Slashdot Mirror


500 Million Users At Risk of Compromise Via Unpatched WinRAR Bug

An anonymous reader writes: A critical vulnerability has been found in the latest version of WinRAR, the popular file archiver and compressor utility for Windows, and can be exploited by remote attackers to compromise a machine on which the software is installed. "The issue is located in the 'Text and Icon' function of the 'Text to display in SFX window' module," Vulnerability Lab explained in a post on the Full Disclosure mailing list. "Remote attackers are able to generate own compressed archives with malicious payloads to execute system specific codes for compromise."

11 of 129 comments

  1. Click-bait BS by pegr · · Score: 5, Insightful

    So a self-extracting RAR can be rigged to exploit your machine. A self-extracting RAR is an executable. So an executable from an untrusted source can exploit your box. Wake me when you have a real vulnerability.

    Oh, and samzenpus, that was the most clickbait bullshit Slashdot headline in months. You should be horsewhipped.

    1. Re:Click-bait BS by gstoddart · · Score: 2

      Oh, I don't know ... it's a real vulnerability, dated Monday, and rated as a 9 (I assume out of 10) ... in terms of being an actual thing and showing up in a timely manner, I'm not sure I'd call it clickbait.

      Now, anything Nerval's Lobster posts which links to Dice? That I'd call clickbait.

      --
      Lost at C:>. Found at C.
    2. Re:Click-bait BS by tlhIngan · · Score: 4, Insightful

      So a self-extracting RAR can be rigged to exploit your machine. A self-extracting RAR is an executable. So an executable from an untrusted source can exploit your box. Wake me when you have a real vulnerability.

      Actually, the problem is NOT the executable. The SFX part is NOT compromised at all. It's completely legitimate standard WinRAR SFX.

      However, the bug is that there's a buffer overflow in the SFX program - you can give it a malicious HTML file that causes it to execute code.

      The deal is that all a malicious user has to do is inject their file into a RAR archive and set a flag to have the SFX program show it as part of the SFX process. The SFX stub will check clean by all anti-virus because it's the same SFX stub as what WinRAR ships with.

      It's entirely possible that you cannot detect this - if the archive is password protected, for example, so you can't detect the bad HTML file at all. And the SFX will still check clean, but really infect your PC.

      The only workaround is to use WinRAR itself to open the SFX

  2. Re:WinRAR by mrchaotica · · Score: 5, Informative

    On the contrary; WinRAR sucks because it isn't open source. Instead, it's proprietary, spammy nag-ware.

    7Zip, the actual open source competitor to WinRAR, is much better.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  3. Re:Huh? by gstoddart · · Score: 5, Funny

    You open first link, and you view the youtube video

    No way, opening links and viewing youtube videos is how you get exploited in the first place ... and it's sinful and could lead to dancing.

    --
    Lost at C:>. Found at C.
  4. Re:WinRAR by Ravaldy · · Score: 2

    On the contrary; WinRAR sucks because it isn't open source

    That's a bold statement because it goes either way. There are open source products that are better just because they are free and some are better because they simply are better. There are commercial products out there that outweigh open source products just because they have large teams with the right expertise and money to keep it going forward.

    7Zip, the actual open source competitor to WinRAR, is much better

    7Zip is better in many ways. Lightweight is the one major thing it has on WinRAR.

    7Zip would have the same issues if it offered a self extracting option.

  5. Re:Can we finally admit WinRAR is terrible? by SQLGuru · · Score: 2

    I don't even bother with 7z format because modern OSs support ZIP out of the box. I only install 7-zip for a slightly better interface than the one built in to the OS, but I know that anyone I send the file to can read the file.

  6. Re:Huh? by sexconker · · Score: 2

    SFX refers to the self-extractor piece.
    It lets you compress a bunch o' shit, then package it as an executable file.
    The executable contains the compressed shit, the decompression algorithm, and a short script about where to unpack shit to, what to title the SFX window, etc.

    Run the executable and your 8 MB download turns into a 25 MB folder with shit in it.
    People distribute self-extractors because you don't need to rely on them having WinRAR installed, don't need to rely on them knowing where to put the files, etc.

  7. Re:WinRAR by GameboyRMH · · Score: 2

    Came here to say this.

    If you make .rar files, you're part of the problem.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  8. Re:Huh? by thechemic · · Score: 2

    For years I have always renamed the archivefile.exe to archivefile.rar. This prevents it from running as an executable, and WinRAR opens it just fine. Trusting any archive file SFX is sinful indeed.

    --
    Let's make like a bird... and get the flock outta here.
  9. Re:Huh? by Gary Perkins · · Score: 2

    Parent isn't creating the executables, he's downloading them from "untrusted sources" and doing the (admirably) paranoid thing by opening them with WinRAR rather than trusting the executable.
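
An SFX as described in comments 6 and 8 is a stub executable with an ordinary RAR archive appended, which is why it can be opened as an archive instead of being run. The following is an added example, not code from the thread or from WinRAR: it parses the PE section table to find where the stub ends, then looks past it for the RAR 4.x/5.x signature so the archive can be carved out for inspection. All function names and the sample bytes are constructed for illustration.

```python
import struct
from typing import Optional, Tuple

# RAR 5.x and RAR 1.5-4.x archive signatures
RAR_MAGICS = ((b"Rar!\x1a\x07\x01\x00", "RAR5"), (b"Rar!\x1a\x07\x00", "RAR4"))


def pe_overlay_offset(data: bytes) -> Optional[int]:
    """Offset just past the last PE section's raw data, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # first section header
    overlay = table + 40 * n_sections         # headers are 40 bytes each
    if overlay > len(data):
        return None
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size:
            overlay = max(overlay, raw_ptr + raw_size)
    return min(overlay, len(data))


def find_sfx_archive(data: bytes) -> Optional[Tuple[int, str]]:
    """(offset, format) of the first RAR signature after the stub, else None."""
    overlay = pe_overlay_offset(data)
    if overlay is None:
        return None
    hits = [(pos, name) for magic, name in RAR_MAGICS
            if (pos := data.find(magic, overlay)) != -1]
    return min(hits) if hits else None


def carve_archive(data: bytes) -> Optional[bytes]:
    """Bytes of the appended archive, for inspection without running the stub."""
    hit = find_sfx_archive(data)
    return data[hit[0]:] if hit else None


def constructed_sample() -> bytes:
    """Constructed input: minimal fake PE whose section holds a decoy signature."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    sect = b".text\x00\x00\x00" + struct.pack("<IIIIIIHHI", 16, 0x1000, 16, 0x80, 0, 0, 0, 0, 0)
    body = b"Rar!\x1a\x07\x00".ljust(16, b"\x90")      # decoy inside the stub
    return dos + coff + sect + body + b"Rar!\x1a\x07\x01\x00" + b"constructed"
```

Searching from the end of the last section rather than from byte 0 skips signature-like bytes inside the stub itself; in the constructed sample a plain search would stop at the decoy at 0x80 instead of the archive at 0x90.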