up-to...ar-remote-code-execution-vulnerability-409904
Also lots of lesser sites.
It's quite ridiculous the reporting on this. This only applies to infected WinRAR SFX exe files, in which case, it doesn't matter what software is used to manage archives, as an SFX archive is completely self-contained and does not use any external software. While WinRAR can be used to create malicious SFX files, you will not be infected by opening regular archive files.
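Added example, not part of any post in this thread: a Python sketch of the distinction drawn above between a regular RAR archive and a WinRAR SFX executable, so that an SFX can be extracted with an archiver instead of being run. The function names and sample bytes are constructed for illustration, and the match is a heuristic, since any program that embeds the RAR marker bytes also matches.

```python
import struct

# RAR archive markers: 7 bytes for RAR 1.5-4.x, 8 bytes for RAR 5.0 and later.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_rar_marker(data: bytes):
    """Return (offset, format) of the earliest RAR marker, or None if absent."""
    hits = []
    for magic, name in ((RAR4_MAGIC, "RAR4"), (RAR5_MAGIC, "RAR5")):
        pos = data.find(magic)
        if pos != -1:
            hits.append((pos, name))
    return min(hits) if hits else None


def classify(data: bytes):
    """Return (kind, rar_format, offset) for a file's raw bytes."""
    hit = find_rar_marker(data)
    if is_pe(data):
        if hit:
            # Executable stub followed by archive data: treat as an SFX and
            # extract it with an archiver rather than executing it.
            return ("rar-sfx", hit[1], hit[0])
        return ("executable", None, None)
    if hit and hit[0] == 0:
        return ("rar-archive", hit[1], 0)
    return ("unknown", None, None)


def fake_pe(payload: bytes = b"") -> bytes:
    """Constructed sample: minimal DOS header, PE signature, padding, payload."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 60 + payload


if __name__ == "__main__":
    for sample in (fake_pe(RAR5_MAGIC + b"data"), fake_pe(), RAR4_MAGIC + b"data"):
        print(classify(sample))
```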
Yes, and if you have followed reporting on computer security over the years, this type of "reasoning" is nothing new, really. By this reasoning, we can write an article: "1 Billion Users* at risk of compromise via MSWord" *source: https://www.quora.com/How-many-Microsoft-Office-users-are-there-worldwide **source: http://fossbytes.com/dangerous-breaking-bad-ransomware-is-completely-undetected-antivirus-products/ ---- rich
No it's not. But if you're downloading from legitimate sources, you should have nothing to worry about.
From the article referenced in the original post... "...Victims only have to open a booby-trapped file, which can be delivered easily via email, and the attack is executed successfully: the system is compromised..." Hello, but ANY malicious EXE FILE is executable, and will produce the same results. If I can get you to run a malicious exe of any kind, why would I want to go to the extra trouble of making it about WinRAR? Did the idea for this come from WinZip? I have no more concern for this than I do for ANY potentially malicious exe file.
Thanks busy. Glad you were not too busy to take the time to post that link. Appreciate it. Dunno what to think. Hard to believe that a Blog Post on Malwarebytes Official Security Blog would validate this exploit on a non fully updated Windows OS, unless he was using Windows XP. The original POC by Vulnerability Lab (whoever they are) was done on a Windows 7 OS. Yet WinRAR Labs claims the vulnerability was fixed for all Windows OS, except XP, in a November 2014 Windows Update (MS14-064). [The author of the Malwarebytes Blog Post describes himself: "I’m a Microsoft MVP in consumer security and have been fighting malware for over a decade. My blog posts usually provide background information about malware, security and privacy." https://blog.malwarebytes.org/author/metallicamvp/]
Ehh. The wife says this is no more than the requisite fear mongering tech sites generate these days. And I tend to agree.
Malwarebytes about WinRAR Vulnerability: https://blog.malwarebytes.org/news/2015/10/redaction-winrar-vulnerability/
^That's a way to gain respect. Good on Malwarebytes, even if it was easy to spot without an in-depth analysis. Thanks for the link @SK_Hendrik