06.10.2015 09:48

False WinRAR Security Alerts

Release date: 06.10.2015


 

Issue: 05.10.2015

Content:

Intro: False Alert, no patches for WinRAR are needed!

  1. Supposed WinRAR SFX vulnerability
  2. Supposed WinRAR Web Reminder vulnerability
  3. Links for Sharing
  4. Join us on Facebook

Dear WinRAR User,

Our organisation and our work on WinRAR have recently become the victim of false accusations and exaggerations in unqualified reports published globally by authors in several media channels, including some reputable media sites. News and alerts are in circulation regarding supposed security threats for WinRAR called "SFX archive vulnerability", "WinRAR zero day exploit", "Mohammad-Reza-Espargham Full Disclosure" or "WinRAR's MS14-064 problem", falsely claiming to put all WinRAR users in danger.

These reports are simply false alerts and have nothing to do with WinRAR itself. They merely replicate problems known to exist on systems that are already vulnerable before WinRAR is used on them. We are currently asking the media and security companies who spread these alerts to correct them quickly.

Some responsible authors and media channels have already corrected their alerts, but it is impossible to reach them all at once, and we expect this false news to spread and possibly be accelerated through additional false reports. We would like to especially mention that many of the security sites and magazines appear to be blindly copying information about this issue. Many articles say that "We asked WinRAR to comment", but in fact we received only a few emails from merely a couple of responsible journalists who contacted us themselves.

Should you become aware of such false reports, please help us by sharing the links at the bottom of this newsletter with the authors of such articles and by posting them in the commentary sections of such articles.


1. Supposed WinRAR self-extracting (SFX) vulnerability

As reported by seclists.org/fulldisclosure/2015/Sep/106, it is possible to create SFX archives with specially crafted HTML text which, if started as an executable, will download and run an arbitrary executable on a user's computer.

The entire attack is based on vulnerabilities in Windows OLE which were already patched in November 2014. If you have not installed this patch for some reason, it is strongly recommended to install it. It is important for the security of your entire system and is not a WinRAR-specific issue. Without this patch, any software utilizing MS Internet Explorer components, including Internet Explorer itself, may be vulnerable to a specially crafted HTML page allowing code execution.

The WinRAR SFX module displays HTML in its start dialog, so it is affected too, like a huge number of other tools. This issue does not create any new risk factors for SFX archives. Being executable files, SFX archives can already do everything that can be done with this MS14-064 vulnerability. SFX archives can run any local executable or download and run a remotely stored executable utilizing the official SFX module "Setup" command. This feature is required for software installers. Regardless of the Windows vulnerability discussed, and as with any .exe file, users should run SFX archives only if they are sure that such an archive has been received from a trustworthy source.

Read more at:

www.rarlab.com/vuln_sfx_html.htm

www.rarlab.com/vuln_sfx_html2.htm


2. Supposed "WinRAR Web Reminder Vulnerability":

The same internet user, R-73eN, who originally reported the above, informed us about his findings regarding the security of the "WinRAR Registration Reminder Window" (also called "Notifier").

The trial version of WinRAR displays a registration reminder window which can include HTML code received through HTTP from our and our partners' trusted sites. According to R-73eN, a user's local network needs to be compromised in such a way that a malicious man in the middle can modify the contents of web pages opened by users. If, additionally, Microsoft's Internet Explorer is also compromised and contains unpatched security holes like MS14-064, it is then possible for a malicious person to inject harmful code into the WinRAR registration reminder window.

We consider such a hypothetical situation to be a matter of local network and browser vulnerabilities. If both network and browser are compromised, it is enough for a user to open any HTTP page in a browser, or in any application utilizing HTTP browser components, to be attacked. Users need to install Windows and browser patches regularly to prevent this. We can argue about HTTP vs. HTTPS security here, but as long as the HTTP protocol is in wide use and not deprecated, its security should be provided on a lower level than applications utilizing the HTTP engine provided by the system.

We publish this information to our users in advance of another possible wave of mass media publications. WinRAR may again be blamed for network security issues or system vulnerabilities patched a long time ago. Such problems are neither our fault nor in our power to fix, and they have nothing to do with the WinRAR software itself.

Read more at:

www.rarlab.com/vuln_web_html.htm

IMPORTANT: NO PATCHES FOR WINRAR ARE NEEDED. If you have not installed the Windows MS14-064 security update, please do so. It is important for your entire Windows security, not just for WinRAR SFX or WinRAR Web Reminder.


3. Links for sharing:

www.rarlab.com/vuln_sfx_html.htm

www.rarlab.com/vuln_sfx_html2.htm

www.rarlab.com/vuln_web_html.htm

Twitter: #notavulnerability

 


4. Join us on Facebook:

We would be pleased if you joined our WinRAR community on Facebook:

www.facebook.com/winrar


 

 

About win.rar GmbH:
win.rar GmbH has been the official distributor of WinRAR and RARLAB products since February 2002 and handles all support, marketing and sales related to WinRAR & rarlab.com. win.rar GmbH is registered in Germany and is represented worldwide by local partners in more than 70 countries on six continents. win.rar's declared objective is to provide first-class quality support and to optimize its software to meet customers' requirements in accordance with their valued feedback. For more information about WinRAR and win.rar GmbH, please visit our website: www.win-rar.com

 

