Over half a billion users of the WinRAR file compression tool could be at risk of infecting their computers, thanks to a newly discovered flaw in the application.
A researcher has disclosed what he describes as an unpatched, critical remote code execution vulnerability in WinRAR's self-extracting (SFX) archive feature.
Reza Espargham of Vulnerability Lab discovered the bug, and Pieter Arntz of Malwarebytes reported reproducing it.
The flaw is said to affect WinRAR SFX version 5.21, putting around 500 million users of the application at risk. According to the disclosure, it lets an attacker execute arbitrary code on, and thereby compromise, a victim's machine.
According to the blog post, a remote attacker could craft a compressed file and have code execute on the victim's computer when the victim opens the malicious SFX archive.
The attack abuses the option, offered when creating an SFX archive, to put HTML code in the text that the archive displays in its window on opening; the SFX module renders that HTML rather than treating it as plain text.
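The article describes the mechanism (an SFX executable whose text window carries HTML that the SFX module renders) but gives no way to spot such a file on the way in. The Python below is an added example for this page; it is not code from Vulnerability Lab, Malwarebytes or Rarlab. It identifies a file as an SFX by finding an embedded RAR signature inside a PE image, then, as a heuristic, looks for HTML markup in the bytes after that signature. The heuristic assumes the SFX script lines (Title=, Text=, and so on) are stored uncompressed next to the archive header, which is not guaranteed; the ACTIVE_TAGS list and the sample bytes are constructed for the example rather than taken from a real WinRAR build.

```python
"""Triage helper for WinRAR self-extracting (SFX) executables.

Added example for this article; it is not code from Vulnerability Lab,
Malwarebytes or Rarlab. Two checks:
  1. Is the file a PE image that carries an embedded RAR archive (an SFX)?
  2. Does the region after the RAR signature contain HTML markup, and in
     particular tags that load scripts, frames or external objects?
Check 2 is a heuristic: it assumes the SFX script lines (Title=, Text=, ...)
are stored uncompressed next to the archive header. A compressed comment,
or an archived .html file, will produce misses or false positives, so
treat a hit as "needs review", not as a verdict.
"""
import re
import sys

PE_MAGIC = b"MZ"
RAR4_SIG = b"Rar!\x1a\x07\x00"      # RAR 1.5 - 4.x archive signature
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"  # RAR 5.x archive signature

# Tags that pull in scripts, frames or external objects when rendered.
# Assumption for this example: any of these inside an SFX text window is
# worth a human look.
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed", "applet", "meta", "link"}

# Opening or closing tag: "<", optional "/", tag name, then whitespace, ">" or "/".
TAG_RE = re.compile(rb"<\s*/?([A-Za-z][A-Za-z0-9]{0,15})(?=[\s>/])")


def find_rar_signature(data: bytes):
    """Return (offset, major_version) of the earliest RAR signature, else None."""
    best = None
    for sig, version in ((RAR5_SIG, 5), (RAR4_SIG, 4)):
        off = data.find(sig)
        if off != -1 and (best is None or off < best[0]):
            best = (off, version)
    return best


def html_tags_after(data: bytes, offset: int):
    """Distinct lower-cased tag names found from offset onward."""
    names = {m.group(1).decode("ascii").lower() for m in TAG_RE.finditer(data, offset)}
    return sorted(names)


def triage_sfx(data: bytes) -> dict:
    """Classify a blob; every field is filled so callers can assert on it."""
    result = {
        "is_pe": data.startswith(PE_MAGIC),
        "is_sfx": False,
        "rar_version": None,
        "rar_offset": None,
        "html_tags": [],
        "active_tags": [],
    }
    hit = find_rar_signature(data)
    if hit is None:
        return result
    offset, version = hit
    result["rar_offset"] = offset
    result["rar_version"] = version
    result["is_sfx"] = result["is_pe"]  # PE stub + embedded RAR = self-extractor
    result["html_tags"] = html_tags_after(data, offset)
    result["active_tags"] = [t for t in result["html_tags"] if t in ACTIVE_TAGS]
    return result


# Constructed sample bytes, not taken from a real WinRAR build: a minimal
# PE-looking stub, then a RAR4 signature, then an uncompressed SFX script
# whose Text= line carries HTML including a <script> tag.
SAMPLE_SFX = (
    PE_MAGIC + b"\x90" * 64 + b"PE\x00\x00" + b"\x00" * 32
    + RAR4_SIG
    + b"Title=Quarterly report\r\n"
    + b"Text=<html><body><h1>Readme</h1><script>x()</script></body></html>\r\n"
)
SAMPLE_PLAIN_RAR5 = RAR5_SIG + b"\x00" * 16   # a bare archive, not an executable
SAMPLE_PLAIN_EXE = PE_MAGIC + b"\x00" * 16     # an executable with no archive


def report(path: str) -> dict:
    """Run the triage on a file on disk and print a one-line summary."""
    with open(path, "rb") as fh:
        verdict = triage_sfx(fh.read())
    flag = "REVIEW" if verdict["is_sfx"] and verdict["active_tags"] else "ok"
    print(f"{path}: sfx={verdict['is_sfx']} rar={verdict['rar_version']} "
          f"active_tags={verdict['active_tags']} -> {flag}")
    return verdict


if __name__ == "__main__":
    for p in sys.argv[1:]:
        report(p)
```

Run it as `python triage_sfx.py suspicious.exe` on a mail-gateway quarantine or a download folder. The point of the first check is that the extension is irrelevant: an SFX is a .exe whatever it was called in the phishing mail, and the RAR signature inside the PE is what gives it away. The second check only tells you that markup is present where a plain "readme" text was expected; deciding whether it is harmless formatting or something that loads remote content still needs a look at the actual text.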
“This results in a system-specific code execution when a target user or system is processing to open the compressed archive,” said Espargham.
The flaw has been deemed critical because the exploit needs little user interaction to work – just opening the file. Espargham gave it a Common Vulnerability Scoring System (CVSS) score of 9.2.
The security researcher included a proof-of-concept exploit and believed that other versions of the application could also be at risk.
Arntz said the code needed “trivial” changes before his firm got the exploit to work, which he attributed to a possible Perl version mismatch.
In an official statement, Rarlab, the firm behind WinRAR, said that “executable files are potentially dangerous by design”.
"We can say that limiting SFX module HTML functionality would hurt only those legitimate users who need all HTML features, making absolutely no problem for a malicious person, who can use previous version SFX modules, custom modules built from UnRAR source code, their own code or archived executables for their purpose. We can only remind users once again to run .exe files, either SFX archives or not, only if they are received from a trustworthy source,” said the firm.
Fraser Kyne, principal systems engineer at Bromium, told SCMagazineUK.com that any vulnerability that allows arbitrary code execution on a trusted device is a cause of real concern.
“The problem is that all software is prone to vulnerabilities – and the more software you run, the larger the codebase; hence the increased likelihood of vulnerabilities. This issue is even encountered with security software which itself can actually introduce security issues by introducing its own vulnerabilities (as proven recently in the media),” he said.
Gavin Millard, technical director at Tenable Network Security, told SC that email attachments are not the only delivery channel malware authors could use for this flaw.
“Movies and TV shows offered out on Bittorrent, the popular file-sharing protocol, could easily have malicious code bundled in with the download,” he said. “Unfortunately no patch is currently available so self extracting archive files received through any means should be opened with caution.”
Adam Schoeman, senior intelligence analyst at SecureData, told SC that the vulnerability would probably lead to a “significant increase in .rar and .zip phishing mails being sent out before the end of the day.
“It is likely to affect all versions of WinRAR in existence, an application that is seen as the default choice for compression applications on Windows,” he said.
"Install base aside, this is particularly bad news because WinRAR is often bundled in software packs like the CDs which come with a new motherboard or laptop, meaning there are probably a lot of people out there using WinRAR without even knowing it,” he added.
"On top of all that, all an attacker needs to do is send a .zip or .rar file to a user and get them to open it. This is a pretty standard phishing tactic, which wouldn't normally require the user to execute a .exe file or exploit a vulnerability that can be patched.”
UPDATE: Malwarebytes has retracted its claim that the WinRAR product is vulnerable and apologised for jumping the gun by echoing a report from the Full-Disclosure mailing list.