Slashdot Mirror


500 Million Users At Risk of Compromise Via Unpatched WinRAR Bug

An anonymous reader writes: A critical vulnerability has been found in the latest version of WinRAR, the popular file archiver and compressor utility for Windows, and can be exploited by remote attackers to compromise a machine on which the software is installed. "The issue is located in the 'Text and Icon' function of the 'Text to display in SFX window' module," Vulnerability Lab explained in a post on the Full Disclosure mailing list. "Remote attackers are able to generate own compressed archives with malicious payloads to execute system specific codes for compromise."

1 of 129 comments

  1. Huh? by gstoddart · Score: 1, Interesting

    I must admit some of these security exploits elude me a little, but I've read both of TFAs, and I guess my question is "what the heck is this SFX window and what's it for"?

    Why the heck is an archiving program executing arbitrary code in the first place? That's crazy.

    --
    Lost at C:>. Found at C.