WinRAR Exploit Could Put 500 Million Users at Risk – Yet to be Patched

Rafia Shaikh

Researchers have discovered a zero-day vulnerability in WinRAR that could put over 500 million users of the software at risk.

WinRAR vulnerability remains unpatched:

A critical vulnerability in WinRAR, a popular file archiver and compressor utility for Windows, is discovered by Mohammad Reza Espargham, a security research at the Vulnerability Lab. According to Espargham's research, this zero-day WinRAR vulnerability can be easily exploited by remote attackers to compromise a Windows machine on which it is installed. This exploit could potentially affect over millions of users worldwide, as it is one of the most popular utility programs for compressing and decompressing files.

The stable version of WinRAR 5.21 for Windows is vulnerable to remote code execution (RCE) flaw. The flaw can be used by an attacker to insert a malicious HTML code inside the "Text to display in SFX window" section when the user is creating a new SFX file. WinRAR SFX is an executable compressed file type containing one or more files, capable of extracting its own contents. "The issue is located in the 'Text and Icon' function of the 'Text to display in SFX window' module," Vulnerability-Lab explained. "Remote attackers are able to generate own compressed archives with malicious payloads to execute system specific codes for compromise."

As soon as the user clicks on a compromised SFX file, it starts functioning giving users no room to identify or verify if the compressed executable file is a genuine WinRAR SFX module or a compromised one. Requiring low user interaction without privilege system or restricted user accounts, successful exploitation of this vulnerability could compromise a user's machine and network. All that is needed for it to work is a victim to open the booby-trapped file. The vulnerability has been tagged as "High Severity" and is yet to be patched.

While we receive any patch for this exploit, users are advised not to click on files received from unknown sources and use other trusted software for their archiving / compressing requirements. The WinRAR developer team suggests,  “for any exe file, users must run SFX archives only if they are sure that such archive is received from a trustworthy source. SFX archive can silently run any exe file contained in an archive, and this is the official feature needed for software installers."

Vulnerability Lab researcher Espargham has also published a proof-of-concept video of the WinRAR exploit. Here is the POC video:

For more technical details, refer to Vulnerability Lab.

Share this story

Deal of the Day