WinRAR victim of false allegations about vulnerabilities affecting their software

by FileCritic, October 6, 2015

Recently WinRAR (RARLab) has been the victim of false accusations from some mainstream technology and media websites that probably did not understand what is going on.

Alleged WinRAR vulnerabilities such as the “SFX archive vulnerability”, “WinRAR zero day exploit”, “Mohammad-Reza-Espargham Full Disclosure” or “WinRAR’s MS14-064 problem” have been falsely claimed to put all WinRAR users in danger.

To clarify what is really happening and why WinRAR is not responsible for these issues, let’s dive a little deeper into the matter:

1. Supposed WinRAR self-extracting (SFX) vulnerability

As reported at seclists.org/fulldisclosure/2015/Sep/106, it is possible to create SFX archives with specially crafted HTML text which, if the archive is started as an executable, will download and run an arbitrary executable on a user’s computer.

The entire attack is based on vulnerabilities in Windows OLE (MS14-064), which were already patched in November 2014. If you have not installed this patch for some reason, it is strongly recommended that you install it. It is important for the security of your entire system and is not a WinRAR-specific issue. Without this patch, any software that uses MS Internet Explorer components, including Internet Explorer itself, may be vulnerable to a specially crafted HTML page that allows code execution.

The WinRAR SFX module displays HTML in its start dialog, so it is affected too, like a huge number of other tools. This issue does not create any new risk factors for SFX archives. Being executable files, SFX archives can already do everything that can be done with this MS14-064 vulnerability. SFX archives can run any local executable, or download and run a remotely stored executable, using the official SFX module “Setup” command. This feature is required for software installers. Regardless of the Windows vulnerability discussed here, and as with any .exe file, users should run SFX archives only if they are sure that the archive has been received from a trustworthy source.

Read more at:

www.rarlab.com/vuln_sfx_html.htm
www.rarlab.com/vuln_sfx_html2.htm

2. Supposed “WinRAR Web Reminder Vulnerability”:

The same internet user, R-73eN, who originally reported the above, informed RARLab about his findings regarding the security of the “WinRAR Registration Reminder Window” (also called “Notifier”).

The trial version of WinRAR displays a registration reminder window which can include HTML code received over HTTP from RARLab’s and its partners’ trusted sites. According to R-73eN, a user’s local network needs to be compromised in such a way that a malicious man in the middle can modify the contents of web pages opened by users. If, additionally, Microsoft’s Internet Explorer is also compromised and contains unpatched security holes like MS14-064, it is then possible for a malicious person to inject harmful code into the WinRAR registration reminder window.

RARLab considers such a hypothetical situation to be a matter of local network and browser vulnerabilities. If both the network and the browser are compromised, it is enough for a user to open any HTTP page in a browser, or in any application that uses HTTP browser components, to be attacked. Users need to install Windows and browser patches regularly to prevent this. One can argue about HTTP vs. HTTPS security here, but as long as the HTTP protocol is in wide use and not deprecated, its security should be provided at a lower level than the applications that use the HTTP engine provided by the system.

Such problems are neither RARLab’s fault nor within its power to fix, and they have nothing to do with the WinRAR software itself.

Read more at:

www.rarlab.com/vuln_web_html.htm

IMPORTANT: NO PATCHES FOR WINRAR ARE NEEDED. If you have not installed the Windows MS14-064 security update, please do so. It is important for your entire Windows security, not just for WinRAR SFX or the WinRAR Web Reminder.

3. Share these links:

www.rarlab.com/vuln_sfx_html.htm
www.rarlab.com/vuln_sfx_html2.htm
www.rarlab.com/vuln_web_html.htm
Twitter: #notavulnerability
