WinRAR users are being urged to be extra vigilant when handling uninvited compressed self-extracting (SFX) files after researchers at Full Disclosure published proof-of-concept code exposing a critical flaw in the latest version of the software.
The flaw in WinRAR v.5.2.1 has yet to be patched, and allows a remote attacker to craft a compressed file that executes malicious code when a user unpacks the SFX archive.
WinRAR is a popular piece of Windows-based software with 500 million users, according to the company's website.
Pieter Arntz, a researcher with Malwarebytes, told V3 that users of WinRAR should be extremely careful about the source of SFX files.
"WinRAR users and other consumers should be especially careful when receiving SFX archives (.exe extension), as not only could the compressed file be dangerous, it could contain malicious code in the shell that is triggered when it's opened. As with all attacks like this, caution is key," he said.
However, in a response posted online, WinRAR played down the claims that the proof-of-concept is an urgent problem, saying that an SFX archive is commonly known to be vulnerable.
"Executable files are potentially dangerous by design. Run them only if they are received from a trustworthy source. WinRAR SFX archives are not less or more dangerous than other exe files," the firm said.
"[A] malicious hacker can take any executable, prepend it to archive and distribute it to users. This fact alone makes discussing vulnerabilities in SFX archives useless."
However, Gavin Millard, technical director at Tenable Network Security, warned that the size of the WinRAR user base makes the flaw a cause for concern.
"This particular bug, discovered in WinRAR which reportedly runs on 500 million systems, is relatively easy to exploit and could lead to malicious file execution by anyone clicking on an archive containing the code, from a key logger trying to steal credentials to ransomware that encrypts the files you care about," he said.
"Compressed files sent as email attachments are one way malware authors could be considering as a potential use of this flaw."
Adam Schoeman, senior intelligence analyst at SecureData, noted that the vulnerability, if used in the wild, could result in a significant increase in .rar and .zip phishing mails.
"Install base aside, this is particularly bad news because WinRAR is often bundled in software packs like the CDs which come with a new motherboard or laptop, meaning there are probably a lot of people out there using WinRAR without even knowing it," he said.
WinRAR made no mention of a patch in its response, instead urging users to download .exe files only from trusted sources.
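Because an SFX archive is an ordinary .exe stub with a RAR archive appended, a mail gateway or triage script can at least tell SFX executables apart from plain archives and plain executables before anyone double-clicks them. The following is an added example, not code from the article, from WinRAR or from any of the researchers quoted; it assumes attachments are available as raw bytes and relies only on the documented RAR 4.x/RAR 5 and ZIP file signatures. The sample attachments it builds are constructed in the script.

```python
"""Triage helper: tell RAR self-extracting (SFX) executables apart from
plain archives and plain executables.

Added example, not from the article. Assumptions: attachments are handed in
as raw bytes; the magic values below are the documented RAR 4.x, RAR 5 and
ZIP signatures. Structural classification only: an SFX stub that is found
here is by nature an executable, so this is triage, not a malware verdict.
"""
from typing import Optional

RAR4_SIG = b"Rar!\x1a\x07\x00"        # RAR 4.x marker block
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"    # RAR 5 signature
ZIP_SIG = b"PK\x03\x04"               # ZIP local file header
MZ_MAGIC = b"MZ"                      # DOS header of a Windows executable


def is_pe_executable(data: bytes) -> bool:
    """True if the blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def find_rar_signature(data: bytes) -> Optional[int]:
    """Offset of the first RAR marker in the blob, or None if there is none."""
    best = None
    for sig in (RAR5_SIG, RAR4_SIG):
        idx = data.find(sig)
        if idx != -1 and (best is None or idx < best):
            best = idx
    return best


def classify_attachment(data: bytes) -> str:
    """Return one of: rar-sfx-executable, executable, rar-archive, zip-archive, other."""
    if is_pe_executable(data):
        off = find_rar_signature(data)
        # A RAR marker somewhere after the PE image is the SFX layout.
        if off is not None and off > 0:
            return "rar-sfx-executable"
        return "executable"
    if find_rar_signature(data) == 0:
        return "rar-archive"
    if data[:4] == ZIP_SIG:
        return "zip-archive"
    return "other"


def build_sample(rar_payload: bytes) -> bytes:
    """Construct a minimal fake PE stub and append rar_payload to it (test data only)."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)            # 64-byte DOS header
    stub[0x3C:0x40] = (0x40).to_bytes(4, "little")      # e_lfanew -> PE header at 0x40
    stub += b"PE\x00\x00" + b"\x00" * 60                # PE signature plus padding
    return bytes(stub) + rar_payload                    # archive appended, SFX style


if __name__ == "__main__":
    # Constructed attachments: an SFX-style stub, a bare stub, plain archives, junk.
    samples = {
        "invoice.exe (sfx)": build_sample(RAR5_SIG + b"\x00" * 16),
        "setup.exe": build_sample(b""),
        "docs.rar": RAR4_SIG + b"\x00" * 16,
        "docs.zip": ZIP_SIG + b"\x00" * 26,
        "notes.txt": b"hello world",
    }
    for name, blob in samples.items():
        print(f"{name:20s} -> {classify_attachment(blob)}")
```

Anything reported as `rar-sfx-executable` deserves the same handling as any other unsolicited executable, which is the point both the researchers and WinRAR make above; the value of the check is that it stops an SFX file from passing as "just a compressed archive" in an attachment policy.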