500 million users at risk of compromise via unpatched WinRAR bug

A critical vulnerability has been found in the latest version of WinRAR, the popular file archiver and compressor utility for Windows, and can be exploited by remote attackers to compromise a machine on which the software is installed.

“The issue is located in the ‘Text and Icon’ function of the ‘Text to display in SFX window’ module,” Vulnerability Lab explained in a post on on the Full Disclosure mailing list. “Remote attackers are able to generate own compressed archives with malicious payloads to execute system specific codes for compromise.”

The flaw is critical, as exploitation requires low user interaction without privilege system or restricted user accounts. Victims only have to open a booby-trapped file, which can be delivered easily via email, and the attack is executed successfully: the system is compromised.

Vulnerability Lab researcher Mohammad Reza Espargham, who discovered the flaw, also created and published a PoC exploit for it. You can see it in action here:



The bug affects only the latest version of WinRAR, v5.21. It has been publicly disclosed on Monday, and its unclear if WinRAR developers were informed about it before that.

As far as I can tell from the release notes of the various beta versions of WinRAR v5.30 released since February, there is no mention of this bug being fixed.

Malwarebytes researcher Pieter Arntz confirmed that the PoC exploit works (with minor tweaks). He advises users to be careful when handling uninvited compressed SFX files, and to update the software as soon as an update that plugs the hole is available.

UPDATE (October 8, 2015):

Adam Kujawa, Head of Malware Intelligence at Malwarebytes, published a blog post in which he apologized to WinRAR for their initial confirmation of the vulnerability.

“We have been in communication with WinRAR and performing our own in-depth analysis of the threat to identify that what we described in our post was simply a new attack vector that could mask itself as any executable,” he explained.

“Users of WinRAR have nothing to worry about as they are not being targeted nor is the WinRAR product itself malicious or allowing malicious files to be run on the system. We have since removed our post on the subject. The malware itself would need to be double-clicked by a user (who has not patched their operating system since mid 2014) to be activated.”

“The best way to protect against this particular threat is to right click on any archive you might come across and open it using its associated tool (i.e. WinRAR) to extract it, as opposed to double clicking the archive. In addition, make sure you install the latest Windows updates as a previously patched vulnerability in Internet Explorer makes this attack possible,” he finally advised.

Don't miss